From 37384c53b35b648ad7b41ce0319dd893dba6f110 Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 18:52:37 +0100
Subject: [PATCH 1/8] ci: update Dependabot auto-merge workflow
---
 .github/workflows/dependabot-auto-merge.yml | 30 +++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/dependabot-auto-merge.yml
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 00000000..e96eda60
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,30 @@
+name: Dependabot Auto-Merge
+
+on: pull_request
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Approve PR
+ run: gh pr review --approve "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Auto-merge PR
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 3c33111829bb9e6ab4050f014b100cad44652bb3 Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 19:23:33 +0100
Subject: [PATCH 2/8] ci: add semver filtering to Dependabot auto-merge (patch/minor only)
---
 .github/workflows/dependabot-auto-merge.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index e96eda60..26085a8a 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
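Review bot: The job gate `if: github.actor == 'dependabot[bot]'` in the new dependabot-auto-merge.yml (PATCH 1/8) checks who triggered the run rather than who opened the pull request, while the workflow token carries `contents: write` and `pull-requests: write`. GitHub's documented form for Dependabot automation is `if: github.event.pull_request.user.login == 'dependabot[bot]'`, which ties the approve and merge steps to the PR author. The same `github.actor` condition recurs in PATCH 4/8, 6/8 and 7/8. `dependabot/fetch-metadata@v2` is also a movable tag; pinning it to a full commit SHA keeps the code that runs with this token fixed.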
@@ -17,13 +17,15 @@ jobs:
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
 
- - name: Approve PR
+ - name: Approve patch and minor updates
+ if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
 run: gh pr review --approve "$PR_URL"
 env:
 PR_URL: ${{ github.event.pull_request.html_url }}
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
- - name: Auto-merge PR
+ - name: Auto-merge patch and minor updates
+ if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
 run: gh pr merge --auto --squash "$PR_URL"
 env:
 PR_URL: ${{ github.event.pull_request.html_url }}
From 86ada18ebe181458562cd44081b9d6e8022dd247 Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 19:28:00 +0100
Subject: [PATCH 3/8] ci: configure Dependabot version updates targeting develop
---
 .github/dependabot.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..15f504b3
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,18 @@
+version: 2
+updates:
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ target-branch: "develop"
+ open-pull-requests-limit: 5
+ groups:
+ minor-and-patch:
+ update-types:
+ - "minor"
+ - "patch"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ target-branch: "develop"
From a4a0423a77c8c72396adeaf1852257062d3d1731 Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 19:39:07 +0100
Subject: [PATCH 4/8] ci: add pull_request_target trigger for Dependabot CI compatibility
---
 .github/workflows/ci.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2ffa64fb..ae7982b7 100644
--- a/.github/workflows/ci.yml
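Review bot: Nothing in dependabot-auto-merge.yml after PATCH 2/8 ties the merge to a CI result; the update-type filter is the only gate visible in the file. `gh pr merge --auto` merges once the target branch's requirements are met, so whether it waits for lint-and-test depends on branch protection that this page does not show, and that is worth confirming for `develop` and `main`. I would record the dependency above the merge step, e.g. `# --auto waits only for checks marked required on the target branch; keep lint-and-test required`. The hunk starts inside the `steps:` list, so the metadata step that feeds `steps.metadata.outputs.update-type` is only partly visible.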
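Review bot: Both entries in the new .github/dependabot.yml (PATCH 3/8) set `target-branch: "develop"`, and per GitHub's documentation an entry with `target-branch` governs version updates only. Unless `develop` is the default branch, security updates would still be raised against the default branch without the `groups` and `open-pull-requests-limit` settings given here. If that is intended, a comment would make it explicit, e.g. `# version updates only; security updates still target the default branch`. The `github-actions` entry also has no `groups` block, so each action bump arrives as its own PR, unlike the pip entry.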
+++ b/.github/workflows/ci.yml
@@ -4,8 +4,12 @@ on:
 branches: [develop]
 pull_request:
 branches: [develop, main]
+ pull_request_target:
+ branches: [develop, main]
 jobs:
 lint-and-test:
+ if: github.event_name \!= 'pull_request_target' || github.actor == 'dependabot[bot]'
 uses: fireflyframework/.github/.github/workflows/python-ci.yml@main
 with:
 python-version: '3.13'
+ checkout-ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
From 2af4ab780e4ea312afb9610bd4b94eb2bcdea4ba Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 19:52:19 +0100
Subject: [PATCH 5/8] ci: revert ci.yml to original triggers (pull_request_target moved to separate file)
---
 .github/workflows/ci.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ae7982b7..2ffa64fb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,12 +4,8 @@ on:
 branches: [develop]
 pull_request:
 branches: [develop, main]
- pull_request_target:
- branches: [develop, main]
 jobs:
 lint-and-test:
- if: github.event_name \!= 'pull_request_target' || github.actor == 'dependabot[bot]'
 uses: fireflyframework/.github/.github/workflows/python-ci.yml@main
 with:
 python-version: '3.13'
- checkout-ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
From b0fa2e3019dc5ad62f0e71ffc302b734558f5543 Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 19:53:34 +0100
Subject: [PATCH 6/8] ci: add separate Dependabot CI workflow using pull_request_target
---
 .github/workflows/dependabot-ci.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 .github/workflows/dependabot-ci.yml
diff --git a/.github/workflows/dependabot-ci.yml b/.github/workflows/dependabot-ci.yml
new file mode 100644
index 00000000..30f89760
--- /dev/null
+++ b/.github/workflows/dependabot-ci.yml
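Review bot: Running lint-and-test under `pull_request_target` with `checkout-ref` set to `github.event.pull_request.head.sha` (PATCH 4/8, ci.yml) means code supplied by the pull request executes in a run that holds the base repository's token and secrets, the combination GitHub's hardening guidance advises against. The only guard is the `github.actor` comparison in the new `if:`, and neither the called workflow's steps nor any `permissions:` block is visible in this hunk; the `on:` mapping begins above it. With both `pull_request` and `pull_request_target` listed, a Dependabot PR would also run the job twice. PATCH 5/8 reverts this file, but the same trigger and head checkout return in dependabot-ci.yml (PATCH 6/8 and 7/8). Wherever the trigger stays, I would add a top-level `permissions:` block limited to `contents: read` and a comment stating why the privileged trigger is needed.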
@@ -0,0 +1,11 @@
+name: Dependabot CI
+on:
+ pull_request_target:
+ branches: [develop, main]
+jobs:
+ lint-and-test:
+ if: github.actor == 'dependabot[bot]'
+ uses: fireflyframework/.github/.github/workflows/python-ci.yml@main
+ with:
+ python-version: '3.13'
+ checkout-ref: ${{ github.event.pull_request.head.sha }}
From b444bf513578b3072dc70ac25a0de975521e0c70 Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 20:00:44 +0100
Subject: [PATCH 7/8] ci: inline Dependabot CI build (cross-repo reusable workflows unsupported for Dependabot)
---
 .github/workflows/dependabot-ci.yml | 53 ++++++++++++++++++++++++++---
 1 file changed, 49 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/dependabot-ci.yml b/.github/workflows/dependabot-ci.yml
index 30f89760..0672e2d3 100644
--- a/.github/workflows/dependabot-ci.yml
+++ b/.github/workflows/dependabot-ci.yml
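Review bot: The new dependabot-ci.yml (PATCH 6/8) declares no `permissions:` block, so under `pull_request_target` the token handed to the called workflow falls back to the repository default, which may be read/write. Since the job checks out the PR head, I would add `permissions:` with `contents: read` at the top of the file. The reusable workflow is referenced as `@main`, a moving ref; a full commit SHA would fix what runs with that token.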
@@ -2,10 +2,55 @@ name: Dependabot CI
 on:
 pull_request_target:
 branches: [develop, main]
+
+permissions:
+ contents: read
+ statuses: write
+
 jobs:
 lint-and-test:
+ runs-on: ubuntu-latest
 if: github.actor == 'dependabot[bot]'
- uses: fireflyframework/.github/.github/workflows/python-ci.yml@main
- with:
- python-version: '3.13'
- checkout-ref: ${{ github.event.pull_request.head.sha }}
+ steps:
+ - name: Checkout PR code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Install uv
+ uses: astral-sh/setup-uv@v4
+
+ - name: Set up Python 3.13
+ run: uv python install 3.13
+
+ - name: Install dependencies
+ run: uv sync --all-extras
+
+ - name: Lint with ruff
+ run: |
+ uv run ruff check .
+ uv run ruff format --check .
+
+ - name: Type check with pyright
+ run: uv run pyright
+
+ - name: Run tests
+ run: uv run pytest --cov --cov-report=term-missing
+
+ - name: Report build status
+ if: always()
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ if [ "${{ job.status }}" = "success" ]; then
+ STATE="success"
+ DESC="Dependabot build passed"
+ else
+ STATE="failure"
+ DESC="Dependabot build failed"
+ fi
+ gh api "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
+ -f state="$STATE" \
+ -f context="lint-and-test / lint-and-test" \
+ -f description="$DESC" \
+ -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
From 5c639690214f54c49a1d0e8aa904dd9911cfc06f Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 20:33:44 +0100
Subject: [PATCH 8/8] ci: grant actions:write permission in caller for DAG orchestrator