From b9f277851c81aac752779d971f559fb3580caf71 Mon Sep 17 00:00:00 2001
From: Colin Murphy
Date: Mon, 22 Jun 2026 17:18:36 +0100
Subject: [PATCH 1/3] chore: Added Dependabot automation.
---
 .github/CODEOWNERS | 9 ++
 .github/dependabot.yaml | 110 +++++++++++++++++++
 .github/workflows/dependabot-automation.yaml | 29 +++++
 3 files changed, 148 insertions(+)
 create mode 100644 .github/dependabot.yaml
 create mode 100644 .github/workflows/dependabot-automation.yaml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 48242cce..b59d7d26 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1,10 @@
 * @wpengine/headless-open-source @wpengine/spcs
+
+# Dependency files: bot is co-owner so its approval satisfies CODEOWNERS for Dependabot PRs
+package.json @wpe-ie-deploy-bot @wpengine/headless-open-source @wpengine/spcs
+package-lock.json @wpe-ie-deploy-bot @wpengine/headless-open-source @wpengine/spcs
+composer.json @wpe-ie-deploy-bot @wpengine/headless-open-source @wpengine/spcs
+composer.lock @wpe-ie-deploy-bot @wpengine/headless-open-source @wpengine/spcs
+Dockerfile @wpe-ie-deploy-bot @wpengine/headless-open-source @wpengine/spcs
+docker-compose.yml @wpe-ie-deploy-bot @wpengine/headless-open-source @wpengine/spcs
+.github/workflows/ @wpe-ie-deploy-bot @wpengine/headless-open-source @wpengine/spcs
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 00000000..4bc99d20
--- /dev/null
+++ b/.github/dependabot.yaml
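Review bot: The added comment says the bot's co-ownership applies "for Dependabot PRs", but CODEOWNERS cannot scope an owner by PR author, so an approval from `@wpe-ie-deploy-bot` satisfies code-owner review on any pull request that touches these paths. The patterns also have no leading slash, so they match `package.json`, `Dockerfile` and the rest at every depth of the repository, not only the dependency manifests Dependabot is configured for. I would reword the comment along the lines of `# NOTE: not limited to Dependabot PRs; any approval by @wpe-ie-deploy-bot counts as code-owner review for these files at any depth, so that account's token must stay restricted to the approval workflows`.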
@@ -0,0 +1,110 @@
+version: 2
+updates:
+ # npm (root monorepo — workspaces cover packages/* and plugins/*)
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+
+ # composer (plugins)
+ - package-ecosystem: "composer"
+ directory: "/plugins/hwp-cli"
+ schedule:
+ interval: "weekly"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+
+ - package-ecosystem: "composer"
+ directory: "/plugins/hwp-previews"
+ schedule:
+ interval: "weekly"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+
+ - package-ecosystem: "composer"
+ directory: "/plugins/wpgraphql-debug-extensions"
+ schedule:
+ interval: "weekly"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+
+ - package-ecosystem: "composer"
+ directory: "/plugins/wpgraphql-logging"
+ schedule:
+ interval: "weekly"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+
+ - package-ecosystem: "composer"
+ directory: "/plugins/wpgraphql-webhooks"
+ schedule:
+ interval: "weekly"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+
+ # docker (Dockerfiles)
+ - package-ecosystem: "docker"
+ directory: "/plugins/hwp-previews/.docker"
+ schedule:
+ interval: "weekly"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+
+ - package-ecosystem: "docker"
+ directory: "/plugins/wpgraphql-logging/.docker"
+ schedule:
+ interval: "weekly"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+
+ # docker (docker-compose)
+ - package-ecosystem: "docker"
+ directory: "/plugins/hwp-previews"
+ schedule:
+ interval: "weekly"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+
+ - package-ecosystem: "docker"
+ directory: "/plugins/wpgraphql-debug-extensions"
+ schedule:
+ interval: "weekly"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+
+ - package-ecosystem: "docker"
+ directory: "/plugins/wpgraphql-logging"
+ schedule:
+ interval: "weekly"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+
+ - package-ecosystem: "docker"
+ directory: "/plugins/wpgraphql-webhooks"
+ schedule:
+ interval: "weekly"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+
+ # github-actions
+ - package-ecosystem: "github-actions"
+ directory: "/.github/workflows"
+ schedule:
+ interval: "weekly"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
diff --git a/.github/workflows/dependabot-automation.yaml b/.github/workflows/dependabot-automation.yaml
new file mode 100644
index 00000000..47d5d54b
--- /dev/null
+++ b/.github/workflows/dependabot-automation.yaml
@@ -0,0 +1,29 @@
+name: Dependabot Automation
+on: pull_request
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: ${{github.actor == 'dependabot[bot]'}}
+ steps:
+ - name: Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v3.1.0
+ with:
+ github-token: "${{secrets.GITHUB_TOKEN}}"
+ - name: Approve PR
+ if: ${{steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GH_TOKEN: ${{secrets.DEPENDABOT_APPROVER_TOKEN}}
+ run: gh pr review --approve "$PR_URL"
+ - name: Enable auto-merge
+ if: ${{steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ run: gh pr merge --auto --squash "$PR_URL"
From e6688f3d8fef2d8467bd43ea1002bac6fa02c5b8 Mon Sep 17 00:00:00 2001
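Review bot: None of the thirteen update entries in `.github/dependabot.yaml` sets a `cooldown`, so Dependabot can propose a release as soon as it is published, and the workflow added in this same patch approves and auto-merges minor and patch bumps without a person reading them. Adding a delay to each entry where the ecosystem supports it, for example `cooldown:` with `default-days: 7` (the value is illustrative), leaves time for a compromised or withdrawn release to be noticed before it reaches `main`. Separately, the four entries under `# docker (docker-compose)` use `package-ecosystem: "docker"`; as far as I know compose files are handled by the separate `docker-compose` ecosystem, so it is worth confirming on a test run that those entries produce any updates.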
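Review bot: The job condition `if: ${{github.actor == 'dependabot[bot]'}}` in `dependabot-automation.yaml` checks who triggered the latest run, not who authored the pull request, so it does not establish that the commits being approved and merged came from Dependabot. GitHub's own auto-merge example keys on the PR author instead: `if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}`. The `Approve PR` and `Enable auto-merge` steps also act on every minor and patch bump regardless of ecosystem; `fetch-metadata` exposes `package-ecosystem` and `dependency-type` outputs that could keep, say, `github-actions` updates for human review. The `contents: write` and `pull-requests: write` grant sits at workflow level and would be tighter declared on the `dependabot` job, with a short comment saying why each is needed.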
From: Colin Murphy Date: Mon, 22 Jun 2026 17:20:30 +0100 Subject: [PATCH 2/3] chore: Automatically approve release PR's so we avoid stale releases. --- .github/workflows/create-release-branch.yml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/.github/workflows/create-release-branch.yml b/.github/workflows/create-release-branch.yml index e0bef01b..e195c054 100644 --- a/.github/workflows/create-release-branch.yml +++ b/.github/workflows/create-release-branch.yml @@ -130,8 +130,8 @@ jobs: git commit -m "chore: apply version bump from changesets for ${{ steps.plugin.outputs.slug }}" git push origin "$BRANCH_NAME" - # Create PR - gh pr create \ + # Create PR and capture URL for auto-merge steps + RELEASE_PR_URL=$(gh pr create \ --title "Release: ${{ steps.plugin.outputs.slug }} version bump" \ --body "Automated release PR for ${{ steps.plugin.outputs.slug }} plugin. @@ -139,8 +139,21 @@ jobs: Plugin: ${{ steps.plugin.outputs.slug }}" \ --base main \ - --head "$BRANCH_NAME" + --head "$BRANCH_NAME") + echo "RELEASE_PR_URL=$RELEASE_PR_URL" >> $GITHUB_ENV fi env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Approve release PR + if: env.RELEASE_PR_URL != '' + env: + GH_TOKEN: ${{ secrets.RELEASE_PAT }} + run: gh pr review --approve "$RELEASE_PR_URL" + + - name: Enable auto-merge on release PR + if: env.RELEASE_PR_URL != '' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: gh pr merge --auto --squash "$RELEASE_PR_URL" From 79c6e032032e5c7404247c0176a955cce7305ed0 Mon Sep 17 00:00:00 2001 From: Colin Murphy Date: Mon, 22 Jun 2026 19:46:18 +0100 Subject: [PATCH 3/3] Added sha for dependabot version. Removed bot from being able to update workflows. --- .github/CODEOWNERS | 1 - .github/workflows/dependabot-automation.yaml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index b59d7d26..f4a3a5d5 100644 --- a/.github/CODEOWNERS 
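Review bot: The new `Approve release PR` and `Enable auto-merge on release PR` steps approve and merge whatever PR the previous step opened without checking its contents, so a release PR can reach `main` with no human review. Because that PR is opened with `GITHUB_TOKEN`, `pull_request` workflows are normally not triggered for it, so unless branch protection requires status checks the merge may also happen with no CI run; that is worth confirming and recording in a comment above `Approve release PR`. A guard before the approval that lists the changed files (`gh pr diff "$RELEASE_PR_URL" --name-only`) and stops when anything outside the expected version-bump files changed would keep the automation narrow. `RELEASE_PAT` should be limited to pull-request write on this repository, and `>> $GITHUB_ENV` is safer quoted as `>> "$GITHUB_ENV"`. The `run:` script edited by the first hunk starts above it, outside the diff.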
+++ b/.github/CODEOWNERS
@@ -7,4 +7,3 @@ composer.json @wpe-ie-deploy-bot @wpengine/headless-open-source @wpengine/spcs
 composer.lock @wpe-ie-deploy-bot @wpengine/headless-open-source @wpengine/spcs
 Dockerfile @wpe-ie-deploy-bot @wpengine/headless-open-source @wpengine/spcs
 docker-compose.yml @wpe-ie-deploy-bot @wpengine/headless-open-source @wpengine/spcs
-.github/workflows/ @wpe-ie-deploy-bot @wpengine/headless-open-source @wpengine/spcs
diff --git a/.github/workflows/dependabot-automation.yaml b/.github/workflows/dependabot-automation.yaml
index 47d5d54b..ef200d49 100644
--- a/.github/workflows/dependabot-automation.yaml
+++ b/.github/workflows/dependabot-automation.yaml
@@ -12,7 +12,7 @@ jobs:
 steps:
 - name: Dependabot metadata
 id: metadata
- uses: dependabot/fetch-metadata@v3.1.0
+ uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
 with:
 github-token: "${{secrets.GITHUB_TOKEN}}"
 - name: Approve PR