ci: auto-approve and auto-merge patch dependabot PRs (#63)

GITHUB_TOKEN can't approve its own PRs when reviews are required.
Only auto-merge patch updates, not minor.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: FBumann

.github/workflows/dependabot-auto-merge.yml

@@ -1,24 +1,39 @@
 name: Dependabot auto-merge
-on: pull_request
+
+on:
+  pull_request:
 
 permissions:
   contents: write
   pull-requests: write
 
 jobs:
-  dependabot:
-    runs-on: ubuntu-latest
+  auto-merge:
+    name: Auto-merge patch
     if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-24.04
     steps:
-      - name: Dependabot metadata
+      - uses: dependabot/fetch-metadata@v2
         id: metadata
-        uses: dependabot/fetch-metadata@v2
+
+      - name: Generate app token
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+        id: app-token
+        uses: actions/create-github-app-token@v2
         with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: Approve PR
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+        run: gh pr review "$PR" --approve
+        env:
+          PR: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
 
-      - name: Auto-merge minor and patch updates
-        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
-        run: gh pr merge --auto --squash "$PR_URL"
+      - name: Enable auto-merge
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+        run: gh pr merge "$PR" --auto --squash
         env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ github.token }}