configure dependabot to open PR and approve the changes

Author: acosferreira

.github/dependabot.yml

@@ -0,0 +1,62 @@
+version: 2
+updates:
+  # Python dependencies
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    target-branch: "ana/aap-52843-mergify"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "python"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    # Ignore major version updates (too risky for auto-merge)
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+
+  # Admin Portal npm dependencies
+  - package-ecosystem: "npm"
+    directory: "/ansible_ai_connect_admin_portal"
+    schedule:
+      interval: "daily"
+    target-branch: "ana/aap-52843-mergify"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "javascript"
+      - "admin-portal"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+
+  # Chatbot npm dependencies
+  - package-ecosystem: "npm"
+    directory: "/ansible_ai_connect_chatbot"
+    schedule:
+      interval: "daily"
+    target-branch: "ana/aap-52843-mergify"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "javascript"
+      - "chatbot"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    target-branch: "ana/aap-52843-mergify"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "ci"

.github/mergify.yml

@@ -0,0 +1,83 @@
+queue_rules:
+  - name: ansible-ai-connect-service
+    queue_conditions:
+      - author~=^dependabot(|-preview)\[bot\]$
+      - check-success=Lint
+    merge_conditions:
+      - check-success=pre-commit
+      - check-success=code_coverage
+      - check-success=selftest
+
+pull_request_rules:
+  # Auto-approve security updates for Python
+  - name: Auto-approve Dependabot security updates (Python)
+    conditions:
+      - author=dependabot[bot]
+      - label=security
+      - label=python
+      - check-success=pre-commit
+      - check-success=selftest  # pip_compile check
+      - check-success=pip_audit
+      - check-success=pyright
+      - "#changes-requested-reviews-by=0"
+      - "#review-requested=0"
+    actions:
+      review:
+        type: APPROVE
+        message: "Dependabot security PR auto-approved. Manual merge required."
+
+  # Auto-approve security updates for Admin Portal
+  - name: Auto-approve Dependabot security updates (Admin Portal)
+    conditions:
+      - author=dependabot[bot]
+      - label=security
+      - label=admin-portal
+      - check-success=pre-commit
+      - check-success=ui_compile
+      - check-success=npm_audit
+      - "#changes-requested-reviews-by=0"
+      - "#review-requested=0"
+    actions:
+      review:
+        type: APPROVE
+        message: "Dependabot security PR auto-approved. Manual merge required."
+
+  # Auto-approve security updates for Chatbot
+  - name: Auto-approve Dependabot security updates (Chatbot)
+    conditions:
+      - author=dependabot[bot]
+      - label=security
+      - label=chatbot
+      - check-success=pre-commit
+      - check-success=ui_compile_chatbot
+      - check-success=npm_audit_chatbot
+      - "#changes-requested-reviews-by=0"
+      - "#review-requested=0"
+    actions:
+      review:
+        type: APPROVE
+        message: "Dependabot security PR auto-approved. Manual merge required."
+
+  # Auto-approve security updates for GitHub Actions
+  - name: Auto-approve Dependabot security updates (GitHub Actions)
+    conditions:
+      - author=dependabot[bot]
+      - label=security
+      - label=github-actions
+      - check-success=pre-commit
+      - "#changes-requested-reviews-by=0"
+      - "#review-requested=0"
+    actions:
+      review:
+        type: APPROVE
+        message: "Dependabot security PR auto-approved. Manual merge required."
+
+  # Auto-approve non-security updates but don't merge
+  - name: Auto-approve non-security Dependabot PRs
+    conditions:
+      - author=dependabot[bot]
+      - -label=security
+    actions:
+      review:
+        type: APPROVE
+        message: "Dependabot PR auto-approved. Manual merge required for non-security updates."

.github/workflows/dependabot_pip_compile.yml

@@ -0,0 +1,36 @@
+name: Dependabot - Update pip lockfiles
+
+on:
+  pull_request:
+    paths:
+      - 'requirements.in'
+      - 'requirements-dev.in'
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-lockfiles:
+    if: github.actor == 'dependabot[bot]' && github.head_ref == 'ana/aap-52843-mergify'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run pip-compile
+        run: make pip-compile
+
+      - name: Commit lockfile changes
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add requirements*.txt
+          if git diff --staged --quiet; then
+            echo "No lockfile changes needed"
+          else
+            git commit -m "chore: update pip lockfiles for Dependabot PR"
+            git push
+          fi

.mergify.yml

@@ -192,6 +192,56 @@ To update the pre-commit config to the latest repos' versions and run the precom
 pre-commit autoupdate && pre-commit run -a
 ```
 
+## Automated Dependency Updates
+
+This project uses Dependabot and Mergify to automatically manage dependencies and security updates.
+
+### How It Works
+
+1. **Dependabot** checks daily for dependency updates across:
+   - Python packages (requirements.in)
+   - npm packages (admin portal & chatbot)
+   - GitHub Actions
+
+2. **Security updates** (CVEs) are automatically merged when:
+   - All CI/CD tests pass
+   - No merge conflicts exist
+   - No change requests from reviewers
+
+3. **Non-security updates** create PRs for manual review
+
+### Managing Dependabot PRs
+
+**To approve a non-security update:**
+- Review the PR changes and test results
+- Click "Merge pull request" in GitHub UI
+
+**To reject an update:**
+- Close the PR with a comment explaining why
+- Or add to `.github/dependabot.yml`:
+  ```yaml
+  ignore:
+    - dependency-name: "package-name"
+      versions: ["x.y.z"]
+  ```
+
+**To temporarily pin a version:**
+```python
+# In requirements.in, add comment:
+package-name==1.2.3  # Pinned due to issue #XYZ
+```
+
+**To disable auto-merge for a specific PR:**
+- Request changes in a review
+- OR add label `no-auto-merge` (requires Mergify config update)
+
+### Monitoring
+
+- **Security advisories:** GitHub Security tab
+- **Merged updates:** Check commits by `dependabot[bot]`
+- **Mergify dashboard:** https://dashboard.mergify.com
+- **Metrics:** Monthly report in team meeting
+
 ## Updating the Python dependencies
 
 We are now using pip-compile in order to manage our Python