ci: auto merge dependabot #867

Open
NguyenHoangSon96 wants to merge 7 commits into master from ci/auto-merge-dependabot

Conversation

Contributor

@NguyenHoangSon96 NguyenHoangSon96 commented Apr 21, 2026

Closes #

Proposed Changes

  • Setup auto approve and merge for Dependabot PRs.

Checklist

  • CHANGELOG.md updated
  • Rebased/mergeable
  • A test has been added if appropriate
  • mvn test completes successfully
  • Commit messages are conventional
  • Sign CLA (if not already signed)

@NguyenHoangSon96 NguyenHoangSon96 added this to the 7.5.0 milestone Apr 21, 2026
@NguyenHoangSon96 NguyenHoangSon96 self-assigned this Apr 21, 2026

codecov-commenter commented Apr 21, 2026

⚠️ Please install the Codecov GitHub app to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.84%. Comparing base (93d6ce8) to head (df93430).

Additional details and impacted files
@@            Coverage Diff            @@
##             master     #867   +/-   ##
=========================================
  Coverage     88.84%   88.84%           
  Complexity      789      789           
=========================================
  Files           174      174           
  Lines          7282     7282           
  Branches        421      421           
=========================================
  Hits           6470     6470           
  Misses          680      680           
  Partials        132      132           


Copilot AI left a comment

Pull request overview

Adds GitHub Actions automation to auto-approve and enable auto-merge for Dependabot pull requests.

Changes:

  • Added a new workflow to approve Dependabot PRs and enable squash auto-merge.
  • Updated CHANGELOG.md to record the CI change.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File                                          | Description
CHANGELOG.md                                  | Adds a CI entry documenting the Dependabot auto-merge setup.
.github/workflows/dependabot-auto-merge.yml   | Introduces a workflow that approves Dependabot PRs and enables auto-merge via gh.


Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.


Comment on lines +24 to +28
on: pull_request

jobs:
  automerge:
    if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]'

Copilot AI Apr 21, 2026


Using on: pull_request for Dependabot PRs typically results in a read-only GITHUB_TOKEN (and secrets are not provided), so the gh pr review/merge commands will fail despite the permissions block. Consider switching to pull_request_target (and avoid checking out PR code) and/or explicitly validating github.event.pull_request.user.login == 'dependabot[bot]' before performing write operations.

Suggested change
-on: pull_request
-jobs:
-  automerge:
-    if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]'
+on: pull_request_target
+jobs:
+  automerge:
+    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'dependabot-preview[bot]'

    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v3

Copilot AI Apr 21, 2026


This workflow runs with write permissions and uses a third-party action (dependabot/fetch-metadata@v3). To reduce supply-chain risk, pin the action to a specific commit SHA (and optionally use Renovate/Dependabot to keep it updated) rather than a mutable tag.

Suggested change
-        uses: dependabot/fetch-metadata@v3
+        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7

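The two review comments above (the `pull_request` trigger giving Dependabot PRs a read-only token, and the unpinned third-party action) are addressed together in the workflow below. This is an added example written for this page, not the file from the PR or the project's own code. The job and step names, the patch/minor update-type gate, and the `<pinned-commit-sha>` placeholder are assumptions; `gh pr review --approve` and `gh pr merge --auto --squash` are the two operations the PR description says the workflow performs.

```yaml
# .github/workflows/dependabot-auto-merge.yml  (added example, not the PR's file)
name: Dependabot auto-merge

# pull_request_target runs in the context of the base branch, so GITHUB_TOKEN is
# writable and secrets are available even when the PR was opened by Dependabot.
# The price of that is that the job must never check out or execute PR code.
on: pull_request_target

# Least privilege: only what `gh pr review` and `gh pr merge --auto` need.
permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    # Gate on the PR author, not github.actor: the actor is whoever caused the
    # event (a reopen, a label, a push to the branch); the author is who opened it.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout here. With a writable token, running the
      # PR's own code would hand write access to whoever controls that branch.

      - name: Fetch Dependabot metadata
        id: metadata
        # Pin third-party actions to a full commit SHA, not a mutable tag.
        # <pinned-commit-sha> is a placeholder (assumption for this example):
        # replace it with the SHA of the dependabot/fetch-metadata release you audited.
        uses: dependabot/fetch-metadata@<pinned-commit-sha> # v3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Approve and enable squash auto-merge
        # Assumption for this example: only patch and minor bumps are auto-merged;
        # major bumps still wait for a human review.
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through env rather than interpolated into the script, so the
          # value is never parsed by the shell.
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --squash "$PR_URL"
```

Two caveats a practitioner should check before enabling this: `gh pr merge --auto` only succeeds if "Allow auto-merge" is turned on in the repository settings, and the merge then happens once the branch's required status checks pass; and the approval is recorded as coming from the Actions bot, so if branch protection requires one approving review, Dependabot PRs will satisfy it without any human having looked at the diff. That is the trade-off the workflow makes, and the update-type gate is what keeps it to low-risk bumps.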