Pull main into develop

.github/dependabot.yml

@@ -6,7 +6,8 @@
 version: 2
 updates:
   - package-ecosystem: "github-actions" # See documentation for possible values
-    directory: ".github/workflows" # Location of package manifests
+    directory: "/"
+    target-branch: "admin"
     schedule:
       interval: "monthly"
     groups:
@@ -17,6 +18,7 @@ updates:
   # Maintain dependencies for pip
   - package-ecosystem: "pip"
     directory: "/" # Location of package manifests
+    target-branch: "admin"
     registries: "*"
     labels:
       - "pip dependencies"

.github/workflows/admin-orchestrator.yml

@@ -0,0 +1,101 @@
+name: Admin branch orchestration
+
+on:
+  create:
+
+  push:
+    branches:
+      - "main"
+      - "develop"
+
+  schedule:
+    - cron: "0 3 * * 1"   # Weekly, Monday 03:00 UTC
+
+  workflow_dispatch:
+
+  pull_request:
+    branches:
+      - admin
+  pull_request_review:
+    types:
+      - submitted
+  check_suite:
+    types:
+      - completed
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  admin-orchestrator:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # ------------------------------------------------------------
+      # Use fixed base branch: develop
+      # ------------------------------------------------------------
+      - name: Set base branch
+        id: default
+        run: |
+          echo "branch=develop" >> "$GITHUB_OUTPUT"
+
+      # ------------------------------------------------------------
+      # Ensure admin branch exists
+      # ------------------------------------------------------------
+      - name: Ensure admin branch exists
+        run: |
+          if git show-ref --verify --quiet refs/remotes/origin/admin; then
+            echo "admin branch already exists"
+          else
+            git checkout "${{ steps.default.outputs.branch }}"
+            git checkout -b admin
+            git push origin admin
+          fi
+
+      # ------------------------------------------------------------
+      # Periodically rebase admin onto develop (true rebase)
+      # ------------------------------------------------------------
+      - name: Rebase admin onto default
+        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
+        run: |
+          set -e
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          git fetch origin
+          git checkout admin
+
+          # Rebase admin commits on top of develop
+          git rebase origin/${{ steps.default.outputs.branch }}
+
+          # Push updated admin branch
+          git push --force-with-lease origin admin
+
+      # ------------------------------------------------------------
+      # Guardrail: warn if non-Dependabot PR targets admin
+      # (no hard failure without branch protection)
+      # ------------------------------------------------------------
+      - name: Warn on non-Dependabot PRs
+        if: github.event_name == 'pull_request'
+        run: |
+          if [[ "${{ github.actor }}" != "dependabot[bot]" ]]; then
+            echo "::warning::PR to admin opened by non-Dependabot actor"
+          fi
+
+      # ------------------------------------------------------------
+      # Auto-merge Dependabot PRs
+      # ------------------------------------------------------------
+      - name: Auto-merge Dependabot PR
+        if: |
+          github.event_name == 'pull_request' &&
+          github.event.pull_request.user.login == 'dependabot[bot]'
+        uses: peter-evans/enable-pull-request-automerge@v3
+        with:
+          pull-request-number: ${{ github.event.pull_request.number }}
+          merge-method: squash