NHSDigital · saptarshimandal1 · Mar 3, 2026 · Mar 3, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,81 +1,46 @@
-# .github/dependabot.yml
 version: 2
 updates:
 
-  #######################################
-  #  GitHub Actions (Security Best Practice)
-  #######################################
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    labels:
-      - "dependabot"
-    commit-message:
-      prefix: "deps"
-      include: "scope"
-
-  #######################################
-  #  Python (pip) — e.g., requirements.txt
-  #######################################
+  # --- Python (Poetry via pip ecosystem) ---
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
       interval: "daily"
-    labels:
-      - "dependabot"
-    commit-message:
-      prefix: "pip"
-      include: "scope"
-
-  #######################################
-  #  Docker Dependencies — updates FROM images
-  #######################################
-  - package-ecosystem: "docker"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    labels:
-      - "dependabot"
-    commit-message:
-      prefix: "docker"
-      include: "scope"
+    target-branch: "master"
+    labels: ["dependencies", "python", "poetry"]
+    open-pull-requests-limit: 10
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
 
-  #######################################
-  #  Maven (pom.xml)
-  #######################################
-  - package-ecosystem: "maven"
+  # --- NodeJS (root) ---
+  - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "daily"
-    labels:
-      - "dependabot"
-    commit-message:
-      prefix: "maven"
-      include: "scope"
+    target-branch: "master"
+    labels: ["dependencies", "npm"]
+    open-pull-requests-limit: 10
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
 
-  #######################################
-  #  Gradle (build.gradle, gradle.properties)
-  #######################################
-  - package-ecosystem: "gradle"
-    directory: "/"
+  # --- NodeJS (sandbox/) ---
+  - package-ecosystem: "npm"
+    directory: "/sandbox"
     schedule:
       interval: "daily"
-    labels:
-      - "dependabot"
-    commit-message:
-      prefix: "gradle"
-      include: "scope"
+    target-branch: "master"
+    labels: ["dependencies", "npm", "sandbox"]
+    open-pull-requests-limit: 10
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
 
-  #######################################
-  #  JavaScript (npm / package.json)
-  #######################################
-  - package-ecosystem: "npm"
+  # --- GitHub Actions ---
+  - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "daily"
-    labels:
-      - "dependabot"
-    commit-message:
-      prefix: "npm"
-      include: "scope"
+    target-branch: "master"
+    labels: ["dependencies", "github-actions"]
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -1,47 +1,36 @@
 name: Dependabot auto-merge
 
 on:
-  pull_request:
+  pull_request_target:
+    types: [opened, reopened, synchronize, ready_for_review]
 
 permissions:
   contents: write
   pull-requests: write
 
 jobs:
-  dependabot:
-    name: Approve & auto-merge Dependabot PRs
+  automerge:
+    name: Auto-merge Dependabot patch updates
     runs-on: ubuntu-latest
 
-    # Only run for PRs opened by Dependabot
+    # Only run on Dependabot PRs
     if: github.event.pull_request.user.login == 'dependabot[bot]'
 
     steps:
-      # 1) Fetch Dependabot metadata (pinned SHA + tag comment for humans/renovators)
-      - name: Dependabot metadata
-        id: metadata
-        uses: dependabot/fetch-metadata@21025c7d3b7c1eb5122b2f4f30b18d6c8b8c52df
+      - name: Fetch Dependabot metadata
+        id: meta
+        uses: dependabot/fetch-metadata@v2
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
-      # 2) (Optional) Log what’s being updated for troubleshooting
-      - name: Summarize update
-        run: |
-          echo "Dependencies: ${{ steps.metadata.outputs.dependency-names }}"
-          echo "Update type:  ${{ steps.metadata.outputs.update-type }}"
-
-      # 3) Approve the PR (required if code owner reviews are enforced)
-      - name: Approve Dependabot PR
+      - name: Approve PR
         run: gh pr review --approve "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      # 4) Enable auto-merge for safe updates (patch + minor).
-      #    Adjust the condition if you want patch-only or include majors.
-      - name: Enable auto-merge (patch/minor)
-        if: |
-          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
-          steps.metadata.outputs.update-type == 'version-update:semver-minor'
+      - name: Auto-merge patch updates only
+        if: steps.meta.outputs.update-type == 'version-update:semver-patch'
         run: gh pr merge --auto --squash "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}