From 27c358846978af3ec07c48081b5f3a18995e1087 Mon Sep 17 00:00:00 2001 From: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> Date: Fri, 28 Feb 2025 09:08:55 +0100 Subject: [PATCH 1/8] Update dependabot policy Try to reach an optimum between low-effort, low risk but high reward (security-wise) in automated updates Signed-off-by: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> --- .github/dependabot.yml | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 273fff0..535c765 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -1,11 +1,28 @@ -# To get started with Dependabot version updates, you'll need to specify which -# package ecosystems to update and where the package manifests are located. -# Please see the documentation for all configuration options: -# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file - version: 2 updates: - - package-ecosystem: "maven" # See documentation for possible values - directory: "/" # Location of package manifests + # Patch-level updates (e.g., 1.1.x) will be merged into `main` automatically as a single MR + - package-ecosystem: "maven" + directory: "/" schedule: interval: "weekly" + commit-message: + prefix: "chore" + open-pull-requests-limit: 1 # Limit a single MR for all updates + target-branch: "main" + versioning-strategy: "increase-patch" + pull-request-branch-name: "dependabot/patch-updates" + # Merge automatically: + auto-merge: true + + # Minor-level updates (e.g., 1.x.0) will not be merged automatically, but be consolidated into a single MR + - package-ecosystem: "maven" + directory: "/" # Location of package manifests + schedule: + interval: "monthly" + commit-message: + prefix: "chore" + open-pull-requests-limit: 1 + target-branch: "main" + versioning-strategy: "increase-minor" + pull-request-branch-name: "dependabot/minor-updates" + auto-merge: false From 4550b97d040997b87c55099d650d8d01671c46b3 Mon Sep 17 00:00:00 2001 From: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> Date: Fri, 28 Feb 2025 09:13:08 +0100 Subject: [PATCH 2/8] Only do patch-level for now Package-ecosystem, directory, and target-branch need to be unique over policies, so the first intention was not accepted Signed-off-by: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> --- .github/dependabot.yml | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 535c765..cf2bfec 100644 --- a/.github/dependabot.yml 
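Review bot: `auto-merge: true`, `pull-request-branch-name` given as a plain string and `versioning-strategy: "increase-patch"` are not options the dependabot.yml schema accepts (documented `versioning-strategy` values are `auto`, `increase`, `increase-if-necessary`, `lockfile-only` and `widen`; `pull-request-branch-name` only takes a `separator` sub-key; Dependabot has no auto-merge setting of its own), so at this point in the series the file fails config validation rather than producing the intended patch-only PRs. The entry-level `update-types: "patch"` that patch 4 swaps in has the same problem, as that key is only valid under `groups`, `allow` or `ignore`. Patches 2 to 5 converge on the documented `groups`/`ignore` form, so the practical request is to squash the series so that no intermediate commit leaves a configuration Dependabot rejects. The second `updates` entry also collides with the first on ecosystem, directory and target branch, which patch 2's message already records as the reason it was dropped.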
+++ b/.github/dependabot.yml @@ -11,18 +11,4 @@ updates: target-branch: "main" versioning-strategy: "increase-patch" pull-request-branch-name: "dependabot/patch-updates" - # Merge automatically: auto-merge: true - - # Minor-level updates (e.g., 1.x.0) will not be merged automatically, but be consolidated into a single MR - - package-ecosystem: "maven" - directory: "/" # Location of package manifests - schedule: - interval: "monthly" - commit-message: - prefix: "chore" - open-pull-requests-limit: 1 - target-branch: "main" - versioning-strategy: "increase-minor" - pull-request-branch-name: "dependabot/minor-updates" - auto-merge: false From 8fda0686e69561afe95d40039072a88b27c20c68 Mon Sep 17 00:00:00 2001 From: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> Date: Fri, 28 Feb 2025 09:16:32 +0100 Subject: [PATCH 3/8] Fix more small issues with dependabot Signed-off-by: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> --- .github/dependabot.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index cf2bfec..56b4326 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,6 @@ version: 2 updates: - # Patch-level updates (e.g., 1.1.x) will be merged into `main` automatically as a single MR + # Patch-level updates (e.g., 1.1.x) will be created as a single MR weekly - package-ecosystem: "maven" directory: "/" schedule: @@ -10,5 +10,3 @@ updates: open-pull-requests-limit: 1 # Limit a single MR for all updates target-branch: "main" versioning-strategy: "increase-patch" - pull-request-branch-name: "dependabot/patch-updates" - auto-merge: true From 2840475b05db2548424590ec4df5a58adb78a362 Mon Sep 17 00:00:00 2001 From: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> Date: Fri, 28 Feb 2025 09:17:57 +0100 Subject: [PATCH 4/8] Fix field name 
Signed-off-by: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 56b4326..1b16d61 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,4 +9,4 @@ updates: prefix: "chore" open-pull-requests-limit: 1 # Limit a single MR for all updates target-branch: "main" - versioning-strategy: "increase-patch" + update-types: "patch" From 6cc16bef8f79ad94b48249c05b8cdc90cdafebcd Mon Sep 17 00:00:00 2001 From: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> Date: Fri, 28 Feb 2025 09:26:11 +0100 Subject: [PATCH 5/8] Documentation-derived dependabot conf Signed-off-by: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> --- .github/dependabot.yml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1b16d61..cc90583 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,12 +1,16 @@ version: 2 updates: - # Patch-level updates (e.g., 1.1.x) will be created as a single MR weekly - package-ecosystem: "maven" directory: "/" schedule: interval: "weekly" - commit-message: - prefix: "chore" - open-pull-requests-limit: 1 # Limit a single MR for all updates - target-branch: "main" - update-types: "patch" + groups: + maven: + patterns: + - "*:*" + update-types: + - "patch" + - "minor" + ignore: + - dependency-name: "*" + update-types: ["version-update:semver-major"] From a248707dd23181d5fc8989f113dfe7342d2306b6 Mon Sep 17 00:00:00 2001 From: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> Date: Fri, 28 Feb 2025 09:49:44 +0100 Subject: [PATCH 6/8] Give clear PR name Signed-off-by: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) 
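Review bot: The blanket `ignore` of `version-update:semver-major` for `dependency-name: "*"` also suppresses Dependabot security updates whose only fixed release is a major bump, because `ignore` conditions are applied to security updates as well as version updates (this is how the option table in the dependabot.yml documentation describes it; worth confirming for the Maven ecosystem before relying on it). If the goal is only to keep majors out of the grouped weekly PR, the group's `update-types` list of `patch` and `minor` already does that, and dropping the `ignore` block lets majors arrive as separate, manually reviewed PRs while vulnerability fixes are never hidden. If the `ignore` is kept on purpose, say so next to it, e.g. `# NOTE: ignore also applies to security updates; a fix that requires a major bump will not get a PR`. Minor: `patterns: - "*:*"` can simply be `"*"`, since the pattern is matched against the whole `groupId:artifactId` name.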
diff --git a/.github/dependabot.yml b/.github/dependabot.yml index cc90583..c19779f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,6 +11,7 @@ updates: update-types: - "patch" - "minor" + pull-request-title: "Apply all minor and patch-level updates for Maven dependencies" ignore: - dependency-name: "*" update-types: ["version-update:semver-major"] From 9815f7aac6697e9498606ee3bd37cd8410a05d71 Mon Sep 17 00:00:00 2001 From: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> Date: Fri, 28 Feb 2025 09:52:15 +0100 Subject: [PATCH 7/8] Try automerge policy Signed-off-by: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> --- .github/workflows/dependabot-automerge.yml | 24 ++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/workflows/dependabot-automerge.yml diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml new file mode 100644 index 0000000..a0698f2 --- /dev/null +++ b/.github/workflows/dependabot-automerge.yml @@ -0,0 +1,24 @@ +name: Dependabot Auto-Merge +on: pull_request + +permissions: + pull-requests: write + contents: write + +jobs: + dependabot-auto-merge: + runs-on: ubuntu-latest + if: | + github.event.pull_request.user.login == 'dependabot[bot]' && + contains(github.event.pull_request.title, 'minor and patch-level') + steps: + - name: Fetch Pull Request Metadata + id: metadata + uses: dependabot/fetch-metadata@v1 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + - name: Merge Pull Request + run: gh pr merge --auto "$PR_URL" + env: + PR_URL: "${{ github.event.pull_request.html_url }}" + GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" From 34dc7ba483011ed48d496ee2fc1b8722c924ec0e Mon Sep 17 00:00:00 2001 From: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> Date: Fri, 28 Feb 2025 10:05:34 +0100 Subject: [PATCH 8/8] Improve automerge Action 
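Review bot: I cannot find `pull-request-title` among the documented dependabot.yml options (the documented controls over how a PR is named are `commit-message.prefix`, which Dependabot also uses at the start of the PR title, and `pull-request-branch-name.separator`), so this line is likely to be rejected as an unknown property, and even if it were silently ignored the grouped PR would carry Dependabot's generated title instead. Since the auto-merge workflow added in patch 7 and tightened in patch 8 gates on this exact title text, the effect would be that auto-merge never triggers, which fails safe but not in the way intended. If a recognisable title is needed, `commit-message: prefix: "chore(deps)"` is the supported way to get a stable leading string; otherwise gate the workflow on fetch-metadata outputs rather than on the title.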
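Review bot: `gh pr merge --auto` enables GitHub auto-merge, which completes as soon as the branch protection requirements are met; if `main` has no required status checks, that is immediately on `opened`, before any build or test has run, so this workflow only provides a post-CI merge if rulesets or branch protection on `main` require the CI checks, which nothing in this series verifies. The `metadata` step is run but its outputs are unused; gating on them is more robust than a title substring, e.g. keep the job-level `if: github.event.pull_request.user.login == 'dependabot[bot]'` and add to the merge step `if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'`. `uses: dependabot/fetch-metadata@v1` pins a mutable tag; pinning to the full commit SHA (with the tag in a trailing comment) removes the possibility of the action changing underneath a workflow that holds merge rights. Patch 8 keeps the same job-level title gate and the same unpinned action, so these points apply there too.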
Signed-off-by: Hugo van der Zwaag <32141052+KoviaX@users.noreply.github.com> --- .github/workflows/dependabot-automerge.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index a0698f2..67c826f 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -1,16 +1,17 @@ name: Dependabot Auto-Merge -on: pull_request +on: + pull_request: + types: + - opened permissions: pull-requests: write - contents: write + contents: read jobs: dependabot-auto-merge: runs-on: ubuntu-latest - if: | - github.event.pull_request.user.login == 'dependabot[bot]' && - contains(github.event.pull_request.title, 'minor and patch-level') + if: github.event.pull_request.user.login == 'dependabot[bot]' && startsWith(github.event.pull_request.title, 'Apply all minor and patch-level') steps: - name: Fetch Pull Request Metadata id: metadata
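Review bot: Dropping `contents` to `read` may make the `gh pr merge --auto` step fail, since GitHub's documented example for enabling auto-merge on Dependabot PRs grants both `pull-requests: write` and `contents: write`; this needs a run against a real Dependabot PR to confirm rather than being assumed safe, and if `read` does work it is the better choice and worth a comment such as `# contents: read is sufficient here because GitHub performs the merge, not the token`. Restricting the trigger to `types: [opened]` is a good tightening, but it also means a PR that was opened while the workflow was broken never gets auto-merge enabled on later `synchronize` events, which is acceptable as long as that is the intent. The `startsWith` title gate still depends on the `pull-request-title` option from patch 6 being honoured by Dependabot, so please verify the generated PR title before relying on it.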