ci: add grouped Dependabot config + patch-only auto-merge workflow

.github/dependabot.yml

@@ -0,0 +1,69 @@
+# Dependabot configuration for @perplexity-ai/mcp-server
+#
+# Goals:
+#   1. Burn down the backlog of open Dependabot alerts (currently 6 high /
+#      16 moderate / 1 low at time of writing) without drowning maintainers
+#      in tiny one-dep-at-a-time PRs.
+#   2. Keep patch-level updates flowing automatically via the auto-merge
+#      workflow at .github/workflows/dependabot-automerge.yml, while still
+#      requiring human review for minor and major version bumps.
+#   3. Update GitHub Actions on the same cadence so workflow runners don't
+#      silently age out.
+#
+# References:
+#   - https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+#
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "javascript"
+    commit-message:
+      prefix: "deps"
+      prefix-development: "deps-dev"
+      include: "scope"
+    groups:
+      # All non-major production updates land in a single weekly PR.
+      production-dependencies:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+          - "patch"
+      # All non-major dev updates land in a single weekly PR.
+      development-dependencies:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+          - "patch"
+      # MCP SDK churns a lot — keep it isolated so SDK bumps don't get
+      # bundled with unrelated transitive upgrades.
+      modelcontextprotocol:
+        patterns:
+          - "@modelcontextprotocol/*"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/dependabot-automerge.yml

@@ -0,0 +1,47 @@
+# Auto-merges Dependabot PRs that are PATCH-only updates and pass CI.
+#
+# Minor and major version bumps still require human review (this workflow
+# explicitly exits without merging them).
+#
+# This pairs with .github/dependabot.yml, where:
+#   - production/dev/minor+patch updates are grouped into single weekly PRs
+#   - the modelcontextprotocol group is isolated
+#   - GitHub Actions are also grouped on the same cadence
+#
+name: Dependabot auto-merge
+
+on:
+  pull_request:
+    # Use pull_request_target so the workflow runs with repo-scoped GITHUB_TOKEN
+    # permissions on PRs opened by Dependabot.
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  automerge:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Fetch Dependabot metadata
+        id: meta
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Auto-merge patch-only updates that pass CI
+        if: steps.meta.outputs.update-type == 'version-update:semver-patch'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        # --auto waits for required status checks (set by branch protection)
+        # to pass before merging. If CI fails, the PR stays open for review.
+        run: gh pr merge --auto --squash "$PR_URL"
+
+      - name: Leave minor/major bumps open for review
+        if: steps.meta.outputs.update-type != 'version-update:semver-patch'
+        run: |
+          echo "Update type '${{ steps.meta.outputs.update-type }}' requires human review."
+          echo "Skipping auto-merge."