ci(deps): add Dependabot Manager workflow and configuration

[DariuszPorowski]

No description provided.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/create-github-app-token	bcd2ba49218906704ab6c1aa796996da409d3eb1	🟢 6.1	Details Check Score Reason Code-Review ⚠️ 2 Found 3/14 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected SAST 🟢 6 SAST tool is not run on all commits -- score normalized to 6 Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches
actions/actions/github-script	3a2844b7e9c422d3c10d287c895573f7108da1b3	🟢 7.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 21 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches
actions/dependabot/fetch-metadata	25dd0e34f4fe68f24cc83900b1fe3fe149efef98	🟢 7.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 3 dependency not pinned by hash detected -- score normalized to 3 Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected SAST 🟢 8 SAST tool is not run on all commits -- score normalized to 8

Scanned Files

• .github/workflows/__dependabot-manager.yml

[Copilot]

Pull request overview

Adds a reusable "Dependabot Manager" workflow plus a workflow-template wrapper (and matching properties file) so consumer repositories can opt into automated review of Dependabot PRs. The reusable workflow fetches Dependabot metadata, evaluates a small policy (block major updates and maintainer changes, otherwise auto-approve and enable squash auto-merge, and label security updates), authenticated via a GitHub App token. The template is also registered in .github/sync.yml so it gets propagated to other repos.

Changes:

• New reusable workflow .github/workflows/__dependabot-manager.yml implementing the auto-approve / auto-merge / security-label policy via dependabot/fetch-metadata and actions/github-script.
• New caller template workflow-templates/dependabot-manager.yml (and properties JSON) gated to dependabot[bot] on pull_request_target.
• .github/sync.yml updated to sync the new template into downstream repos.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
.github/workflows/__dependabot-manager.yml	Reusable workflow with policy logic, App-token auth, and gh CLI actions for approve/merge/label.
workflow-templates/dependabot-manager.yml	Caller template invoking the reusable workflow on Dependabot PRs.
workflow-templates/dependabot-manager.properties.json	Metadata (name, description, icon, category) for the workflow-template chooser.
.github/sync.yml	Registers the new template for sync to downstream repos.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.