Address PR review feedback

Copilot · thomasturrell · Copilot · commit 0e73cd77d4f2 · 2026-01-21T19:14:08.000Z
- Add dependabot/fetch-metadata to GitHub Actions auto-merge group
- Change auto-merge workflow trigger to pull_request_review to run after approval
- Ensure auto-merge only runs when review is approved

Co-authored-by: thomasturrell &lt;1552612+thomasturrell@users.noreply.github.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -56,4 +56,5 @@ updates:
           - "actions/setup-java"
           - "actions/stale"
           - "advanced-security/maven-dependency-submission-action"
+          - "dependabot/fetch-metadata"
           - "github/codeql-action"
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -1,6 +1,6 @@
 name: Dependabot Auto-Merge
 
-on: pull_request
+on: pull_request_review
 
 permissions:
   contents: write
@@ -9,7 +9,7 @@ permissions:
 jobs:
   auto-merge:
     runs-on: ubuntu-latest
-    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    if: github.event.review.state == 'approved' && github.event.pull_request.user.login == 'dependabot[bot]'
     steps:
       - name: Get Dependabot metadata
         id: metadata
