Harden quarantine provisioning; enforce strict permissions and update Ansible and docs

.github/workflows/auto-merge-dependabot.yml

@@ -0,0 +1,36 @@
+name: Auto-merge Dependabot security updates
+
+on:
+  pull_request_target:
+    types: [opened, labeled, reopened, ready_for_review]
+
+jobs:
+  enable-automerge:
+    name: Enable auto-merge for Dependabot security PRs
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'dependabot-preview[bot]'
+    steps:
+      - name: Check PR labels for security
+        id: label-check
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const pr = await github.rest.pulls.get({ owner: context.repo.owner, repo: context.repo.repo, pull_number: context.payload.pull_request.number });
+            const labels = pr.data.labels.map(l => l.name.toLowerCase());
+            const isSecurity = labels.includes('security') || labels.includes('dependabot-security') || pr.data.body && /security/i.test(pr.data.body);
+            return { isSecurity };
+
+      - name: Enable GitHub auto-merge on PR
+        if: steps.label-check.outputs.isSecurity == 'true'
+        uses: peter-evans/enable-pull-request-automerge@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          pull-request-number: ${{ github.event.pull_request.number }}
+          merge-method: squash
+
+      - name: Comment when auto-merge enabled
+        if: steps.label-check.outputs.isSecurity == 'true'
+        uses: actions/github-script@v6
+        with:
+          script: |
+            await github.rest.issues.createComment({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.payload.pull_request.number, body: 'Auto-merge enabled for this Dependabot security update. Merge will occur automatically once required checks pass.' });