UploadShied/docs/auto-merge.md

Auto-merge & Dependabot: repository settings

This project enables automated dependency updates (Dependabot) and a workflow that will enable GitHub auto-merge for Dependabot security PRs. To ensure auto-merge works correctly, the repository must be configured as follows:

  • Allow auto-merge: enable Allow auto-merge in the repository settings (Settings → General → Merge button → Allow auto-merge).
  • Branch protection: configure branch protection for your main branch so that the required status checks (CI) must pass before merging. Dependabot PRs are merged automatically only after the required checks pass.
  • Required checks: ensure the CI workflow .github/workflows/ci.yml is listed as a required check in your branch-protection rules (it runs PHPUnit, PHPStan and Composer Audit).
  • Bot permissions: the default GITHUB_TOKEN used by workflows has permission to enable auto-merge; if you have tightened permissions, ensure in the repository settings that Actions are allowed to create and manage pull requests.
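
One way to check the settings listed above, as an added example that is not part of this project: it audits responses shaped like GitHub's REST endpoints for the repository, branch protection on main, and Actions workflow permissions. The JSON is constructed sample data, and the check names phpunit, phpstan and composer-audit are assumed job names for ci.yml.

```python
import json

# Constructed sample responses (not real data), shaped like:
#   GET /repos/{owner}/{repo}
#   GET /repos/{owner}/{repo}/branches/main/protection
#   GET /repos/{owner}/{repo}/actions/permissions/workflow
SAMPLE_REPO = json.loads('{"allow_auto_merge": true}')
SAMPLE_PROTECTION = json.loads("""{
  "required_status_checks": {
    "strict": true,
    "contexts": ["phpunit"],
    "checks": [{"context": "phpstan", "app_id": null}]
  }
}""")
SAMPLE_WORKFLOW_PERMS = json.loads('{"default_workflow_permissions": "read"}')

# Assumed CI job names; GitHub matches required checks by check name.
EXPECTED_CHECKS = ("phpunit", "phpstan", "composer-audit")


def audit(repo, protection, workflow_perms, expected=EXPECTED_CHECKS):
    """Return findings; an empty list means the settings match this page."""
    findings = []
    if not repo.get("allow_auto_merge"):
        findings.append("allow_auto_merge is disabled")
    if protection is None:  # pass None when the branch has no protection
        findings.append("main has no branch protection")
    rsc = (protection or {}).get("required_status_checks") or {}
    # Required checks can appear in the legacy "contexts" list or in "checks".
    required = set(rsc.get("contexts") or [])
    required |= {c["context"] for c in rsc.get("checks") or []}
    for name in expected:
        if name not in required:
            findings.append(f"required check missing: {name}")
    if workflow_perms.get("default_workflow_permissions") != "write":
        # Not a fault by itself: the auto-merge workflow then has to request
        # write access in its own permissions block.
        findings.append("default GITHUB_TOKEN is read-only")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPO, SAMPLE_PROTECTION, SAMPLE_WORKFLOW_PERMS):
        print("FINDING:", finding)
```
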

How to revoke or disable auto-merge

  • Disable for a single PR: open the PR and click the Auto-merge button to turn it off (or remove the security label). The workflow also posts a comment when it enables auto-merge.
  • Disable global auto-merge: Repository Settings → Merge button → uncheck Allow auto-merge.
  • Disable the automation workflow: remove or rename .github/workflows/auto-merge-dependabot.yml to stop the automatic enabling step.
  • Disable Dependabot updates: remove or rename .github/dependabot.yml or change its schedule to interval: "never".

If you want stricter control, enable protected-branch rules that require review approvals before merge; auto-merge will still wait for those approvals unless your protection policy allows the merge without them.