[codex] Automate Dependabot maintenance

[Pigbibi]

Summary

• add weekly Dependabot updates for Python packages and GitHub Actions
• ignore semver-major updates so major releases still require review
• add a CI-gated workflow that automatically merges eligible Dependabot PRs after checks pass

Validation

• configuration-only change; CI will validate the workflow files on this PR

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e548018b9f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Require the checked head SHA before merging

Because this workflow is driven by a successful workflow_run, a Dependabot push that lands after CI passes but before this command runs will make gh pr merge merge the PR's latest head rather than the SHA that actually passed CI. I checked the existing .github/workflows/auto_merge_codex_pr.yml workflow, which guards this by comparing headRefOid to github.event.workflow_run.head_sha and merging with --match-head-commit; the GitHub CLI manual describes that flag as requiring the PR head to match a SHA before merge. Add the same stale-run guard here so untested dependency updates cannot be auto-merged.

Useful? React with 👍 / 👎.