From a4560c8fc4329b09f75b7db5d5ac71763ac1c419 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristian=20Pallar=C3=A9s?=
Date: Thu, 2 Apr 2026 11:51:30 +0200
Subject: [PATCH 1/3] chore(ci): enable automatic audit fix pull requests

---
.github/workflows/audit-fix-auto-merge.yml | 26 +++++++++++
.github/workflows/audit-fix.yml | 54 ++++++++++++++++++++++
2 files changed, 80 insertions(+)
create mode 100644 .github/workflows/audit-fix-auto-merge.yml
create mode 100644 .github/workflows/audit-fix.yml

diff --git a/.github/workflows/audit-fix-auto-merge.yml b/.github/workflows/audit-fix-auto-merge.yml
new file mode 100644
index 0000000..a401f38
--- /dev/null
+++ b/.github/workflows/audit-fix-auto-merge.yml
@@ -0,0 +1,26 @@
+name: Audit Fix Auto-merge
+
+on:
+ pull_request:
+ branches: ["main"]
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ auto-merge:
+ name: Auto-merge audit fix pull requests
+ runs-on: ubuntu-latest
+ if: "contains(github.event.pull_request.labels.*.name, 'audit: fix')"
+ steps:
+ - name: Approve
+ run: gh pr review "$PR_URL" --approve --comment --body "Auto-approve audit fix pull requests"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.LOCALSTACK_BOT_TOKEN }}
+ - name: Enable auto-merge
+ run: gh pr merge "$PR_URL" --auto --squash
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.LOCALSTACK_BOT_TOKEN }}
diff --git a/.github/workflows/audit-fix.yml b/.github/workflows/audit-fix.yml
new file mode 100644
index 0000000..b4880a1
--- /dev/null
+++ b/.github/workflows/audit-fix.yml
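Review bot: The only gate on the approve-and-merge path is the label test in `if: "contains(github.event.pull_request.labels.*.name, 'audit: fix')"`, so any pull request from a branch of this repository that carries that label is approved and auto-merged with a token holding `contents: write` — anyone able to apply labels can route an arbitrary change past review. The condition should additionally pin the author and head branch to what audit-fix.yml produces, e.g. `if: github.event.pull_request.user.login == '<bot-account-login>' && startsWith(github.head_ref, 'npm-audit-fix-') && contains(github.event.pull_request.labels.*.name, 'audit: fix')`, where the login is the account behind the token used for `gh pr create` (presumably the owner of LOCALSTACK_BOT_TOKEN in this patch; github-actions[bot] once patch 2 applies). Note that the default `pull_request` activity types do not include `labeled`, so the label only counts here because `gh pr create --label` applies it at open time; a label added afterwards will not start this job. `gh pr merge --auto` still honors branch protection, so required status checks remain the last gate before the squash lands.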
@@ -0,0 +1,54 @@
+name: Audit fix
+
+on:
+ schedule:
+ - cron: '0 9 * * *'
+ workflow_dispatch:
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ audit-fix:
+ name: Run npm audit fix and create pull request
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ cache: npm
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Run npm audit fix
+ run: npm audit fix --force
+
+ - name: Create pull request
+ env:
+ GH_TOKEN: ${{ secrets.LOCALSTACK_BOT_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ run: |
+ if git diff --quiet; then
+ echo "No changes after npm audit fix, skipping PR creation"
+ exit 0
+ fi
+
+ BRANCH="npm-audit-fix-$(date +%Y%m%d)"
+ git config user.name "localstack-bot"
+ git config user.email "localstack-bot@users.noreply.github.com"
+ git checkout -b "$BRANCH"
+ git add package.json package-lock.json
+ git commit -m "chore(deps): npm audit fix"
+ git push origin "$BRANCH"
+
+ gh pr create \
+ --title "chore(deps): npm audit fix" \
+ --body "Automated security fixes via \`npm audit fix --force\`." \
+ --label "audit: fix" \
+ --base main \
+ --head "$BRANCH"
From f360cb3caf6af999a65984a2482c66fff4a72c79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristian=20Pallar=C3=A9s?=
Date: Thu, 2 Apr 2026 11:54:10 +0200
Subject: [PATCH 2/3] wip

---
.github/workflows/audit-fix.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/audit-fix.yml b/.github/workflows/audit-fix.yml
index b4880a1..64bbe5e 100644
--- a/.github/workflows/audit-fix.yml
+++ b/.github/workflows/audit-fix.yml
@@ -30,7 +30,7 @@ jobs: - name: Create pull request env: - GH_TOKEN: ${{ secrets.LOCALSTACK_BOT_TOKEN }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} run: | if git diff --quiet; then
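Review bot: Both third-party actions are referenced by mutable tags (`uses: actions/checkout@v5`, `uses: actions/setup-node@v4`) in a job that holds `contents: write`, `pull-requests: write` and a bot PAT, and whose output is merged without a human; pinning them to full commit SHAs (`uses: actions/checkout@<commit-sha>  # v5`) removes the tag-retargeting exposure. `npm audit fix --force` also installs semver-major updates, so the generated pull request can carry breaking changes; either drop `--force` or say so in the `--body` text so whoever reads the merged result knows what landed. A same-day re-run via `workflow_dispatch` will fail at `git push origin "$BRANCH"` because the branch name carries only the date; appending `${{ github.run_id }}` to `BRANCH=` or checking for an existing branch first avoids that.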
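Review bot: Switching `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` for the `gh pr create` step means the resulting pull request will, going by GitHub's documented behavior, not trigger other workflows — events created with the repository's GITHUB_TOKEN do not start new runs — so the `pull_request`-triggered job in audit-fix-auto-merge.yml will never see these PRs and the auto-merge path added in patch 1 goes dead. Keep a PAT or a GitHub App installation token for the PR-creation step, or move the approve and auto-merge steps into this workflow; in either case the approving account must differ from the PR author, since self-approval is rejected. The `run: |` script this hunk touches continues beyond the hunk.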
@@ -39,8 +39,8 @@ jobs: fi BRANCH="npm-audit-fix-$(date +%Y%m%d)" - git config user.name "localstack-bot" - git config user.email "localstack-bot@users.noreply.github.com" + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" git checkout -b "$BRANCH" git add package.json package-lock.json git commit -m "chore(deps): npm audit fix"
From 08fea2d990aa0341fcdd1abcdb46d3281e80eacc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristian=20Pallar=C3=A9s?=
Date: Thu, 2 Apr 2026 11:54:56 +0200
Subject: [PATCH 3/3] wip

---
.github/workflows/audit-fix-auto-merge.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/audit-fix-auto-merge.yml b/.github/workflows/audit-fix-auto-merge.yml
index a401f38..ff0c8af 100644
--- a/.github/workflows/audit-fix-auto-merge.yml
+++ b/.github/workflows/audit-fix-auto-merge.yml
@@ -1,4 +1,4 @@ -name: Audit Fix Auto-merge +name: Audit fix Auto-merge on: pull_request: