chore(ci): fix workflow automation

.github/workflows/audit-fix.yml

@@ -26,7 +26,9 @@ jobs:
         run: npm ci
 
       - name: Run npm audit fix
-        run: npm audit fix || npm audit fix --force || true
+        run: |
+          npm audit 2>&1 > audit-report.txt || true
+          npm audit fix || npm audit fix --force || true
 
       - name: Create pull request
         env:
@@ -38,17 +40,27 @@ jobs:
             exit 0
           fi
 
-          BRANCH="npm-audit-fix-$(date +%Y%m%d)"
+          BRANCH="npm-audit-fix-$(date +%Y%m%d-%H%M%S)"
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
           git checkout -b "$BRANCH"
           git add package.json package-lock.json
           git commit -m "chore(deps): npm audit fix"
           git push origin "$BRANCH"
 
+          cat > pr-body.md << 'BODYEOF'
+          Automated security fixes via `npm audit fix`.
+
+          ## Audit Report
+
+          ```
+          BODYEOF
+          cat audit-report.txt >> pr-body.md
+          echo '```' >> pr-body.md
+
           gh pr create \
             --title "chore(deps): npm audit fix" \
-            --body "Automated security fixes via \`npm audit fix\`." \
+            --body-file pr-body.md \
             --label "audit: fix" \
             --base main \
             --head "$BRANCH"

.github/workflows/auto-approve-merge.yml

@@ -0,0 +1,31 @@
+name: Auto approve and merge
+
+on:
+  pull_request_target:
+    types:
+      - labeled
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    name: Auto approve and merge
+    runs-on: ubuntu-latest
+    if: "github.actor == 'dependabot[bot]' || (github.event.pull_request.user.login == 'github-actions[bot]' && contains(github.event.pull_request.labels.*.name, 'audit: fix'))"
+    steps:
+      - name: Approve
+        run: gh pr review "$PR_NUMBER" --approve
+        env:
+          PR_NUMBER: ${{ github.event.number }}
+          GH_TOKEN: ${{ secrets.LOCALSTACK_BOT_TOKEN }}
+      - name: Enable auto-merge
+        run: gh pr merge "$PR_NUMBER" --auto --squash
+        env:
+          PR_NUMBER: ${{ github.event.number }}
+          GH_TOKEN: ${{ secrets.LOCALSTACK_BOT_TOKEN }}

.github/workflows/pull-request-lint.yml

@@ -1,15 +1,18 @@
 name: Pull Request Lint
 
 on:
-  pull_request:
-    branches: ["main"]
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - reopened
 
 jobs:
   validate:
     name: Validate PR title
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
+      pull-requests: read
     steps:
       - uses: amannn/action-semantic-pull-request@v6
         env:

.github/workflows/release-auto-merge.yml

@@ -25,7 +25,7 @@ jobs:
             --json number \
             --jq '.[].number' | \
           while read -r pr; do
-            echo "Enabling auto-merge on PR #$pr"
+            echo "Approving and enabling auto-merge on PR #$pr"
             gh pr review "$pr" --approve --comment --body "Auto-approve weekly releases"
             gh pr merge "$pr" --auto --squash
           done