ci(dependabot): prevent python version drift & auto-orchestrate updates (#5)

* ci: derive python version from dockerfile to prevent drift

Implement dynamic python-version extraction in CI workflow by parsing
the Dockerfile FROM instruction. This ensures the unit test environment
always matches the container runtime without manual intervention.

* ci: implement automated maintenance via dependabot automerge

Add a dedicated workflow to enable GitHub's native auto-merge feature
for Dependabot PRs. This allows dependencies that pass CI to be
merged automatically, reducing manual maintenance overhead.

* meta: synchronize weekly maintenance window and grouping

Align all Dependabot ecosystems (pip, docker, actions) to trigger
weekly on Mondays at 05:00 UTC. Enable update grouping and rebase
strategy to minimize PR noise and ensure a streamlined update cycle.

* fix: address PR review feedback for CI and automerge

- Add validation to Python version extraction in ci.yml
- Remove unused python-version job output in ci.yml
- Switch automerge trigger to pull_request_target for write permissions

Author: gildesmarais

.github/dependabot.yml

@@ -3,10 +3,13 @@ updates:
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
-      interval: "monthly"
-    open-pull-requests-limit: 1
+      interval: "weekly"
+      day: "monday"
+      time: "05:00"
+    open-pull-requests-limit: 10
+    pull-request-branch-merge-strategy: "rebase"
     groups:
-      monthly-python:
+      python-dependencies:
         patterns:
           - "*"
     commit-message:
@@ -15,10 +18,13 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "monthly"
-    open-pull-requests-limit: 1
+      interval: "weekly"
+      day: "monday"
+      time: "05:00"
+    open-pull-requests-limit: 10
+    pull-request-branch-merge-strategy: "rebase"
     groups:
-      monthly-actions:
+      actions-dependencies:
         patterns:
           - "*"
     commit-message:
@@ -27,10 +33,13 @@ updates:
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
-      interval: "monthly"
-    open-pull-requests-limit: 1
+      interval: "weekly"
+      day: "monday"
+      time: "05:00"
+    open-pull-requests-limit: 10
+    pull-request-branch-merge-strategy: "rebase"
     groups:
-      monthly-docker:
+      docker-dependencies:
         patterns:
           - "*"
     commit-message:

.github/workflows/ci.yml

@@ -17,10 +17,24 @@ jobs:
       - name: Check out repository
         uses: actions/checkout@v6
 
+      - name: Get Python version from Dockerfile
+        id: get-version
+        run: |
+          # Extract version like "3.14" from "FROM python:3.14-slim..."
+          VERSION=$(grep -m 1 "^FROM python:" Dockerfile | sed -E 's/^FROM python:([0-9]+\.[0-9]+).*/\1/')
+          
+          if [ -z "$VERSION" ]; then
+            echo "Error: Could not extract Python version from Dockerfile"
+            exit 1
+          fi
+
+          echo "Extracted version: $VERSION"
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
-          python-version: "3.12"
+          python-version: ${{ steps.get-version.outputs.version }}
           cache: "pip"
 
       - name: Install Python dependencies

.github/workflows/dependabot-automerge.yml

@@ -0,0 +1,17 @@
+name: Dependabot Automerge
+on: pull_request_target
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  automerge:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Enable automerge for Dependabot PRs
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}