feat(.claude): add dependabot-pr-automation skill

.claude/skills/dependabot-pr-automation/SKILL.md

@@ -0,0 +1,98 @@
+---
+name: dependabot-pr-automation
+description: Reviews open Dependabot pull requests, assesses their risk level based on version bump type and CI status, approves low-risk PRs, and merges them. Use when asked to process, review, merge, or triage Dependabot PRs.
+allowed-tools:
+  - Bash
+  - Read
+  - WebFetch
+  - mcp__github__list_pull_requests
+  - mcp__github__get_pull_request
+  - mcp__github__get_pull_request_files
+  - mcp__github__get_pull_request_status
+  - mcp__github__create_pull_request_review
+  - mcp__github__merge_pull_request
+---
+
+# Dependabot PR Automation for chainloop
+
+This skill reviews open Dependabot pull requests, assesses their risk, approves safe ones, and merges them.
+
+## Repository Info
+
+| Item | Value |
+|------|-------|
+| Owner | `chainloop-dev` |
+| Repo | `chainloop` |
+
+## Step 1: List Open Dependabot PRs
+
+Use `mcp__github__list_pull_requests` to fetch open PRs:
+
+- `owner`: `chainloop-dev`
+- `repo`: `chainloop`
+- `state`: `open`
+
+Filter the results to only include PRs authored by `dependabot[bot]`. Collect each PR's number, title, head branch, and labels.
+
+If there are no open Dependabot PRs, report that and stop.
+
+## Step 2: Assess Risk for Each PR
+
+For each Dependabot PR, determine the risk level using these criteria:
+
+### 2a. Parse Version Bump from PR Title
+
+Dependabot PR titles follow the pattern: `Bump <package> from <old-version> to <new-version>`. Extract the old and new versions and classify the bump:
+
+| Bump Type | Risk Level | Criteria |
+|-----------|------------|----------|
+| **Patch** (x.x.OLD → x.x.NEW) | Low | Only the patch segment changed |
+| **Minor** (x.OLD.x → x.NEW.x) | Medium | The minor segment changed |
+| **Major** (OLD.x.x → NEW.x.x) | High | The major segment changed |
+
+### 2b. Check CI / Check Status
+
+Use `mcp__github__get_pull_request_status` to retrieve the CI check status for each PR. A PR is considered CI-passing only if all checks have concluded with a success state.
+
+### 2c. Inspect the Diff
+
+Use `mcp__github__get_pull_request_files` to review the files changed. Flag any PR that modifies unexpected files beyond dependency manifests (`go.mod`, `go.sum`, `package.json`, `yarn.lock`, `Dockerfile*`, `.github/workflows/*`).
+
+### 2d. Identify Dependency Scope
+
+- **Development-only** (test frameworks, linters, dev tools) → Lower risk
+- **Production** (runtime dependencies) → Higher risk
+- **GitHub Actions** (workflow dependencies) → Typically low risk for minor/patch bumps
+
+### 2e. Final Risk Matrix
+
+| Version Bump | CI Passing | Only Manifest Files | Final Risk | Action |
+|-------------|------------|---------------------|------------|--------|
+| Patch | Yes | Yes | **Low** | Auto-approve and merge |
+| Patch | No | Yes | **Medium** | Approve but do not merge |
+| Minor | Yes | Yes | **Medium** | Auto-approve and merge |
+| Minor | Yes | No | **High** | Do not approve |
+| Minor | No | * | **High** | Do not approve |
+| Major | * | * | **High** | Do not approve |
+
+GitHub Actions patch and minor bumps with passing CI → **Low** risk.
+
+## Step 3: Approve Eligible PRs
+
+Use `mcp__github__create_pull_request_review` with `event: APPROVE` for eligible PRs.
+
+## Step 4: Merge Approved PRs
+
+Use `mcp__github__merge_pull_request` with `merge_method: squash`. If the merge fails, note the failure and continue.
+
+## Step 5: Report Results
+
+After processing all PRs, produce a summary table showing merged, approved-pending, flagged, and errored PRs.
+
+## Important Notes
+
+- Never force-merge.
+- Respect branch protection rules.
+- Go module PRs may need `go mod tidy` after merge.
+- Process oldest-first to avoid dependency tree conflicts.
+- Security-labeled PRs should be prioritized; treat security patch/minor bumps as Low risk if CI passes.