Define Dependabot PR Workflow

[scott45]

Set a clear process for handling Dependabot PRs, including how they're reviewed, approved, and whether they should auto-merge.

Acceptance Criteria

• Define auto-merge rules and criteria

• Document reviewer expectations

• How could we use pre-hook commits to ease the burden of managing the dependabot PRs?

• Link to Dependabot config for transparency

[scott45]

• Instead of handling one vulnerability in multiple repos, handle it in one and scale out the solution

• Quarterly (periodic) security audit??

• Reduce on the frequency of dependabot PRs to weekly or even monthly

• Inquire how adopters would like to handle this

• Polish up branch protection rules script