Update dependabot actions

.github/workflows/dependabot-force-rebase.yml

@@ -11,4 +11,4 @@ jobs:
       contents: write        # 👈 allows pushing commits to branches
       pull-requests: write   # 👈 allows updating PR metadata
     steps:
-      - uses: peter-evans/rebase@v3
+      - uses: peter-evans/rebase@v2

.github/workflows/pr-auto-approve.yml

@@ -0,0 +1,35 @@
+name: Dependabot Auto Approve
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+permissions:
+  pull-requests: write
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+jobs:
+  auto-approve:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]' || github.actor == 'nev21'
+    steps:
+      - name: Wait for status checks
+        uses: lewagon/wait-on-check-action@v1.4.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          wait-interval: 30
+          running-workflow-name: 'auto-approve'
+          allowed-conclusions: success,skipped,neutral
+
+      - name: Approve PR
+        if: success()
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/sync-rush-versions.yml

@@ -0,0 +1,75 @@
+name: Sync Rush.json Version
+on:
+  pull_request:
+    types: [opened, synchronize]
+    paths:
+      - "**/package.json"
+      - "rush.json"
+      - "common-versions.json"
+
+jobs:
+  detect:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    outputs:
+      rush_changed: ${{ steps.detect.outputs.rush_changed }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Detect Rush bump
+        id: detect
+        run: |
+          # Look for @microsoft/rush in the diff
+          if git diff -U0 HEAD~1 -- **/package.json | grep '"@microsoft/rush"'; then
+            echo "rush_changed=true" >> $GITHUB_OUTPUT
+          else
+            echo "rush_changed=false" >> $GITHUB_OUTPUT
+          fi
+
+  update:
+    runs-on: ubuntu-latest
+    needs: detect
+    if: needs.detect.outputs.rush_changed == 'true'
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20
+
+      - name: Install Rush
+        run: npm install -g @microsoft/rush
+
+      - name: Sync rush.json
+        run: |
+          echo "Syncing rush.json with Dependabot bump..."
+          # Extract new Rush version from package.json
+          NEW_VERSION=$(jq -r '.devDependencies["@microsoft/rush"] // .dependencies["@microsoft/rush"]' package.json)
+
+          # Update rush.json version field
+          jq ".rushVersion = \"$NEW_VERSION\"" rush.json > rush.tmp.json
+          mv rush.tmp.json rush.json
+
+      - name: Run rush update
+        run: |
+          rush update --full
+
+      - name: Commit changes
+        run: |
+          git config --global user.name "dependabot-sync[bot]"
+          git config --global user.email "dependabot-sync[bot]@users.noreply.github.com"
+          git add rush.json || true
+          git add common-versions.json || true
+          git add pnpm-lock.yaml || true
+          git add yarn.lock || true
+          git add package-lock.json || true
+          if git diff --staged --quiet; then
+            echo "No changes to commit."
+          else
+            git commit -m "chore: sync rush.json and regenerate lockfiles"
+            git push --force-with-lease
+          fi