fix(ci): run lockfile fixer for reopened dependabot prs

* fix(ci): run lockfile fixer for reopened dependabot prs

* ci(dependabot): auto-merge safe npm updates

* docs(release): clarify branch migration and defaults

Author: oleg-koval

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,41 @@
+name: Dependabot Auto Merge
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: dependabot-auto-merge-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  enable-auto-merge:
+    if: >
+      github.event.pull_request.user.login == 'dependabot[bot]' &&
+      github.event.pull_request.head.repo.full_name == github.repository &&
+      !github.event.pull_request.draft
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable auto-merge for safe npm updates
+        if: >
+          steps.metadata.outputs.package-ecosystem == 'npm_and_yarn' &&
+          steps.metadata.outputs.update-type == 'version-update:semver-patch'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: gh pr merge --auto --merge "$PR_URL"

.github/workflows/dependabot-lockfile-fixer.yml

@@ -19,7 +19,7 @@ concurrency:
 jobs:
   fix-lockfiles:
     if: >
-      github.actor == 'dependabot[bot]' &&
+      github.event.pull_request.user.login == 'dependabot[bot]' &&
       github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
 

readme.md

@@ -95,6 +95,11 @@ For this repository itself, stable releases come from `main` and prereleases com
 
 ## Usage
 
+<p>
+  <strong style="color:#b91c1c;">Migration notice:</strong>
+  this preset does not hardcode consumer release branches. `main` is the documented default, but if your repository still releases from `master` or another branch, set `branches` explicitly in your repo-local semantic-release config.
+</p>
+
 Example `.releaserc.yaml`:
 
 ```yaml
@@ -108,6 +113,17 @@ debug: false
 
 If your repository releases from a different branch, set `branches` explicitly in your repo-local config.
 
+Example migration from `master`:
+
+```yaml
+branches:
+  - master
+extends: "semantic-release-npm-github-publish"
+ci: false
+dryRun: false
+debug: false
+```
+
 ## When To Use This Preset
 
 Use this package when you want:
@@ -124,7 +140,9 @@ Use repo-local plugin composition instead when your team wants different plugins
 - Consumer-facing examples now use `main`.
 - Repository automation publishes stable releases from `main` and prereleases from `beta`.
 - The repository default branch is `main`, and all badges and examples now follow that.
+- The shared preset does not hardcode release branches for consumers; set `branches` in your repo-local config when you do not release from `main`.
 - Dependabot PRs can auto-refresh `package-lock.json` through the dedicated lockfile-fixer workflow.
+- Dependabot npm patch updates can enable GitHub auto-merge after required checks pass.
 - The old README wording that inverted `fix` and `feat` was documentation drift. The actual release behavior has been corrected and is now covered by tests.
 
 ## Contributing