feat: add CI, dependabot config, and auto-merge workflow

[diberry]

Summary

Add CI, dependabot configuration, and auto-merge workflow to reduce manual dependency maintenance.

Changes

.github/dependabot.yml (updated)

• Removed 18 entries pointing to directories that no longer exist
• Added 8 new entries for current sub-packages (quickstarts/ai-agents, quickstarts/ai-search, quickstarts/azure-sql, quickstarts/key-vault, quickstarts/openai, quickstarts/storage, sdk/chained-credentials, ts-boilerplate-esm)
• Added github-actions ecosystem coverage
• Switched from daily to weekly (Monday) schedule
• Added dependency groups to reduce PR noise:
  • dev-dependencies — dev deps grouped for minor/patch
  • azure-sdk — @azure/* and azure-* packages
  • types — @types/* packages
  • eslint-tooling — eslint, typescript-eslint, prettier

.github/workflows/ci.yml (new)

• Matrix install-check across 14 key sub-packages
• Runs npm ci (or npm install if no lockfile)
• Runs build and lint scripts where present (non-blocking)

.github/workflows/dependabot-auto-merge.yml (new)

• Auto-merges patch and minor dependabot PRs (squash + delete-branch)
• Blocks major version bumps for human review
• Guarded by github.actor == 'dependabot[bot]'
• Uses dependabot/fetch-metadata@v2 for semver classification

Open Dependabot PR Audit (35 PRs)

10 patch/minor (safe to auto-merge once CI passes):

• Bump typescript-eslint from 8.24.0 to 8.46.2 in /azure-upload-file-to-storage/app #1632 typescript-eslint 8.24→8.46, Bump eslint from 9.20.1 to 9.38.0 in /azure-upload-file-to-storage/app #1622/Bump eslint from 9.20.1 to 9.38.0 in /azure-upload-file-to-storage/api #1615 eslint 9.20→9.38
• Bump typescript from 5.7.3 to 5.9.3 in /azure-upload-file-to-storage/api #1554 typescript 5.7→5.9, Bump @azure/functions from 4.6.1 to 4.8.0 in /azure-upload-file-to-storage/api #1484 @azure/functions 4.6→4.8
• Bump prettier from 3.5.1 to 3.6.2 in /azure-upload-file-to-storage/api #1296/Bump prettier from 3.5.1 to 3.6.2 in /azure-upload-file-to-storage/app #1294 prettier 3.5→3.6
• Bump @azure/functions from 4.0.0-alpha.9 to 4.11.0 in /api-inmemory #1703/Bump @azure/functions from 4.0.0-alpha.9 to 4.8.0 in /api-functions-v4-azure-resource-management #1483 @azure/functions alpha→stable (same major)
• Bump azure-functions-core-tools from 4.0.5095 to 4.6.0 in /api-inmemory #1690 azure-functions-core-tools 4.x

25 major (need human review):

• openai 4→6 (Bump openai from 4.104.0 to 6.17.0 in /quickstarts/azure-openai-assistants/ts #1723, Bump openai from 4.104.0 to 6.17.0 in /quickstarts/azure-openai-assistants/js #1721) — breaking API changes
• express 4→5 (Bump express from 4.21.0 to 5.2.1 in /api-expressjs-vm #1671) — middleware/routing changes
• vite 4→7 (Bump vite from 4.5.14 to 7.1.12 in /app-react-vite #1635) — config format changes
• @types/node 18/20/22→24/25 (Bump @types/node from 20.19.30 to 25.2.0 in /quickstarts/service-bus/ts #1728, Bump @types/node from 20.19.30 to 25.2.0 in /quickstarts/azure-openai-assistants/ts #1727, Bump @types/node from 18.19.130 to 25.2.0 in /api-inmemory #1726, Bump @types/node from 22.13.4 to 24.9.2 in /azure-upload-file-to-storage/api #1642, Bump @types/node from 18.15.10 to 24.9.2 in /api-functions-v4-azure-resource-management #1640)
• typescript 4→5 (Bump typescript from 4.9.5 to 5.9.3 in /api-inmemory #1558, Bump typescript from 4.9.5 to 5.9.3 in /api-functions-v4-azure-resource-management #1555, Bump typescript from 4.9.5 to 5.9.3 in /app-react-vite #1549)
• dotenv 16→17 (Bump dotenv from 16.6.1 to 17.2.3 in /quickstarts/service-bus/ts #1548, Bump dotenv from 16.6.1 to 17.2.3 in /quickstarts/azure-openai-assistants/ts #1541, Bump dotenv from 16.6.1 to 17.2.3 in /quickstarts/azure-openai-assistants/js #1540)
• eslint 8→9 (Bump eslint from 8.57.1 to 9.39.2 in /quickstarts/service-bus/ts #1688), @typescript-eslint/parser 5→8 (Bump @typescript-eslint/parser from 5.62.0 to 8.54.0 in /quickstarts/service-bus/ts #1720)
• styled-components 5→6 (Bump styled-components from 5.3.11 to 6.1.19 in /app-react-vite #1263), pm2 5→6 (Bump pm2 from 5.4.2 to 6.0.14 in /api-expressjs-vm #1669)
• @azure/identity 3→4 (Bump @azure/identity from 3.1.3 to 4.13.0 in /api-functions-v4-azure-resource-management #1586), @azure/arm-resources 5→7 (Bump @azure/arm-resources from 5.2.0 to 7.0.0 in /api-functions-v4-azure-resource-management #1385)
• @types/react 18→19 (Bump @types/react from 18.3.26 to 19.2.2 in /app-react-vite #1581), @vitejs/plugin-react 3→5 (Bump @vitejs/plugin-react from 3.1.0 to 5.1.0 in /app-react-vite #1636)
• globals 15→16 (Bump globals from 15.15.0 to 16.4.0 in /azure-upload-file-to-storage/app #1486), react-dom major (Bump react-dom and @types/react-dom in /azure-upload-file-to-storage/app #1046)

Potential merge conflicts (multiple PRs modify same package.json):

• api-inmemory/: Bump @types/node from 18.19.130 to 25.2.0 in /api-inmemory #1726, Bump @azure/functions from 4.0.0-alpha.9 to 4.11.0 in /api-inmemory #1703, Bump azure-functions-core-tools from 4.0.5095 to 4.6.0 in /api-inmemory #1690, Bump typescript from 4.9.5 to 5.9.3 in /api-inmemory #1558
• api-functions-v4-azure-resource-management/: Bump @types/node from 18.15.10 to 24.9.2 in /api-functions-v4-azure-resource-management #1640, Bump typescript from 4.9.5 to 5.9.3 in /api-functions-v4-azure-resource-management #1555, Bump @azure/identity from 3.1.3 to 4.13.0 in /api-functions-v4-azure-resource-management #1586, Bump @azure/functions from 4.0.0-alpha.9 to 4.8.0 in /api-functions-v4-azure-resource-management #1483, Bump @azure/arm-resources from 5.2.0 to 7.0.0 in /api-functions-v4-azure-resource-management #1385
• app-react-vite/: Bump @vitejs/plugin-react from 3.1.0 to 5.1.0 in /app-react-vite #1636, Bump vite from 4.5.14 to 7.1.12 in /app-react-vite #1635, Bump typescript from 4.9.5 to 5.9.3 in /app-react-vite #1549, Bump @types/react from 18.3.26 to 19.2.2 in /app-react-vite #1581, Bump styled-components from 5.3.11 to 6.1.19 in /app-react-vite #1263
• azure-upload-file-to-storage/api: Bump @types/node from 22.13.4 to 24.9.2 in /azure-upload-file-to-storage/api #1642, Bump typescript from 5.7.3 to 5.9.3 in /azure-upload-file-to-storage/api #1554, Bump @azure/functions from 4.6.1 to 4.8.0 in /azure-upload-file-to-storage/api #1484, Bump eslint from 9.20.1 to 9.38.0 in /azure-upload-file-to-storage/api #1615, Bump prettier from 3.5.1 to 3.6.2 in /azure-upload-file-to-storage/api #1296
• quickstarts/azure-openai-assistants/ts: Bump @types/node from 20.19.30 to 25.2.0 in /quickstarts/azure-openai-assistants/ts #1727, Bump openai from 4.104.0 to 6.17.0 in /quickstarts/azure-openai-assistants/ts #1723, Bump dotenv from 16.6.1 to 17.2.3 in /quickstarts/azure-openai-assistants/ts #1541

Blockers

• Push access to Azure-Samples org required to merge this PR
• Branch protection with required status checks needed for auto-merge to function