dependabot upgrades

Author: dpep

.github/workflows/dependabot.yml

@@ -4,24 +4,28 @@ on: pull_request
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+    if: startsWith(github.event.pull_request.user.login, 'dependabot')
     env:
       GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: checkout PR branch
         # set upstream for other gh commands
         run: gh pr checkout ${{github.event.pull_request.number}}
+      - name: Fetch PR metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
       - name: Approve PR
         run: |
           if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ]; then
             gh pr review --approve
           else
             echo "PR already approved"
           fi
-      - name: Fetch PR metadata
-        id: metadata
-        uses: dependabot/fetch-metadata@v1
       - name: Enable auto-merge
-        if: ${{steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
+        if: steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch'
         run: gh pr merge --auto --squash
+
+permissions:
+  contents: write
+  pull-requests: write