Auto-merge ruby-builder-bot PRs

This PR is trying to drive the conversation from
https://bugs.ruby-lang.org/issues/21804. I don't know that it's a good
idea to auto-merge on a project so critical in the Ruby supply
chain. For a foundational action that runs across thousands of CI
pipelines, the blast radius of a bad merge is huge.

Auto-merge might be reasonable, but only if it’s tightly scoped to
low-risk, mechanically generated changes with strong guardrails.

Pros:

- Faster propagation of routine updates (e.g., version lists, metadata bumps) without maintainer latency.
- Less maintainer toil on high-frequency bot PRs.
- More consistent update cadence and fewer stale PRs.

Cons:

- Single-point-of-failure risk: a compromised bot or supply-chain attack can push a bad change quickly to many downstream users.
- Reduced human review on changes that may have subtle security or correctness impacts.
- Harder to detect abuse if tests can be manipulated or if the update surface grows over time.

Author: flavorjones

.github/workflows/auto-merge-bot-prs.yml

@@ -0,0 +1,28 @@
+name: Auto-merge bot PRs
+on:
+  workflow_run:
+    workflows: ["Test this action"]
+    types: [completed]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.actor.login == 'ruby-builder-bot' &&
+      github.event.workflow_run.pull_requests[0].user.login == 'ruby-builder-bot' &&
+      github.event.workflow_run.pull_requests[0].head.repo.full_name == 'ruby-builder-bot/setup-ruby'
+    steps:
+      - name: Merge PR
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh pr merge "${{ github.event.workflow_run.pull_requests[0].number }}" \
+            --repo "${{ github.repository }}" \
+            --squash \
+            --delete-branch