Add auto approval for auto merge

The auto merge process needs two reviews to meet Project Mu branch
protection policy requirements. This change auto approves dependency
update pull requests so they can be auto merged.

Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>

.github/workflows/AutoMerger.yml

@@ -13,6 +13,27 @@ on:
   workflow_call:
 
 jobs:
+  bot_approval:
+    name: Bot Approval
+    if: |
+      github.event_name == 'pull_request_target' &&
+      github.event.action == 'opened' &&
+      (github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'uefibot')
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+
+    steps:
+      - uses: hmarr/auto-approve-action@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          review-message: "🤖 auto approved a ${{ github.event.pull_request.user.login }} PR."
+
+      - uses: hmarr/auto-approve-action@v3
+        with:
+          github-token: ${{ secrets.MU_BOT_AUTO_MERGE }}
+          review-message: "🤖 auto approved a ${{ github.event.pull_request.user.login }} PR."
+
   auto_merge:
     name: Merge
     runs-on: ubuntu-latest
@@ -29,6 +50,7 @@ jobs:
         uses: pascalgn/automerge-action@v0.15.5
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          MERGE_ERROR_FAIL: "false"     # Do not fail if an auto merge couldn't happen
           MERGE_FILTER_AUTHOR: "${{ matrix.author }}"
           MERGE_FORKS: "false"          # dependabot and uefibot come from local repo branches - forks not needed
           MERGE_LABELS: "!state:duplicate,!state:invalid,!state:needs-maintainer-feedback,!state:needs-submitter-info,!state:under-discussion,!state:wont-fix,!type:notes,!type:question"

.sync/workflows/leaf/auto-merge.yml

@@ -39,3 +39,4 @@ on:
 jobs:
   merge_check:
     uses: microsoft/mu_devops/.github/workflows/AutoMerger.yml@{{ sync_version.mu_devops }}
+    secrets: inherit