diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..d584054
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,37 @@
+version: 2
+registries:
+  docker-registry-eu-gcr-io:
+    type: docker-registry
+    url: https://eu.gcr.io
+    username: _json_key
+    password: "${{secrets.DOCKER_REGISTRY_EU_GCR_IO_PASSWORD}}"
+
+  github-org-private:
+    type: git
+    url: https://github.com
+    username: x-access-token
+    password: "${{secrets.GIT_HUB_ROBOT_TOKEN}}"
+
+  github-org-ruby-private:
+    type: rubygems-server
+    url: https://rubygems.pkg.github.com/gocardless
+    username: gocardless-robot-readonly
+    password: "${{secrets.GIT_HUB_ROBOT_TOKEN}}"
+
+updates:
+- package-ecosystem: bundler
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
+  insecure-external-code-execution: allow
+  registries:
+    - github-org-private
+    - github-org-ruby-private
+- package-ecosystem: docker
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
+  registries:
+    - docker-registry-eu-gcr-io
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
new file mode 100644
index 0000000..cafe5be
--- /dev/null
+++ b/.github/workflows/automerge.yml
@@ -0,0 +1,26 @@
+name: Dependabot Auto Merge
+on: pull_request_target
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' || (github.event.pull_request.user.login == 'dependabot[bot]' && github.actor == 'gocardless-robot') }}
+    steps:
+      - name: Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@v1.3.3
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Enable auto-merge for Dependabot PRs
+        if: |
+          steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' || steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor'
+        run: |
+          gh pr merge --auto --squash "$PR_URL"
+          gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: '${{ secrets.PUSH_REPO_TOKEN }}'