diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
new file mode 100644
index 0000000..8e88fbd
--- /dev/null
+++ b/.github/workflows/automerge.yml
@@ -0,0 +1,43 @@
+# This doesn't work on forked repos per the discussion in
+# https://github.com/pascalgn/automerge-action/issues/46 so don't attempt to
+# add people other than dependabot to the if field below.
+name: automerge
+on:
+  pull_request_target:
+    types:
+      - labeled
+jobs:
+  approve-and-merge-dependabot:
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'dependencies')
+    runs-on: ubuntu-latest
+    permissions:
+      # wait-on-check requires check read
+      checks: read
+      # enable-automerge is a graphql query, not REST, so isn't documented,
+      # except in a mention in
+      # https://github.blog/changelog/2021-02-04-pull-request-auto-merge-is-now-generally-available/
+      # which says "can only be enabled by users with permissino to merge"; the
+      # REST documentation says you need contents: write to perform a merge.
+      # https://github.community/t/what-permission-does-a-github-action-need-to-call-graphql-enablepullrequestautomerge/197708 says this is it
+      contents: write
+      # auto-approve-action requires write on actions
+      actions: write
+    steps:
+
+    # Enable auto-merge *before* issuing an approval.
+    - name: Enable Github Automerge
+      uses: alexwilson/enable-github-automerge-action@main
+      with:
+        github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+    - uses: lewagon/wait-on-check-action@v1.1.1
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+        check-name: test
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        wait-interval: 60
+
+    # We "trust" dependabot updates (this still requires all other checks to pass!)
+    - uses: hmarr/auto-approve-action@5d04a5ca6da9aeb8ca9f31a5239b96fc3e003029
+      with:
+        github-token: "${{ secrets.GITHUB_TOKEN }}"