diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f0a589995c..cbd25937cd 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,6 +11,7 @@ updates: labels: - "dependabot" - "javascript" + - "type::security" ## Go mod
@@ -19,18 +20,18 @@ updates: schedule: interval: "daily" labels: - - "@actions/safe-to-test" - "dependabot" - "go" + - "type::security" - package-ecosystem: "gomod" directory: "/kurl_proxy" schedule: interval: "daily" labels: - - "@actions/safe-to-test" - "dependabot" - "go" + - "type::security" ## GitHub Actions
@@ -39,35 +40,6 @@ updates: schedule: interval: "weekly" labels: - - "@actions/safe-to-test" - "dependabot" - "github-actions" - - ## Dockerfiles - - - package-ecosystem: "docker" - directory: "/deploy" - schedule: - interval: "weekly" - labels: - - "@actions/safe-to-test" - - "dependabot" - - "docker" - - - package-ecosystem: "docker" - directory: "/kurl_proxy/deploy" - schedule: - interval: "weekly" - labels: - - "@actions/safe-to-test" - - "dependabot" - - "docker" - - - package-ecosystem: "docker" - directory: "/migrations/deploy" - schedule: - interval: "weekly" - labels: - - "@actions/safe-to-test" - - "dependabot" - - "docker" + - "type::security"
diff --git a/.github/workflows/dependabot-prs-manager.yaml b/.github/workflows/dependabot-prs-manager.yaml
new file mode 100644
index 0000000000..79df352bce
--- /dev/null
+++ b/.github/workflows/dependabot-prs-manager.yaml
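Review bot: The three removed `docker` ecosystem entries in the `@@ -39,35 +40,6 @@` hunk mean the base images under `/deploy`, `/kurl_proxy/deploy` and `/migrations/deploy` no longer receive Dependabot updates, and the hunk gives no indication that another process covers them; if the removal is deliberate, a comment at `## Dockerfiles` such as `## Dockerfiles: image bumps are handled outside Dependabot` would stop the entries being re-added. The new `type::security` label is attached to every Dependabot PR in all three hunks regardless of whether the bump comes from a security advisory, so the label can no longer distinguish security fixes from routine version updates. The dropped `@actions/safe-to-test` label presumably gated whether CI ran on these PRs; if that gate is still enforced elsewhere, it is worth confirming Dependabot PRs still get tested before anything merges them.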
@@ -0,0 +1,63 @@
+name: Dependabot PRs Manager
+
+on:
+ # TODO NOW: remove pull_request and uncomment schedule
+ pull_request:
+ # schedule:
+ # - cron: "0 0 * * *"
+
+jobs:
+ list-prs:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: List Dependabot PRs
+ id: dependabot-prs
+ run: |
+ set -euo pipefail
+
+ echo "Open Dependabot PRs:"
+ gh pr list --label dependabot
+
+ echo "prs=$(gh pr list --label dependabot --json number)" >> "$GITHUB_OUTPUT"
+
+ process-prs:
+ needs: list-prs
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ pr: ${{ fromJson(needs.list-prs.outputs.prs) }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Login with CI token
+ run: gh auth login --with-token < ${{ secrets.NIGHTLY_GH_PAT }}
+
+ - name: Merge PR
+ run: |
+ set +e
+
+ gh pr checks ${{ matrix.pr.number }} --required
+
+ EXIT_CODE=$?
+ if [ $EXIT_CODE -eq 0 ]; then
+ echo "All required checks passed. Approving and merging."
+ gh pr review ${{ matrix.pr.number }} --approve --comment "LGTM :thumbsup:"
+ gh pr merge ${{ matrix.pr.number }} --auto --squash --delete-branch
+ exit 0
+ fi
+
+ echo "Some required checks failed. Ensuring required labels and re-running failed tests."
+
+ # Ensure required labels
+ gh pr edit ${{ matrix.pr.number }} --add-label "type::security"
+
+ # Re-run failed tests
+ branch=$(gh pr view ${{ matrix.pr.number }} --json headRefName -q '.headRefName')
+ run_id=$(gh run list --branch $branch --workflow build-test --limit 1 --json databaseId -q '.[0].databaseId')
+ gh run rerun $run_id --failed
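Review bot: The PR selection `gh pr list --label dependabot --json number` trusts a label rather than the PR author, so any open PR that carries `dependabot` gets approved and merged with `NIGHTLY_GH_PAT` by the `Merge PR` step; select on the bot identity as well, `gh pr list --author app/dependabot --label dependabot --json number`. Two defects stop the workflow from working at all as written: `gh auth login --with-token < ${{ secrets.NIGHTLY_GH_PAT }}` redirects stdin from a file whose name is the secret's value instead of feeding the token, and `list-prs` declares no job-level `outputs`, so `needs.list-prs.outputs.prs` is empty and `fromJson` fails before the matrix is built; `gh` in `list-prs` also runs with no token. Passing the token through the step `env` as `GH_TOKEN` removes the login step and keeps the secret out of the rendered shell script. In the re-run branch `$branch` and `$run_id` are unquoted and `run_id` is empty when no `build-test` run exists for the branch, so guard it before `gh run rerun`. The `pull_request` trigger the TODO flags would also run this on every PR event, re-processing all open Dependabot PRs each time.
```yaml
jobs:
  list-prs:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: read
    outputs:
      prs: ${{ steps.dependabot-prs.outputs.prs }}
    steps:
      # … unchanged: checkout step …
      - name: List Dependabot PRs
        id: dependabot-prs
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          # select on the bot identity, not only on a label that repository triagers can apply
          echo "prs=$(gh pr list --author app/dependabot --label dependabot --json number)" >> "$GITHUB_OUTPUT"

  process-prs:
    # … unchanged: needs / runs-on / strategy …
    steps:
      # … unchanged: checkout step; the "Login with CI token" step is dropped …
      - name: Merge PR
        env:
          GH_TOKEN: ${{ secrets.NIGHTLY_GH_PAT }}
        run: |
          set +e
          # … unchanged: required-checks gate, approve, merge, label …
          branch=$(gh pr view ${{ matrix.pr.number }} --json headRefName -q '.headRefName')
          run_id=$(gh run list --branch "$branch" --workflow build-test --limit 1 --json databaseId -q '.[0].databaseId')
          if [ -z "$run_id" ]; then
            echo "No build-test run found for $branch; nothing to re-run."
            exit 0
          fi
          gh run rerun "$run_id" --failed
```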