diff --git a/.github/workflows/automated-prs-manager.yaml b/.github/workflows/automated-prs-manager.yaml
new file mode 100644
index 0000000000..e27f5f5814
--- /dev/null
+++ b/.github/workflows/automated-prs-manager.yaml
@@ -0,0 +1,101 @@
+name: Automated PRs Manager
+
+on:
+  schedule:
+  - cron: "0 */6 * * *" # every 6 hours
+  workflow_dispatch: {}
+
+jobs:
+  list-prs:
+    runs-on: ubuntu-latest
+    outputs:
+      prs: ${{ steps.list-prs.outputs.prs }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: List PRs
+        id: list-prs
+        env:
+          GH_TOKEN: ${{ secrets.NIGHTLY_GH_PAT }}
+        run: |
+          set -euo pipefail
+
+          # list prs that are less than 24h old and exclude prs from forks
+
+          dependabot_prs=$(
+            gh pr list \
+              --author 'dependabot[bot]' \
+              --json url,createdAt,headRefName,headRepository,headRepositoryOwner \
+              -q '.[] | select((.createdAt | fromdateiso8601 > now - 24*60*60) and .headRepositoryOwner.login == "replicatedhq" and .headRepository.name == "kots")'
+          )
+
+          replicated_ci_kots_prs=$(
+            gh pr list \
+              --author 'replicated-ci-kots' \
+              --json url,createdAt,headRefName,headRepository,headRepositoryOwner \
+              -q '.[] | select(.createdAt | fromdateiso8601 > now - 24*60*60 and .headRepositoryOwner.login == "replicatedhq" and .headRepository.name == "kots")'
+          )
+
+          prs=$(echo "$dependabot_prs" "$replicated_ci_kots_prs" | jq -sc '. | unique')
+          echo "prs=$prs" >> "$GITHUB_OUTPUT"
+
+  process-prs:
+    needs: list-prs
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        pr: ${{ fromJson(needs.list-prs.outputs.prs) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ matrix.pr.headRefName }}
+
+      - name: Process PR
+        env:
+          GH_TOKEN: ${{ secrets.NIGHTLY_GH_PAT }}
+        run: |
+          set -euo pipefail
+
+          echo "Ensuring required labels..."
+          gh pr edit "${{ matrix.pr.url }}" --add-label "type::security"
+
+          echo "Checking status of tests..."
+          run_id=$(gh run list --branch "${{ matrix.pr.headRefName }}" --workflow build-test --limit 1 --json databaseId -q '.[0].databaseId')
+
+          # If there are still pending jobs, skip.
+
+          num_of_pending_jobs=$(gh run view "$run_id" --json jobs -q '.jobs[] | select(.conclusion == "") | .name' | wc -l)
+          if [ "$num_of_pending_jobs" -gt 0 ]; then
+            echo "There are still pending jobs. Skipping."
+            exit 0
+          fi
+
+          # If all tests and required checks passed, approve and merge.
+
+          if gh run view "$run_id" --json jobs -q '.jobs[] | select(.name == "validate-success") | .conclusion' | grep -q "success"; then
+            if gh pr checks "${{ matrix.pr.url }}" --required; then
+              echo "All tests and required checks passed. Approving and merging."
+              echo -e "LGTM :thumbsup: \n\nThis PR was automatically approved and merged by the [automated-prs-manager](https://github.com/replicatedhq/kots/blob/main/.github/workflows/automated-prs-manager.yaml) GitHub action" > body.txt
+              gh pr review --approve "${{ matrix.pr.url }}" --body-file body.txt
+              gh pr merge --auto --squash "${{ matrix.pr.url }}"
+              exit 0
+            else
+              echo "All tests passed, but some required PR checks have not. Skipping."
+              exit 0
+            fi
+          fi
+
+          # If more than half of the validate-* jobs are successful, re-run the failed jobs.
+
+          num_of_jobs=$(gh run view "$run_id" --json jobs -q '.jobs[] | select(.name | startswith("validate-")) | .name' | wc -l)
+          num_of_successful_jobs=$(gh run view "$run_id" --json jobs -q '.jobs[] | select((.name | startswith("validate-")) and (.conclusion == "success")) | .name' | wc -l)
+
+          if [ "$num_of_successful_jobs" -gt $((num_of_jobs / 2)) ]; then
+            echo "More than half of the validate-* jobs are successful. Re-running failed jobs."
+            gh run rerun "$run_id" --failed
+            exit 0
+          fi
+
+          echo "Less than half of the validate-* jobs are successful. Skipping."
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index f189a4e05f..387c89e352 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -3948,19 +3948,3 @@ jobs:
       - name: succeed if validate-pr-tests job succeeded
         if: needs.validate-pr-tests.result == 'success'
         run: echo "Validation succeeded"
-
-  dependabot:
-    runs-on: ubuntu-20.04
-    needs: [ validate-success ]
-    # Reference as to why this weird conditional is needed: https://github.com/actions/runner/issues/2205
-    if: always() && needs.validate-success.result == 'success' && github.event.pull_request.user.login == 'dependabot[bot]'
-    permissions:
-      contents: write
-      pull-requests: write
-    steps:
-      - name: Approve & Merge PR
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          gh pr review --approve ${{ github.event.pull_request.html_url }} --body "LGTM :thumbsup:"
-          gh pr merge --auto --squash ${{ github.event.pull_request.html_url }}