My team is trying to set up dependabot auto merge. We have auto approve working using the github token and granted PR write permissions but the same does not work for auto merge. Is there a way to get auto merge working without a PAT? Setting up a PAT for each repo in our Org isn't feasible.

This question isn't really about fetch-metadata, but rather the overall Dependabot tokens, and the current behavior is already explained in detail here:

• dependabot/dependabot-core#1973

Is there a way to get auto merge working without a PAT?

For now, you need a PAT.

Setting up a PAT for each repo in our Org isn't feasible.

Yeah, that's painful. I don't think there's currently a way to set an org-level PAT, but I'm not fully sure TBH. I suggest open a discussion in https://github.com/orgs/community/discussions/categories/code-security