diff --git a/.github/workflows/approve-and-merge.yaml b/.github/workflows/approve-and-merge.yaml index cb186933..a866c3ab 100644 --- a/.github/workflows/approve-and-merge.yaml +++ b/.github/workflows/approve-and-merge.yaml 
@@ -48,19 +48,40 @@ jobs: else echo "Label auto-approved already exists. Skipping creation." fi - echo "Fetching open Dependabot PRs older than 3 days..." - # Get PRs by dependabot, filter by age - gh pr list --repo "$GITHUB_REPOSITORY" --author app/dependabot --state open --json number,createdAt,title --jq '.[] | select((.createdAt | fromdateiso8601) < (now - 259200))' | jq -c '.' | while IFS= read -r pr; do + echo "Fetching open Dependabot PRs older than 3 days and newer than 30 days ..." + + gh pr list --repo "$GITHUB_REPOSITORY" --author app/dependabot --state open --json number,createdAt,title,labels,headRefName --jq '.[] | select((.createdAt | fromdateiso8601) < (now - 259200))' | jq -c '.' | while IFS= read -r pr; do number=$(echo "$pr" | jq -r '.number') title=$(echo "$pr" | jq -r '.title') + labels=$(echo "$pr" | jq -r '[.labels[].name] | join(",")') + branch=$(echo "$pr" | jq -r '.headRefName') echo "👉 Processing PR #$number: $title" - #gh pr comment "$number" --repo "$GITHUB_REPOSITORY" --body "@dependabot rebase" + if echo "$labels" | grep -q "auto-approved"; then + mergeable_state=$(gh pr view "$number" --repo "$GITHUB_REPOSITORY" --json mergeStateStatus --jq '.mergeStateStatus') + if [ "$mergeable_state" = "DIRTY" ]; then + echo "❌ Skipping PR #$number: merge conflicts detected" + continue + else + echo "✅ PR #$number is up to date." + fi + fi + + echo "🔍 Checking CI status for PR #$number..." 
+ commit_sha=$(gh pr view "$number" --repo "$GITHUB_REPOSITORY" --json headRefOid --jq '.headRefOid') + + checks_state=$(gh api repos/$GITHUB_REPOSITORY/commits/$commit_sha/check-runs --jq '[.check_runs[].conclusion] | unique | join(",")') + + if echo "$checks_state" | grep -Eiq 'failure|timed_out|cancelled|action_required'; then + echo "❌ Skipping PR #$number: one or more checks failed ($checks_state)" + continue + fi + + echo "🚀 Approving and merging PR #$number" gh pr review "$number" --repo "$GITHUB_REPOSITORY" --approve gh pr merge "$number" --repo "$GITHUB_REPOSITORY" --squash --auto gh pr edit "$number" --repo "$GITHUB_REPOSITORY" --add-label auto-approved - echo "✅ Done with PR #$number" done diff --git a/README.MD b/README.MD index 745337ba..1edee25d 100644 --- a/README.MD +++ b/README.MD @@ -4,13 +4,15 @@ This repository hosts [Reusable GitHub Workflows][re-usable-github-workflows]. The repository includes: -- [`add-to-project`](.github/workflows/add-to-project.yaml) workflow: when a new - issue or PR is added to a repository, it is also added - by default - to the +- [`add-to-project`](.github/workflows/add-to-project.yaml): when a new issue or + PR is added to a repository, it is also added - by default - to the [SynchroGuard platform project](https://github.com/orgs/zaphiro-technologies/projects/2) or to the project defined by `project-url` input parameter with status `new`. When a new PR is added, the PR is assigned to its creator. When a PR is set to ready, reviewers from `reviewers-team` input parameter (default value `backend-devs`) or `reviewers-individuals` (comma separated) are added. +- [`approve-and-merge`](.github/workflows/approve-and-merge.yaml): periodically + check for dependabot PRs, if their checks pass, approve and merge the PR. - [`manage-issues`](.github/workflows/manage-issues.yaml) workflow: automated issue and PR management including stale issue detection and priority synchronization. The workflow includes two main jobs: 
@@ -29,30 +31,33 @@ The repository includes: - [`check-pr`](.github/workflows/check-pr.yaml) workflow: when a new PR is added to a repository or any change occurs to the PR, the PR is validated to be sure that labels are valid. -- [`clean-up-storage`](.github/workflows/clean-up-storage.yaml) workflow: when a - new PR is closed, related cache and artifact are deleted. -- [`deployment`](.github/workflows/deployment.yaml) workflow: commit a container - image tag in the k8s-deployments repository -- [`markdown`](.github/workflows/markdown.yaml) workflow: lint all Markdown - documents and checks that the links referenced in the documents are valid. If - `skip-spell-check: false`, also, a spell checker is executed. -- [`release-notes`](.github/workflows/release-notes.yaml) workflow: - automatically updates release notes using PR titles and labels. -- [`golang`](.github/workflows/golang.yaml) workflow: lint, test and benchmark - Go Applications. The workflow includes authentication to GitHub Container - Registry in case tests rely on private images. To retrieve the images, you - need also to set - [`read permission`](https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package) - for the repository on the package. The workflow also scans for +- [`clean-up-docker`](.github/workflows/clean-up-docker.yaml): when a PR is + closed, related docker images and untagged ones are deleted +- [`clean-up-storage`](.github/workflows/clean-up-storage.yaml): when a new PR + is closed, related cache and artifact are deleted. +- [`deployment`](.github/workflows/deployment.yaml): commit a container image + tag in the k8s-deployments repository. +- [`docker`](.github/workflows/docker.yaml): build and push Docker images and + scans for vulnerabilities. +- [`golang`](.github/workflows/golang.yaml): lint, test and benchmark Go + Applications. 
The workflow includes authentication to GitHub Container + Registry in case tests rely on private images. The workflow also scans for vulnerabilities. -- [`docker`](.github/workflows/docker.yaml) workflow: build and push Docker - images and scans for vulnerabilities. -- [`clean-up-docker`](.github/workflows/clean-up-docker.yaml) workflow: when a - PR is closed, related docker images and untagged ones are deleted -- [`licensing`](.github/workflows/license.yaml) workflow: add licensing - information in file headers and check dependencies licensing compatibility. -- [`new-release`](.github/workflows/new-release.yaml) workflow: create a new - release (leveraging makefile to update packaging file version). +- [`license`](.github/workflows/license.yaml): add licensing information in file + headers and check dependencies licensing compatibility. +- [`lint`](.github/workflows/markdown.yaml): lint all Markdown and Yaml files. + In case of markdown documents, checks that the links referenced in the + documents are valid. If `skip-spell-check: false`, also, a spell checker is + executed. +- [`new-release`](.github/workflows/new-release.yaml): create a new release + (leveraging makefile to update packaging file version). +- [`python`](.github/workflows/python.yaml): lint, test python applications. The + workflow includes authentication to GitHub Container Registry in case tests + rely on private images. The workflow also scans for vulnerabilities. +- [`release-notes`](.github/workflows/release-notes.yaml): automatically updates + release notes using PR titles and labels. +- [`trivy-cache-update`](.github/workflows/trivy-cache-update.yaml): update + trivy cache image. Some of these workflows are configured as [starter workflows][starter-workflows] in the [`.github`][.github] repository, so that you can add them at any time diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 9a671b75..abb0a73c 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md 
@@ -55,6 +55,7 @@ ### Bug Fixes - Temporary fix for dvc boto3 import issue (PR #228 by @chicco785) +- approve-and-merge: fix continuous approval loops (PR #215 by @chicco785) - deployment: fix app token scope (PR #209 by @cosimomeli) - release notes: fix not progressive releases and detached head commits (PR #206 by @chicco785) @@ -88,10 +89,10 @@ ### Dependencies +- Bump EndBug/add-and-commit from 9 to 10 (PR #264 by @dependabot[bot]) - Bump dawidd6/action-download-artifact from 18 to 19 (PR #265 by @dependabot[bot]) - Bump actions/create-github-app-token from 2 to 3 (PR #261 by @dependabot[bot]) -- Bump EndBug/add-and-commit from 9 to 10 (PR #264 by @dependabot[bot]) - Bump dorny/paths-filter from 3 to 4 (PR #259 by @dependabot[bot]) - Bump docker/login-action from 3 to 4 (PR #262 by @dependabot[bot]) - Bump mikepenz/action-gh-release from 1 to 2 (PR #260 by @dependabot[bot])
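Review bot: in the `approve-and-merge.yaml` hunk the CI gate lets through PRs whose checks have not finished. `[.check_runs[].conclusion] | unique | join(",")` produces a string with no failure keyword when a run is still queued or in progress (its `conclusion` is null) and also when the commit has no check runs at all, so `grep -Eiq 'failure|timed_out|cancelled|action_required'` does not match and the PR is approved and queued for auto-merge on no evidence. Suggest requiring that the list is non-empty and every run has `.status == "completed"` before approving, e.g. `pending=$(gh api ... --jq '[.check_runs[] | select(.status != "completed")] | length')` followed by `continue` when it is non-zero, and passing `--paginate` to `gh api` since the endpoint returns 30 runs per page by default. Smaller points in the same hunk: the new log line says "newer than 30 days" but the jq filter still applies only the 3-day lower bound; `$GITHUB_REPOSITORY` and `$commit_sha` are unquoted in the `gh api` path; `branch` is read from `headRefName` but never used; and a PR already labelled `auto-approved` that is not `DIRTY` falls through to `gh pr review --approve`, `gh pr merge` and `gh pr edit --add-label` again on every run, so if the label is meant to stop re-approval, add `continue` after the "is up to date" message.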
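Review bot: in the first `README.MD` hunk (`@@ -4,13 +4,15 @@`) the new `approve-and-merge` entry is a comma splice ("periodically check for dependabot PRs, if their checks pass, approve and merge the PR"); suggest "periodically checks for Dependabot PRs and, if their checks pass, approves and merges them." It also omits the 3-day age gate the workflow applies and the `auto-approved` label it adds, both worth a sentence for anyone calling the reusable workflow. The hunk drops the word "workflow:" from the `add-to-project` entry but leaves it on `manage-issues` (and on `check-pr` in the next hunk); pick one form for the whole list.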
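Review bot: in the second `README.MD` hunk (`@@ -29,30 +31,33 @@`) the renamed `lint` entry still links to `.github/workflows/markdown.yaml`; either the file was renamed and the link is stale, or the name and path disagree, so please confirm the path. The rewrite also removes the sentence and link explaining that read permission must be set on the package for the workflow to pull private images from GitHub Container Registry; that was the only place it was documented and it still applies to `golang` (and now `python`), so keep it. Wording: "lint, test python applications" should read "lint and test Python applications", "Yaml" should be "YAML", "build and push Docker images and scans for vulnerabilities" mixes verb forms ("scan"), and the `golang` description has a stray line break before "The workflow includes".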
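Review bot: in the `RELEASE_NOTES.md` hunk (`@@ -55,6 +55,7 @@`) the new Bug Fixes entry "approve-and-merge: fix continuous approval loops (PR #215 by @chicco785)" understates the change: the workflow hunk in this same patch also stops approving PRs with merge conflicts or failed check runs, which callers of the reusable workflow will notice; consider naming that behaviour change in the entry or adding a separate line for it.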