chore(ci): auto-merge Dependabot patch-level bumps

Add a workflow that auto-merges Dependabot PRs classified as
`version-update:semver-patch`. Minor and major updates still
require human review — those are the ones that realistically
carry breaking-change risk (Spring 4.x, Jedis 7.x, etc.).

Merge is gated by `--auto`, which waits for the repo's required
status checks (CI + CodeQL) to pass before completing. Without
the branch protection recently added on main, this wouldn't be
safe — a failing patch bump would merge immediately.

Reduces the weekly Dependabot manual-merge grind without opening
a hole for anything higher-risk than a point release.

Author: amavashev

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,23 @@
+name: Dependabot auto-merge
+
+on: pull_request
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  automerge:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    steps:
+      - name: Fetch Dependabot metadata
+        id: meta
+        uses: dependabot/fetch-metadata@v2
+
+      - name: Enable auto-merge for patch updates
+        if: steps.meta.outputs.update-type == 'version-update:semver-patch'
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}