ci: auto-merge minor/patch version update by dependabot

This step is copy-pasted from the Zeebe repository.
It will run when the test-summary step has completed. If it did it means the PR can be merged.

.github/workflows/build-test.yml

@@ -147,3 +147,37 @@ jobs:
           path: ${{ github.event_path }}
           retention-days: 1
 
+  auto-merge:
+    # This workflow will auto merge a PR authored by dependabot[bot]. It runs only on open PRs ready for
+    # review.
+    #
+    # It will merge the PR only if: it is authored by dependabot[bot], is a minor or patch semantic
+    # update, and all CI checks are successful (ignoring the soon-to-be-removed Jenkins check).
+    #
+    # The workflow is divided into multiple sequential jobs to allow giving only minimal permissions to
+    # the GitHub token passed around.
+    #
+    # Once we're using the merge queue feature, I think we can simplify this workflow a lot by relying
+    # on dependabot merging PRs via its commands, as it will always wait for checks to be green before
+    # merging.
+    name: Auto-merge dependabot PRs
+    runs-on: ubuntu-latest
+    needs: [ test-summary ]
+    if: github.repository == 'camunda/zeebe' && github.actor == 'dependabot[bot]'
+    permissions:
+      checks: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v3
+      - id: metadata
+        name: Fetch dependency metadata
+        uses: dependabot/fetch-metadata@v1.3.6
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - id: approve-and-merge
+        name: Approve and merge PR
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
+        run: gh pr review ${{ github.event.pull_request.number }} --approve -b "bors merge"
+        env:
+          GITHUB_TOKEN: "${{secrets.GITHUB_TOKEN}}"
+