ci: automatically merge PRs of semver-compatible updates

We receive a lot of PRs from dependabot for version updates to our lockfile and Cargo.toml. Whilst it is nice that those are explicit, they require quite some work from maintainers. Often, these PRs only get queued to be merged when a maintainer is next active on a repository which is also likely at a time they want to merge other PRs.

We don't want to automatically merge all updates that are coming in because they might be breaking changes for us if they are exposed in our public API. We solve this by only merging updates that are in a semver-compatible range:

- For major >= 1 updates, only approve them if they have the same major version.
- For major == 0 updates, only approve them if they have the same minor version.

We also add a rule to automatically queue PRs from dependabot with an approval. This avoids us having to approve AND apply the `send-it` label.

Resolves #4186.
Pull-Request: #4210.
Thomas Eizinger
2023-07-19 12:45:23 +02:00
committed by GitHub
parent d3b4714730
commit 237f37abae

17
.github/mergify.yml vendored

@@ -33,6 +33,14 @@ pull_request_rules:
actions:
queue:
- name: Add approved dependabot PRs to merge queue
conditions:
# All branch protection rules are implicit: https://docs.mergify.com/conditions/#about-branch-protection
- author=dependabot[bot]
- base=master
actions:
queue:
- name: Remove reviews on updates after PR is queued for merging
conditions:
- base=master
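Review bot: The new rule "Add approved dependabot PRs to merge queue" carries no approval condition of its own; its conditions are only `author=dependabot[bot]` and `base=master`, so the "approved" part rests entirely on the branch protection that the comment refers to. If that protection is ever relaxed, every dependabot PR against master would be queued, including the updates the approval rule deliberately leaves for a human. Consider adding an explicit `- "#approved-reviews-by>=1"` condition so the rule's name and its conditions agree without depending on repository settings.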
@@ -52,6 +60,15 @@ pull_request_rules:
actions:
review:
- name: Approve dependabot PRs of semver-compatible updates
conditions:
- author=dependabot[bot]
- or:
- title~=bump [^\s]+ from ([1-9]+)\..+ to \1\. # For major >= 1 versions, only approve updates with the same major version.
- title~=bump [^\s]+ from 0\.([\d]+)\..+ to 0\.\1\. # For major == 0 versions, only approve updates with the same minor version.
actions:
review:
queue_rules:
- name: default
conditions: []
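Review bot: In the first `title~=` pattern, `([1-9]+)` cannot match a major version that contains the digit 0, so a bump such as 10.1.0 to 10.2.0 is never auto-approved; this fails safe, but `([1-9]\d*)` would cover those versions while still excluding major 0. In the second pattern, `0\.([\d]+)\.` also accepts minor 0, so a 0.0.x to 0.0.y bump is approved even though Cargo's default version requirements treat each 0.0.x release as incompatible; requiring a non-zero minor with `0\.([1-9]\d*)\.` would keep those for manual review. Both patterns depend on the wording of dependabot's PR title, which is worth saying in the comments next to them.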