Add Dependabot auto-merge workflow

[keysersoft]

Summary

• Adds .github/workflows/dependabot-auto-merge.yml that auto-approves and enables --auto merge on Dependabot PRs that are patch or minor in the npm or github-actions ecosystems.
• Higher-risk bumps (majors, Docker base images like node 22→25, deploy-action majors) are labelled needs-review with an explanatory comment and left for a human.
• Repo-level settings already updated separately: allow_auto_merge=true, delete_branch_on_merge=true.

Safety model

• Uses gh pr merge --auto, so the merge fires only after required CI checks pass.
• Recommended follow-up: enable branch protection on main with the existing CI jobs (Backend, Frontend) marked as required. Without it, --auto still waits for CI but does not enforce reviews.
• The 16 currently-open Dependabot PRs are not touched until a new event fires; they can be triggered manually via gh pr update-branch or by closing/reopening.

Test plan

• Merge this PR.
• Pick one open Dependabot PR (e.g. Bump the jest group across 1 directory with 2 updates #114 jest group), close-and-reopen to retrigger the workflow, and verify it gets auto-approved + auto-merged once CI is green.
• Pick one excluded PR (e.g. Bump node from 22-alpine to 25-alpine #104 node 22→25) and verify it gets the needs-review label and the explanatory comment instead.