Remove Dependabot auto-merge workflow

[erain]

Summary

This PR removes the auto-merge functionality for Dependabot PRs that was introduced in #1035.

Rationale

While the original intent of auto-merge was to reduce manual toil for routine dependency updates, automatic merging has proven to be risky for this repository.

The Problem

The auto-merge workflow only considered semantic versioning classifications (patch and minor updates) when deciding whether to auto-merge:

if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' }}

However, this is insufficient for Kubernetes-related dependencies where "minor" version bumps can introduce breaking API changes.

Real-world Example

A recent auto-merged commit (13a30c12) updated k8s.io/apiserver from 0.33.1 to 0.35.2.

This was classified as a "version-update:semver-minor" update, but:

• The jump spans two minor versions (0.33 → 0.35)
• Kubernetes Go module minor versions often contain API deprecations and behavioral changes
• Such changes require human review to assess impact on the custom metrics adapter and other components

Proposed Change

Remove the .github/workflows/dependabot-auto-merge.yaml workflow entirely. After this change:

• All Dependabot PRs will require manual review and approval
• Maintainers can properly assess the risk of each dependency update
• Safety is prioritized over automation convenience

Related

• Introduced in: Improve CI coverage and enable Dependabot auto-merge #1035
• Problematic auto-merge: 13a30c12

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[juli4n]

Thanks!