We get a lot of dependabot PRs that are to test-only dependencies (robolectric, mockito, junit) where we can't easily configure our current file-based rules for publishable since gradle files often do need publishing/CHANGELOGging, but where needing to override the publishable check adds annoying friction in getting them landed.

We should add a new set of rules specifically for dependabot PRs that allow certain dependencies by name. There's essentially no chance of someone accidentally creating a PR that would look like a dependabot PR, so false negatives shouldn't be an issue.