Skip to content

Enable Auto-Merge fails on PRs that modify workflow files (App token lacks workflows permission) #559

Description

@devantler

🤖 Generated by the Daily AI Engineer

Problem

The 🔀 Enable Auto-Merge workflow's arming step fails hard on any PR that modifies a file under .github/workflows/:

GraphQL: Pull request refusing to allow a GitHub App to create or update workflow `.github/workflows/ci.yaml` without `workflows` permission (enablePullRequestAutoMerge)

Live case: platform#2584 (touches ci.yaml) — the App approval succeeds, then enablePullRequestAutoMerge is refused and the step exits 1, leaving a permanently red auto-merge check on an otherwise-green promoted PR (run 29179566420, 2026-07-12). Any workflow-touching PR in any consumer repo hits this.

Proposed direction

Two complementary fixes at the root cause:

  1. Request permission-workflows: write in the create-github-app-token mint used by this workflow (the installation already carries workflows:write org-wide), so arming succeeds on workflow-touching PRs.
  2. Degrade gracefully as the existing self-approval carve-out does: if arming is still refused with the without \workflows` permission` error, emit a warning and exit 0 (the PR simply isn't auto-armed; a trusted human merges manually) instead of failing the check.

Rough size

Small — one token-mint input + one error-branch in the arming step of .github/workflows/enable-auto-merge.yaml. Should be tested both states (workflow-touching PR and normal PR) per the feature-flag/both-states discipline.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions