🤖 Generated by the Daily AI Engineer
Problem
The 🔀 Enable Auto-Merge workflow's arming step fails hard on any PR that modifies a file under .github/workflows/:
GraphQL: Pull request refusing to allow a GitHub App to create or update workflow `.github/workflows/ci.yaml` without `workflows` permission (enablePullRequestAutoMerge)
Live case: platform#2584 (touches ci.yaml) — the App approval succeeds, then enablePullRequestAutoMerge is refused and the step exits 1, leaving a permanently red auto-merge check on an otherwise-green promoted PR (run 29179566420, 2026-07-12). Any workflow-touching PR in any consumer repo hits this.
Proposed direction
Two complementary fixes at the root cause:
- Request
permission-workflows: write in the create-github-app-token mint used by this workflow (the installation already carries workflows:write org-wide), so arming succeeds on workflow-touching PRs.
- Degrade gracefully as the existing self-approval carve-out does: if arming is still refused with the
without \workflows` permission` error, emit a warning and exit 0 (the PR simply isn't auto-armed; a trusted human merges manually) instead of failing the check.
Rough size
Small — one token-mint input + one error-branch in the arming step of .github/workflows/enable-auto-merge.yaml. Should be tested both states (workflow-touching PR and normal PR) per the feature-flag/both-states discipline.
Problem
The
🔀 Enable Auto-Mergeworkflow's arming step fails hard on any PR that modifies a file under.github/workflows/:Live case: platform#2584 (touches
ci.yaml) — the App approval succeeds, thenenablePullRequestAutoMergeis refused and the step exits 1, leaving a permanently redauto-mergecheck on an otherwise-green promoted PR (run 29179566420, 2026-07-12). Any workflow-touching PR in any consumer repo hits this.Proposed direction
Two complementary fixes at the root cause:
permission-workflows: writein thecreate-github-app-tokenmint used by this workflow (the installation already carries workflows:write org-wide), so arming succeeds on workflow-touching PRs.without \workflows` permission` error, emit a warning and exit 0 (the PR simply isn't auto-armed; a trusted human merges manually) instead of failing the check.Rough size
Small — one token-mint input + one error-branch in the arming step of
.github/workflows/enable-auto-merge.yaml. Should be tested both states (workflow-touching PR and normal PR) per the feature-flag/both-states discipline.