From 58a0de5f3d84e354b797a6a2efbc8a8ac55288e7 Mon Sep 17 00:00:00 2001
From: Albert Mavashev
Date: Sun, 7 Jun 2026 13:25:10 -0400
Subject: [PATCH] ci(automerge): use AUTOMERGE_PAT with GITHUB_TOKEN fallback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The default GITHUB_TOKEN cannot enable auto-merge on PRs that modify .github/workflows/** (github-actions ecosystem bumps), so those Dependabot PRs stall and need a manual/admin merge. Allow an optional AUTOMERGE_PAT secret (repo + workflow scope) to be used for `gh pr merge --auto`, falling back to GITHUB_TOKEN when the secret is not set — so behavior is unchanged until the secret is added.
---
 .github/workflows/dependabot-auto-merge.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 6ad171c..89d9f50 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -23,4 +23,8 @@ jobs:
 run: gh pr merge --auto --merge "$PR_URL"
 env:
 PR_URL: ${{ github.event.pull_request.html_url }}
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # AUTOMERGE_PAT (repo+workflow scope) lets auto-merge work on PRs that
+ # touch .github/workflows/** (e.g. github-actions bumps); the default
+ # GITHUB_TOKEN is forbidden by GitHub from doing so. Falls back to
+ # GITHUB_TOKEN when the secret is absent (unchanged behavior).
+ GH_TOKEN: ${{ secrets.AUTOMERGE_PAT || secrets.GITHUB_TOKEN }}
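Review bot: The new `GH_TOKEN` value gives the auto-merge step a personal access token with `repo` and `workflow` scope, which is broader and longer-lived than the per-run `GITHUB_TOKEN` it replaces, and the hunk does not show what restricts this job to Dependabot-authored PRs (the trigger and any `if:` condition sit above line 23, outside the hunk), so that gate should be confirmed before the secret is added. Because the token exists precisely so that changes under `.github/workflows/**` can merge without a human, branch protection with required status checks (and ideally required review for that path) becomes the only remaining control on what lands there. I would narrow the credential to a fine-grained token or GitHub App installation token limited to this repository and record that in the comment, e.g. `# AUTOMERGE_PAT: fine-grained token, this repo only (contents, pull requests, workflows: write); store it as a Dependabot secret.` If the workflow runs on Dependabot's `pull_request` events, only Dependabot secrets are exposed to it, so a secret defined only under Actions would silently fall through to `GITHUB_TOKEN`. Merges made with a PAT also start downstream workflow runs, which merges made with `GITHUB_TOKEN` do not, so the "unchanged behavior" statement holds only while the secret is unset.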