fix: remove GH_AW_CI_TRIGGER_TOKEN; re-trigger CI via PR_BOT instead

- Remove github-token-for-extra-empty-commit from fix-renovate-tests.md
  (avoids needing a new long-lived PAT in the org)
- Add retrigger-ci-after-copilot-fix.yml: fires on pull_request:unlabeled
  for 'renovate-fix-needed'; uses existing PR_BOT_GITHUB_TOKEN app to
  push an empty commit that triggers CI on the renovate-agent branch
- Fix promote-renovate-pr.yml: workflow name was 'Continuous Integration
  Testing' but actual name in test.yaml is 'Python tests'

Author: jzbahrai

.github/workflows/fix-renovate-tests.md

@@ -24,7 +24,6 @@ safe-outputs:
     target: "*"
     title-prefix: "[renovate-agent]"
     labels: [renovate-fix-needed]
-    github-token-for-extra-empty-commit: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}
     protected-files: blocked
   remove-labels:
     allowed: [renovate-fix-needed]
@@ -98,11 +97,11 @@ Use `cat`, `grep`, and `find` to explore the repository before editing.
 ### 5. Push your fixes
 
 After making all edits, push them to the PR branch using
-`push-to-pull-request-branch`. The `github-token-for-extra-empty-commit`
-is configured, so CI will trigger automatically on your push.
+`push-to-pull-request-branch`.
 
 Then remove the `renovate-fix-needed` label from the PR using `remove-labels`
-to signal that the fix has been applied.
+to signal that the fix has been applied. A separate workflow will detect the
+label removal and push an empty commit to re-trigger CI.
 
 ### 6. If no action is needed
 

.github/workflows/promote-renovate-pr.yml

@@ -12,7 +12,7 @@ name: Promote Renovate Draft PR
 on:
   workflow_run:
     workflows:
-      - "Continuous Integration Testing"
+      - "Python tests"
       - "Continuous Integration Testing (prod feature flags)"
     types: [completed]
     branches:

.github/workflows/retrigger-ci-after-copilot-fix.yml

@@ -0,0 +1,41 @@
+name: Re-trigger CI after Copilot fix
+
+# When the gh-aw agentic workflow (fix-renovate-tests) pushes a code fix, it
+# removes the "renovate-fix-needed" label to signal completion.  Because
+# pushes made by GitHub Actions use GITHUB_TOKEN (which cannot trigger other
+# workflow runs), this workflow fires on that label removal and pushes an
+# empty commit via the Notify PR Bot — whose pushes DO trigger CI.
+
+on:
+  pull_request:
+    types: [unlabeled]
+    branches:
+      - "renovate-agent/**"
+
+jobs:
+  retrigger:
+    name: Push empty commit to re-trigger CI
+    runs-on: ubuntu-latest
+    # Only act when the removed label is the agentic-workflow signal label
+    if: github.event.label.name == 'renovate-fix-needed'
+
+    steps:
+      - name: Obtain a Notify PR Bot GitHub App Installation Access Token
+        run: |
+          TOKEN="$(npx --yes obtain-github-app-installation-access-token@1.1.0 ci ${{ secrets.PR_BOT_GITHUB_TOKEN }})"
+          echo "::add-mask::$TOKEN"
+          echo "BOT_TOKEN=$TOKEN" >> $GITHUB_ENV
+
+      - name: Checkout PR branch
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          token: ${{ env.BOT_TOKEN }}
+          ref: ${{ github.head_ref }}
+          fetch-depth: 1
+
+      - name: Push empty commit to trigger CI
+        run: |
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config user.name "Notify PR Bot"
+          git commit --allow-empty -m "chore: trigger CI after Copilot fix [skip changelog]"
+          git push