ci: handle #148 by skipping auto-merge on workflow changes (workaround for App workflows:write) (#152)

ci: skip auto-merge for PRs touching .github/workflows/ to avoid needing workflows:write on App token (#148)

Prevents the GraphQL error when App token tries --auto on workflow-editing PRs (e.g. release.yml changes).

See also #148 for granting the perm as preferred long-term fix.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/workflows/auto-approve.yml

@@ -41,8 +41,21 @@ jobs:
           client-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
 
+      - name: Check for workflow file changes (to avoid App token needing workflows:write)
+        id: wf-changes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pr="${{ github.event.pull_request.number }}"
+          if gh pr view "$pr" --json files --jq '.files[].path' | grep -q '^\.github/workflows/'; then
+            echo "changes=true" >> "$GITHUB_OUTPUT"
+            echo "PR touches .github/workflows/; will skip auto-merge (App lacks workflows:write)"
+          else
+            echo "changes=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Enable auto-merge
-        if: github.event.pull_request.user.login != 'patchloom-release[bot]'
+        if: github.event.pull_request.user.login != 'patchloom-release[bot]' && steps.wf-changes.outputs.changes != 'true'
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
         run: gh pr merge --auto --squash "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}"