Problem
Dependabot PRs that modify workflow files (like .github/workflows/test.yml) cannot be auto-merged using the default GITHUB_TOKEN. GitHub requires a token with the workflow scope.
Example: PR #411 (actions/cache bump) failed auto-merge with:
GraphQL: Pull request refusing to allow a Personal Access Token to create or update workflow
`.github/workflows/test.yml` without `workflow` scope (enablePullRequestAutoMerge)
Solution
- Create a new Personal Access Token (classic) with repo and workflow scopes
- Add it as a repository secret (e.g., AUTO_MERGE_TOKEN)
- Update the auto-merge step in .github/workflows/test.yml to use this token instead of GITHUB_TOKEN
Security consideration
Be aware that using a PAT gives more permissions than the default token. Consider if manual merging of workflow-modifying PRs is acceptable instead.
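
An added illustration of the updated auto-merge step, not taken from this repository's workflow: the workflow name, job name, step name and merge method are assumptions, and only AUTO_MERGE_TOKEN and GITHUB_TOKEN come from the issue text. The job keeps the PAT confined to Dependabot-authored PRs and leaves the default token read-only.

```yaml
# Hypothetical fragment for .github/workflows/test.yml (added example).
name: test
on: pull_request

jobs:
  auto-merge:                      # assumed job name
    runs-on: ubuntu-latest
    # Run only for PRs authored by Dependabot, so the PAT is never
    # exposed to a job started by any other PR author.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    permissions:
      contents: read               # default GITHUB_TOKEN stays read-only here
    steps:
      - name: Enable auto-merge    # assumed step name
        # Auto-merge completes only once the branch's required checks pass.
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          # PAT (classic) with repo and workflow scopes, replacing GITHUB_TOKEN
          GH_TOKEN: ${{ secrets.AUTO_MERGE_TOKEN }}
```

Workflows triggered by Dependabot pull requests read secrets from the repository's Dependabot secrets rather than its Actions secrets, so AUTO_MERGE_TOKEN has to be defined there for this job to see it.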