From 3b82217fe21f02ce20114e1502474430d8b9e0b3 Mon Sep 17 00:00:00 2001
From: Matteo <keysersoft@gmail.com>
Date: Sat, 13 Jun 2026 16:26:50 +0200
Subject: [PATCH] =?UTF-8?q?fix(ci):=20unblock=20Dependabot=20auto-merge=20?=
 =?UTF-8?q?=E2=80=94=20drop=20the=20forbidden=20approval=20step?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The triage job failed on every Dependabot PR at 'gh pr review --approve'
with 'GitHub Actions is not permitted to approve pull requests', and
because Actions bash steps run with -e, the following 'gh pr merge --auto'
never executed — so nothing was ever auto-merged.

main requires 0 approving reviews, so the approval was pointless anyway.
Remove it and keep 'gh pr merge --auto --squash'; auto-merge now fires
once the required Backend/Frontend checks pass.
---
 .github/workflows/dependabot-auto-merge.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index dcdcde07..e73bf09c 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -65,13 +65,20 @@ jobs:
           echo "auto=$AUTO" >> "$GITHUB_OUTPUT"
           echo "reason=$REASON" >> "$GITHUB_OUTPUT"
 
-      - name: Approve and enable auto-merge
+      - name: Enable auto-merge
         if: steps.decide.outputs.auto == 'true'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_URL: ${{ github.event.pull_request.html_url }}
         run: |
-          gh pr review --approve "$PR_URL" --body "Auto-approved: ${{ steps.decide.outputs.reason }}"
+          # No review step: `main` requires 0 approving reviews, so approval is
+          # unnecessary — and GitHub forbids GITHUB_TOKEN-backed Actions from
+          # approving PRs ("GitHub Actions is not permitted to approve pull
+          # requests"), which previously failed this step under `set -e` and
+          # stopped the merge command from ever running.
+          # `gh pr merge --auto` enables auto-merge; GitHub completes it once
+          # the required Backend/Frontend checks pass and the branch is
+          # up to date (Dependabot keeps its PRs rebased).
           gh pr merge --auto --squash "$PR_URL"
 
       - name: Label as needs-review