chore: auto-merge develop → main

Triggered by: 561c6e9 ci: fix auto-merge — clear checkout extraheader so WORKFLOW_PAT actually reaches git push

.github/workflows/ci.yml

@@ -102,7 +102,9 @@ jobs:
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
+          # Always use the built-in GITHUB_TOKEN for checkout (read-only fetch).
+          # WORKFLOW_PAT is only needed for the push step below.
+          token: ${{ github.token }}
 
       - name: Configure git bot identity
         run: |
@@ -111,6 +113,15 @@ jobs:
 
       - name: Merge develop → main
         run: |
+          # ── ROOT CAUSE FIX ──────────────────────────────────────────────────
+          # actions/checkout writes an http.extraheader (AUTHORIZATION: basic …)
+          # that silently overrides any credentials embedded in git remote URLs.
+          # We must clear it BEFORE setting the remote URL with WORKFLOW_PAT,
+          # otherwise GITHUB_TOKEN is always used for the push and workflow-file
+          # changes are rejected.
+          # ────────────────────────────────────────────────────────────────────
+          git config --local --unset-all http."https://github.com/".extraheader 2>/dev/null || true
+
           LAST=$(git log --oneline -1 origin/develop)
           git checkout main
           git pull --ff-only origin main
@@ -118,6 +129,26 @@ jobs:
             -m "chore: auto-merge develop → main
 
           Triggered by: $LAST"
+
+          # ── PUSH STRATEGY ───────────────────────────────────────────────────
+          # Priority 1: WORKFLOW_PAT (classic PAT, repo+workflow scopes)
+          #   → can push workflow file changes; set as a repo secret.
+          # Priority 2: GITHUB_TOKEN fallback
+          #   → cannot push workflow files; strip them from the merge commit.
+          # ────────────────────────────────────────────────────────────────────
+          PUSH_TOKEN="${{ secrets.WORKFLOW_PAT }}"
+          if [ -z "$PUSH_TOKEN" ]; then
+            WF=$(git diff --name-only origin/main -- .github/workflows/ 2>/dev/null || echo "")
+            if [ -n "$WF" ]; then
+              echo "::warning::WORKFLOW_PAT not set — stripping workflow changes from merge commit:"
+              echo "$WF"
+              git checkout origin/main -- .github/workflows/
+              git diff --cached --quiet || git commit --amend --no-edit
+            fi
+            PUSH_TOKEN="${{ github.token }}"
+          fi
+
+          git remote set-url origin "https://x-access-token:${PUSH_TOKEN}@github.com/${{ github.repository }}.git"
           git push origin main
 
   # ── Auto-create GitHub Release on main ───────────────────────────────────