Fix monthly-reports workflow to trigger checks on bot PRs #592

@castrojo

Problem

The monthly-reports workflow creates PRs using secrets.GITHUB_TOKEN, and events caused by that token do not trigger other GitHub Actions workflows on those PRs (a GitHub safeguard against recursive workflow triggers).

Symptoms:

Root Cause

From .github/workflows/monthly-reports.yml:

env:
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

When using GITHUB_TOKEN, GitHub prevents workflow triggers on PRs created by the action to avoid infinite loops.

Solution Options

Option A: Use Personal Access Token (PAT) - Recommended

  1. Create a fine-grained PAT with permissions:
    • contents: read/write
    • pull-requests: read/write
    • workflows: write (to trigger other workflows)
  2. Add as repository secret: MONTHLY_REPORTS_PAT
  3. Update workflow:
    env:
      GH_TOKEN: ${{ secrets.MONTHLY_REPORTS_PAT }}

Pros:

  • Simple configuration
  • Works immediately
  • Full control over token scope

Cons:

  • Tied to a user account
  • Requires token rotation
  • User shows as PR author

Option B: Use GitHub App Token

  1. Create a GitHub App with required permissions
  2. Install app on repository
  3. Use actions/create-github-app-token action
  4. Use app token for PR creation

Pros:

  • Not tied to user account
  • Better audit trail
  • More secure long-term

Cons:

  • More complex setup
  • Requires app management

Option C: Keep current approach, document manual approval

Document that bot PRs require:

  1. Close and reopen to trigger checks
  2. Manual approval before merge queue

Pros:

  • No changes needed
  • Works with existing setup

Cons:

  • Manual intervention every month
  • Defeats purpose of automation

Recommendation

Use Option A (PAT) for now:

  • Quick to implement
  • Solves immediate problem
  • Can migrate to GitHub App later if needed

Implementation Steps

  1. Generate fine-grained PAT with expiration (90 days)
  2. Add as repository secret
  3. Update workflow to use PAT
  4. Test by manually triggering workflow
  5. Verify checks start automatically
  6. Document token rotation process
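As an added example (not this repository's workflow file), the shape of the fixed workflow: the "before" line that uses GITHUB_TOKEN is kept as a comment next to the replacement, the GitHub App token path (Option B) is shown in full, and the PAT path (Option A) is a one-line swap. The cron schedule, secret names, script path and base branch are assumptions.

```yaml
name: monthly-reports
on:
  schedule:
    - cron: "0 6 1 * *"   # assumed trigger; the real schedule lives in the repo's workflow
  workflow_dispatch:

# Keep the default GITHUB_TOKEN read-only; the writes below use a separate token.
permissions:
  contents: read

jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      # Option B: mint a short-lived installation token from a GitHub App.
      # The app needs contents: write and pull-requests: write on this repo.
      # Secret names are assumptions for this example.
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.MONTHLY_REPORTS_APP_ID }}
          private-key: ${{ secrets.MONTHLY_REPORTS_APP_PRIVATE_KEY }}

      # Check out with the app token so the push below is authenticated as the app
      # rather than with the default GITHUB_TOKEN that checkout would otherwise persist.
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      - name: Generate report
        run: ./scripts/generate-monthly-report.sh   # placeholder for the real generator

      - name: Open PR
        env:
          # Before: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}  (resulting PR never triggers checks)
          # Option A instead: GH_TOKEN: ${{ secrets.MONTHLY_REPORTS_PAT }}
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          set -euo pipefail
          branch="monthly-report-$(date +%Y-%m)"
          git config user.name "monthly-reports[bot]"
          git config user.email "monthly-reports[bot]@users.noreply.github.com"
          git checkout -b "$branch"
          git add reports/
          git commit -m "chore: monthly report $(date +%Y-%m)"
          git push --set-upstream origin "$branch"
          gh pr create --fill --base main
```

With either token, step 5 of the implementation plan is the check that matters: the pull_request workflows must start on the new PR without a close-and-reopen.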

Related

References
