fix(ci): trigger required checks on automated PRs #1173

Closed
jdalton wants to merge 2 commits into main from fix/ci-trigger-on-automated-prs

@jdalton jdalton commented Apr 7, 2026

Summary

  • Pushes made with GITHUB_TOKEN don't trigger other GitHub Actions workflows. This causes required CI and enterprise audit checks to get stuck at "Waiting for workflow to run" on automated PRs created by the weekly update workflow.
  • Adds a close/reopen step after PR creation in weekly-update.yml to generate a pull_request.reopened event, which triggers the required workflows.

Test plan

  • Run the weekly-update workflow via workflow_dispatch and verify CI checks are triggered on the resulting PR
  • Confirm the PR is reopened (not left closed) after the close/reopen cycle

Note

Medium Risk
Medium risk because it changes GitHub Actions behavior for automated PRs and temporarily closes/reopens them, which could affect notifications, branch protections, or downstream automation.

Overview
Ensures automated PRs created by weekly-update.yml reliably trigger required CI and enterprise audit workflows.

After creating the dependency-update PR, the workflow now looks up the PR by head branch and performs a close/reopen cycle to emit a pull_request.reopened event (working around the fact that pushes made with GITHUB_TOKEN don’t start other workflows).

Reviewed by Cursor Bugbot for commit 147375f.

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Close/reopen with GITHUB_TOKEN won't trigger workflows
    • Replaced the close/reopen approach with gh workflow run ci.yml --ref which uses the workflow_dispatch event that is explicitly exempted from the GITHUB_TOKEN limitation, and added the required actions: write permission.
Preview (c6edf405b5)
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
--- a/.github/workflows/weekly-update.yml
+++ b/.github/workflows/weekly-update.yml
@@ -59,6 +59,7 @@
     if: needs.check-updates.outputs.has-updates == 'true' && inputs.dry-run != true
     runs-on: ubuntu-latest
     permissions:
+      actions: write
       contents: write
       pull-requests: write
     steps:
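Review bot: `actions: write` is granted on the job's `permissions:` block, so it applies to every step in this job and not only to the new dispatch step; the same token already holds `contents: write` and `pull-requests: write`. Consider moving the dispatch into a small follow-up job that `needs:` this one and declares only `actions: write`, and add a comment on the permission line saying it exists for `gh workflow run`.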
@@ -293,6 +294,17 @@
             --head "$BRANCH_NAME" \
             --base main
 
+      # Events triggered by GITHUB_TOKEN don't create new workflow runs,
+      # with the exception of workflow_dispatch and repository_dispatch.
+      # Use workflow_dispatch to trigger CI on the newly pushed branch.
+      - name: Trigger CI checks
+        if: steps.final.outputs.success == 'true' && steps.validate.outputs.valid == 'true' && steps.changes.outputs.has-changes == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+          BRANCH_NAME: ${{ steps.branch.outputs.branch }}
+        run: |
+          gh workflow run ci.yml --ref "$BRANCH_NAME"
+
       - name: Add job summary
         if: steps.final.outputs.success == 'true' && steps.validate.outputs.valid == 'true' && steps.changes.outputs.has-changes == 'true'
         env:
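Review bot: the `gh workflow run ci.yml --ref "$BRANCH_NAME"` line dispatches only ci.yml, while the PR summary says both the required CI and the enterprise audit checks get stuck, so the audit check is not covered by this step. The diff also leaves ci.yml untouched, so confirm it declares `on: workflow_dispatch`; if it does not, this step fails after the PR has already been created. Suggest dispatching each required workflow here and stating in the step comment which workflows are expected to accept the dispatch.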

- name: Trigger CI checks
if: steps.final.outputs.success == 'true' && steps.validate.outputs.valid == 'true' && steps.changes.outputs.has-changes == 'true'
env:
GH_TOKEN: ${{ github.token }}
Close/reopen with GITHUB_TOKEN won't trigger workflows

High Severity

The "Trigger CI checks" step uses GH_TOKEN: ${{ github.token }} (the GITHUB_TOKEN) to close and reopen the PR. However, GitHub's documentation states that events triggered by the GITHUB_TOKEN — including pull_request.reopened — will not create new workflow runs. This is the exact same limitation the comment on line 296 describes for pushes. The close/reopen cycle will succeed but the resulting event will be silently ignored, so the required CI checks will still never be triggered. A PAT or GitHub App installation token is needed instead.

The close/reopen approach used GITHUB_TOKEN which cannot trigger
workflow runs (GitHub limitation applies to all events except
workflow_dispatch and repository_dispatch). Replace with
gh workflow run ci.yml which uses the exempted workflow_dispatch
event. Add actions:write permission required for workflow_dispatch.
@jdalton jdalton closed this Apr 7, 2026
@jdalton jdalton deleted the fix/ci-trigger-on-automated-prs branch April 7, 2026 19:11
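
The review comment above names a GitHub App installation token as the alternative to `GITHUB_TOKEN`. The step fragment below sketches that approach as an added example; it is not code from this PR or repository. The variable and secret names are hypothetical, and `steps.branch` refers to the branch step already used in the diff.

```yaml
# Added example: open the automated PR with a GitHub App installation token
# so the pull_request event is attributed to the App, not to GITHUB_TOKEN,
# and workflows triggered by pull_request start normally.
# Assumptions (not from the PR): an App installed on this repository with
# pull request write access, its ID in vars.UPDATE_BOT_APP_ID and its
# private key in secrets.UPDATE_BOT_PRIVATE_KEY.
    permissions:
      contents: write          # GITHUB_TOKEN only pushes the update branch
    steps:
      # ... existing steps that commit the update and push the branch ...

      - name: Mint a short-lived App installation token
        id: app-token
        # Pin to a full commit SHA in real use; the tag is shown for readability.
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.UPDATE_BOT_APP_ID }}               # hypothetical name
          private-key: ${{ secrets.UPDATE_BOT_PRIVATE_KEY }}  # hypothetical name

      - name: Create PR as the App
        env:
          # Only this step sees the App token; every other step keeps the
          # narrower GITHUB_TOKEN.
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          BRANCH_NAME: ${{ steps.branch.outputs.branch }}
        run: |
          gh pr create \
            --head "$BRANCH_NAME" \
            --base main \
            --fill
```

With this layout the job no longer needs `pull-requests: write` or `actions: write` on `GITHUB_TOKEN`, because PR creation is done with the App token instead.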