ci: Use workflow token to auto-approve

.github/workflows/devbox-update.yaml

@@ -10,6 +10,7 @@ on:
 
 permissions:
   contents: write
+  pull-requests: write
 
 jobs:
   devbox-update:
@@ -60,26 +61,34 @@ jobs:
 
           echo "message=${MESSAGE}" >>"${GITHUB_OUTPUT}"
 
-      - uses: actions/create-github-app-token@v1
+      - name: Get app token to create PR with
+        # if: steps.devbox-versions-changed.outputs.number_changed > 0
+        uses: actions/create-github-app-token@v1
         id: app-token
         with:
           app-id: ${{ secrets.GHA_PR_APP_ID }}
           private-key: ${{ secrets.GHA_PR_APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
 
-      - name: Create PR
+      - name: Create PR using app token
         # if: steps.devbox-versions-changed.outputs.number_changed > 0
+        id: create-pr
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           pr_url="$(gh pr create --base "${{ github.ref_name }}" --head "${DESTINATION_BRANCH}" \
             --title "${{ steps.commit-changes.outputs.message }}" \
             --body "This PR was automatically created by the scheduled devbox update workflow.")"
+          gh pr merge --auto --squash "${pr_url}"
+          echo "pr_url=${pr_url}" >>"${GITHUB_OUTPUT}"
 
-          gh pr merge --auto --squash "$pr_url"
-
+      - name: Approve PR using workflow token
+        # if: steps.devbox-versions-changed.outputs.number_changed > 0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
           if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ]; then
-            gh pr review --approve "$pr_url"
+            gh pr review --approve "${{ steps.create-pr.outputs.pr_url }}"
           else
             echo "PR already approved, skipping additional approvals to minimize emails/notification noise."
           fi