Add workflow to auto-approve bot workflow runs

GitHub now requires maintainer approval for workflows triggered by
bot-authored events (github-actions[bot], dependabot[bot]). This
companion workflow listens for workflow_run requests in action_required
state and auto-approves them for trusted bot actors.

Ref: https://github.blog/changelog/2025-04-15-upcoming-breaking-changes-and-releases-for-github-actions/

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: philipbalinov

.github/workflows/auto-approve-bot-runs.yml

@@ -0,0 +1,24 @@
+name: Auto-approve bot workflow runs
+
+on:
+  # workflow_run runs in the context of the default branch,
+  # so it is not itself subject to the approval gate.
+  workflow_run:
+    types: [requested]
+
+permissions:
+  actions: write
+
+jobs:
+  approve:
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.workflow_run.conclusion == 'action_required' &&
+      contains(fromJSON('["github-actions[bot]","dependabot[bot]"]'), github.event.workflow_run.actor.login)
+    steps:
+      - name: Approve workflow run
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          echo "Approving run ${{ github.event.workflow_run.id }} triggered by ${{ github.event.workflow_run.actor.login }}"
+          gh run approve ${{ github.event.workflow_run.id }} --repo ${{ github.repository }}