dependabot / fetch-metadata

Extract information about the dependencies being updated by a Dependabot-generated PR.

Auto-merge will not trigger other workflows

lucacome opened this issue

I'm using this action to auto-merge https://github.com/dependabot/fetch-metadata#enabling-auto-merge and it's working fine except that the other workflows that are normally triggered on merge to main are not triggered.

I'm pretty sure it's because secrets.GITHUB_TOKEN is used https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token but then I guess I don't understand this use case if I need to use a PAT to have the "normal" behavior.

Am I getting this wrong?

This is the expected behavior when using the GITHUB_TOKEN. You can use a PAT or a GitHub App if you want the merge to still trigger workflows. I'm doing it with a GitHub App now since I don't want to use a PAT, especially for workflows in orgs. Here's an example workflow and instructions.

Thanks for the example @xt0rted. Yeah I figured that would be the case. I was mainly just wondering why the examples here use GITHUB_TOKEN and if there's a way to have dependabot merge the PR and trigger other workflows without using another bot/account.

This is definitely confusing, since we'd expect dependency updates that get approved and merged to automatically go through CD-deploy.

When is the right time to use the PAT? Is it on the review-approve API call, or on the "enable auto-merge" API call?

When is the right time to use the PAT?

The workflow provided token can be used anywhere except for an action that would trigger another workflow. So in this instance you'd want to use a PAT or GitHub App Token to enable the auto-merge, but everywhere else you can use GITHUB_TOKEN.

Based on #162 there doesn't seem to be a good alternative to using a PAT at this time...