workflow: tolerate pr-creation policy block in master fixer

.github/workflows/ci-master-failure-chack-agent-pr.yml

@@ -126,37 +126,68 @@ jobs:
 
       - name: Commit and push fix branch if changed
         id: push_fix
+        env:
+          ORIGINAL_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
         run: |
-          if git diff --quiet; then
-            echo "No changes to commit."
+          rm -f chack_failure_summary.txt chack_prompt.txt chack_failed_steps_logs.txt
+
+          pushed=false
+
+          if ! git diff --quiet; then
+            git add -A
+            # Avoid workflow-file pushes with token scopes that cannot write workflows.
+            git reset -- .github/workflows || true
+            git checkout -- .github/workflows || true
+            git clean -fdx -- .github/workflows || true
+            git reset -- chack_failure_summary.txt chack_prompt.txt chack_failed_steps_logs.txt
+            if git diff --cached --name-only | grep -q '^.github/workflows/'; then
+              echo "Workflow-file changes are still staged; skipping push without workflows permission."
+              echo "pushed=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+            if ! git diff --cached --quiet; then
+              git commit -m "Fix CI-master failures for run #${{ github.event.workflow_run.id }}"
+            fi
+          fi
+
+          after_head="$(git rev-parse HEAD)"
+          if [ "$after_head" = "$ORIGINAL_HEAD_SHA" ]; then
+            echo "No commit produced by Chack Agent."
             echo "pushed=false" >> "$GITHUB_OUTPUT"
             exit 0
           fi
 
-          rm -f chack_failure_summary.txt chack_prompt.txt chack_failed_steps_logs.txt
-          git add -A
-          # Avoid workflow-file pushes with token scopes that cannot write workflows.
-          git reset -- .github/workflows || true
-          git checkout -- .github/workflows || true
-          git clean -fdx -- .github/workflows || true
-          git reset -- chack_failure_summary.txt chack_prompt.txt chack_failed_steps_logs.txt
-          if git diff --cached --name-only | grep -q '^.github/workflows/'; then
-            echo "Workflow-file changes are still staged; skipping push without workflows permission."
-            echo "pushed=false" >> "$GITHUB_OUTPUT"
-            exit 0
+          changed_in_range="$(git diff --name-only "$ORIGINAL_HEAD_SHA"..HEAD)"
+          if echo "$changed_in_range" | grep -q '^.github/workflows/'; then
+            echo "Detected workflow changes in Chack commit range; sanitizing commit before push."
+            git diff --binary "$ORIGINAL_HEAD_SHA"..HEAD -- . ':(exclude).github/workflows/**' > /tmp/chack_nonworkflow.patch
+            if [ ! -s /tmp/chack_nonworkflow.patch ]; then
+              echo "Only workflow-file changes were produced; skipping push."
+              echo "pushed=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+            git reset --hard "$ORIGINAL_HEAD_SHA"
+            git apply --index /tmp/chack_nonworkflow.patch
+            if git diff --cached --quiet; then
+              echo "No non-workflow changes left after sanitizing."
+              echo "pushed=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+            git commit -m "Fix CI-master failures for run #${{ github.event.workflow_run.id }}"
           fi
-          if git diff --cached --quiet; then
-            echo "No committable changes left after filtering."
-            echo "pushed=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          git commit -m "Fix CI-master failures for run #${{ github.event.workflow_run.id }}"
+
           if ! git push origin HEAD:"$FIX_BRANCH"; then
             echo "Push failed (likely token workflow permission limits); skipping PR creation."
             echo "pushed=false" >> "$GITHUB_OUTPUT"
             exit 0
           fi
-          echo "pushed=true" >> "$GITHUB_OUTPUT"
+          pushed=true
+
+          if [ "$pushed" = "true" ]; then
+            echo "pushed=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "pushed=false" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Create PR to master
         if: ${{ steps.push_fix.outputs.pushed == 'true' }}
@@ -165,15 +196,34 @@ jobs:
           GH_TOKEN: ${{ secrets.CHACK_AGENT_FIXER_TOKEN || github.token }}
           RUN_URL: ${{ github.event.workflow_run.html_url }}
         run: |
-          pr_url=$(gh pr create \
+          set +e
+          pr_output=$(gh pr create \
             --title "Fix CI-master_test failure (run #${{ github.event.workflow_run.id }})" \
             --body "Automated Chack Agent fix for failing CI-master_test run: ${RUN_URL}" \
             --base "$TARGET_BRANCH" \
-            --head "$FIX_BRANCH")
-          echo "url=$pr_url" >> "$GITHUB_OUTPUT"
+            --head "$FIX_BRANCH" 2>&1)
+          rc=$?
+          set -e
+
+          if [ $rc -eq 0 ]; then
+            echo "url=$pr_output" >> "$GITHUB_OUTPUT"
+            echo "created=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "$pr_output"
+          if echo "$pr_output" | grep -qi "not permitted to create or approve pull requests"; then
+            echo "PR creation blocked by repository Actions policy. Fix branch was pushed: $FIX_BRANCH"
+            echo "url=" >> "$GITHUB_OUTPUT"
+            echo "created=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "Unexpected PR creation error."
+          exit $rc
 
       - name: Comment on created PR with Chack Agent result
-        if: ${{ steps.push_fix.outputs.pushed == 'true' && steps.run_chack.outputs.final-message != '' }}
+        if: ${{ steps.push_fix.outputs.pushed == 'true' && steps.create_pr.outputs.created == 'true' && steps.run_chack.outputs.final-message != '' }}
         uses: actions/github-script@v7
         env:
           PR_URL: ${{ steps.create_pr.outputs.url }}