fix(ci): use admin bot for approval and force-merge in finalize_rollout (#75937)

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Author: aaronsteers

.github/workflows/finalize_rollout.yml

@@ -218,10 +218,33 @@ jobs:
           GH_TOKEN: ${{ steps.get-app-token.outputs.token }}
         run: gh pr ready "${{ steps.create-pr.outputs.pull-request-number }}"
 
+      # Use a different bot identity (admin) to approve and merge,
+      # because the bot that created the PR cannot approve its own PRs
+      # and needs admin privileges to bypass branch protection.
+      - name: Authenticate as GitHub App (Admin)
+        if: steps.create-pr.outputs.pull-request-number
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        id: get-admin-token
+        with:
+          owner: "airbytehq"
+          repositories: "airbyte"
+          app-id: ${{ secrets.OCTAVIA_BOT_ADMIN_APP_ID }}
+          private-key: ${{ secrets.OCTAVIA_BOT_ADMIN_PRIVATE_KEY }}
+
+      - name: Approve cleanup PR
+        if: steps.create-pr.outputs.pull-request-number
+        env:
+          GH_TOKEN: ${{ steps.get-admin-token.outputs.token }}
+        run: >
+          gh pr review "${{ steps.create-pr.outputs.pull-request-number }}"
+          --repo "${{ github.repository }}"
+          --approve
+          --body "Auto-approved by finalize_rollout workflow."
+
       - name: Force-merge cleanup PR
         if: steps.create-pr.outputs.pull-request-number
         env:
-          GH_TOKEN: ${{ steps.get-app-token.outputs.token }}
+          GH_TOKEN: ${{ steps.get-admin-token.outputs.token }}
         run: |
           gh pr merge "${{ steps.create-pr.outputs.pull-request-number }}" \
             --repo "${{ github.repository }}" \