Change protected-files policy to 'allowed' for labelops-pr-maintenance workflow

[Copilot]

The labelops-pr-maintenance workflow merges from main to resolve conflicts, which naturally includes upstream changes to protected files in the merge commit. The fallback-to-issue policy was treating these as agent-invented modifications and blocking the push.

• Changed protected-files: fallback-to-issue → protected-files: allowed in safe-outputs config
• Recompiled lock file

The prompt-level hard rule ("Never modify .github/**") remains the guardrail against the agent inventing changes to protected files. The safe-outputs enforcement is the wrong layer for this — merge commits from upstream are not agent decisions.

[T-Gro]

Review

The change itself is mechanically correct — allback-to-issue was indeed blocking merge commits that carry upstream .github/** changes, and �llowed unblocks that.

One issue: stale documentation in the same file.

Line 63 of labelops-pr-maintenance.md still says:

1. Never modify .github/**. Protected by fallback-to-issue.

This is now inaccurate since the enforcement layer was removed. It should be updated to reflect the current guardrail (prompt-level hard rule only), e.g.:

1. Never modify .github/**. (prompt-enforced; safe-outputs allows it for merge commits from upstream)

Otherwise the next person reading the workflow source will assume there's still a compile-time policy backing that rule.

Minor security note: moving from policy enforcement to prompt-only enforcement reduces defense-in-depth. If there's ever a protected-files: allow-from-merge option (or similar), that would be the ideal middle ground. For now, the tradeoff seems acceptable given the workflow's limited scope.

LGTM with the doc fix above.

[github-actions]

✅ No release notes required