ci: require release-triggering token for windows auto-merge

.github/workflows/chack-agent-pr-triage.yml

@@ -88,10 +88,15 @@ jobs:
       - name: Merge trusted bot PR
         if: ${{ steps.bot_pr.outputs.should_merge == 'true' }}
         env:
-          GH_TOKEN: ${{ secrets.CHACK_AGENT_FIXER_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.CHACK_AGENT_FIXER_TOKEN }}
           PR_NUMBER: ${{ steps.bot_pr.outputs.pr_number }}
           COMMIT_TITLE: ${{ steps.bot_pr.outputs.title }}
         run: |
+          if [ -z "$GH_TOKEN" ]; then
+            echo "CHACK_AGENT_FIXER_TOKEN is required to merge this PR because github.token merges do not trigger the release workflow."
+            exit 1
+          fi
+
           for attempt in {1..6}; do
             if gh api \
               -X PUT \

.github/workflows/update_windows_version_definitions.yml

@@ -39,7 +39,7 @@ jobs:
       - name: Create validated update pull request
         env:
           GH_TOKEN: ${{ github.token }}
-          MERGE_TOKEN: ${{ secrets.CHACK_AGENT_FIXER_TOKEN || github.token }}
+          MERGE_TOKEN: ${{ secrets.CHACK_AGENT_FIXER_TOKEN }}
         run: |
           title="chore(winpeas): update windows version vulnerability definitions"
           branch="bot/update-windows-version-definitions"
@@ -75,6 +75,11 @@ jobs:
             exit 1
           fi
 
+          if [ -z "$MERGE_TOKEN" ]; then
+            echo "CHACK_AGENT_FIXER_TOKEN is required to merge this PR because github.token merges do not trigger the release workflow."
+            exit 1
+          fi
+
           gh workflow run PR-tests.yml --ref "$branch"
 
           if GH_TOKEN="$MERGE_TOKEN" gh pr merge "$pr_number" --squash --auto --subject "$title"; then