PR auto-merge requires "Include administrators" to wait for CI?

Hi all! I’m using this officially documented GitHub Actions workflow to auto-merge Dependabot PRs. It works, but if I want the auto-merge to wait until CI checks pass, I have to turn on the “Include administrators” branch protection setting, which I’d rather leave off. Specifically, I want to be able to push to main myself directly, without a PR, but I want PRs to block on CI passing before they can be merged.

Any ideas? Can I run the auto-merge with a token that doesn’t include the administrator permissions somehow? Or anything else? Thanks in advance!

(Lots of related background in "Dependabot auto merge not working · Issue #1973 · dependabot/dependabot-core · GitHub" btw, but no solution for this specific problem.)

I’ve left some suggestions here:

If you could confirm that one or the other works, I think we could probably file a bug (or two or three) against the documentation.