Actions: error when setting automerge on a PR without contents write permission

[MattFisher]

Describe the bug

When using an action to enable auto-merge, you get a cryptic error message if you're missing the contents: write permission.

gh version 1.13.1 (2021-07-20)

Steps to reproduce the behavior

Attempting to enable auto-merging as described in the dependabot docs, we implemented an action by copying that example:

name: Dependabot auto-merge
on: pull_request_target

permissions:
  pull-requests: write
  contents: write  # <==== missed this permission

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.1.0
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        if: ${{contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

When this action ran, it gave the following output:

gh pr merge --auto --merge "$PR_URL"
json: cannot unmarshal number into Go struct field GraphQLError.Errors.Path of type string

Expected vs actual behavior

Eventually I worked out it was because the action wasn't given the content: write permission (though I couldn't find any documentation indicating what permissions were needed for which commands).
A more helpful error message would have made this much easier.

The closest I could find to this problem by googling was #3346, which identified a bug "Our GraphQL error-handling mechanism doesn't handle the case when the path property of an error is an array that contains a mix of strings and numbers."

[MattFisher]

Wow that was fast!
Thanks @mislav!