fix(ci): replace classic PAT with 2-credential pattern in update-versions

[davidkonigsberg]

Summary

The update-versions.yml workflow fails at the "Create or update the pull request" step with Requires authentication. Same root cause as fern-api/fern#16433 — the org now blocks classic PATs, and the approval step used FERN_GITHUB_TOKEN.

Changes follow the 2-credential pattern from fern's update-seed.yml and fix-lint.yml:

• Added permissions block (contents: write, pull-requests: write) to scope GITHUB_TOKEN
• Explicit token: ${{ secrets.GITHUB_TOKEN }} on create-pull-request (PR author = github-actions[bot])
• FERN_SUPPORT_GH_ACTIONS_PAT for automerge + approve (different identity from PR author, avoids self-approval)
• Automerge and approve now fire on both created and updated PR operations
• PR number passed via env var instead of template expansion (injection fix)

Link to Devin session: https://app.devin.ai/sessions/93f91ff5c5b64a2c8168fc49f3f42ad2
Requested by: @davidkonigsberg

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment, CI, and merge conflict monitoring

[github-actions]

🌿 Preview your docs: https://fern-preview-devin-1781106287-fix-update-versions-tokens.docs.buildwithfern.com/learn