internal: warn against hand-editing generated tend workflows during regen

[prql-bot]

Problem

On 2026-06-24, main went red on lint-megalinter/actionlint, blocking check-ok-to-merge for every open PR, because tend-review.yaml ended up with a duplicate with: key:

.github/workflows/tend-review.yaml:56:11: key "allow-unsafe-pr-checkout" is duplicated in "with" section. previously defined at line:47,col:11.

This was self-inflicted by two bot PRs that both added the same allow-unsafe-pr-checkout: true line and merged independently:

• #6033 — the nightly 0.1.6 → 0.1.7 workflow regen, titled chore: update tend workflows (0.1.6 → 0.1.7). Opened 07:57, merged 04:53 next day. The regen carries the canonical allow-unsafe-pr-checkout line as part of the generated form.
• #6038 — a manual stopgap edit adding the same line so fork-PR reviews would work immediately. Opened 19:15 (while chore: update tend workflows (0.1.6 → 0.1.7) #6033 was already open), merged 20:22.

#6038 merged first, then #6033 merged on top, leaving the key declared twice. A ci-fix run then had to open #6039 to remove the redundant block.

Root cause (from the session log of run 28123112371)

Before opening #6038, the bot did run a dedup search — but keyed only on the title:

gh pr list --state all --author "$BOT" --json number,title,state,headRefName \
  --jq '.[] | select(.title | test("checkout|fork|tend-review|allow-unsafe"; "i")) | ...'

The open regen PR #6033 makes the identical change but its generic title (chore: update tend workflows) matches none of those keywords, so the search returned nothing and the bot opened a colliding manual edit. A file-based dedup would have caught it — #6033 touches .github/workflows/tend-review.yaml directly (verified: gh pr view 6033 --json files).

Fix

Adds one bullet to the running-tend skill's CI structure section (which already documents the regen flow): before hand-editing a generated tend-*.yaml file, diff it against the open chore: update tend workflows regen PR (comparing by file path, not title) or route the change through .config/tend.yaml so the regen carries it.

Gate assessment

• Evidence level: Critical — merged broken config to main, blocking check-ok-to-merge for all PRs until the ci-fix landed. Acts on 1 occurrence.
• Structural vs. stochastic: Structural — the regen PR will always carry a generic title that symptom-keyword dedup misses, so any future manual stopgap on a generated file the regen also touches collides the same way if both land.
• Change type: Targeted addition (one bullet under an existing heading).
• Passes both gates: yes.

---

Automated finding from tend-review-runs run 28158204198.