We’re running into the exact same problem as well, so +1 for a first-class resolution to this (either having a permission that allows an app to merge to protected branches or having a way to have repo owners specify that an app can merge to its protected branches).
For others who have already encountered this – any feedback/experience with workarounds? My current plan is to require users/orgs to register separate tokens with the app that can perform the push operations, since this seems to be the most straightforward approach (although still a pain because we’ll need a manual process to register and store these tokens). Some kind of OAuth flow seems like it might be more user-friendly, but I haven’t been able to come up with a workflow that makes sense.
If anyone here has come up with a workaround for this that they found to be effective, any input would be appreciated!