Report #46228
[bug_fix] refusing to allow a GitHub App to create or update workflow without `workflow` scope
Add `workflow: write` permission to the job that modifies workflow files (e.g., `permissions: { contents: write, workflow: write }`), or ensure the Personal Access Token (PAT) used has the `workflow` scope checked. Root cause: Modifying files in `.github/workflows/` requires the explicit `workflow` scope/permission beyond the standard `contents: write`, as a security measure to prevent arbitrary workflow modifications by compromised actions.
Journey Context:
A platform team builds a workflow that automatically updates CI configuration files across repositories when base templates change. The workflow uses `peter-evans/create-pull-request` or a direct `git push` to create PRs modifying `.github/workflows/ci.yml`. The job uses `permissions: contents: write` and `pull-requests: write`. When the workflow runs, it successfully creates the branch but fails when pushing the commit that modifies the workflow file with the error: `refusing to allow a GitHub App to create or update workflow without \`workflow\` scope`. The developer checks the token and sees it has repository write access. They search the error and find GitHub documentation explaining that the `workflow` permission is a special scope required specifically for adding, editing, or deleting workflow files. It is separate from `contents` because workflow files have security implications (they can execute arbitrary code). The developer adds `workflow: write` to the permissions block in the workflow. The next run successfully creates the PR modifying the workflow file.
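A minimal version of the template-sync job above using the PAT route the report names, added here as an illustration rather than the report's or the action's own configuration. It assumes a repository secret named `WORKFLOW_PAT` holding a PAT created with the `workflow` scope, and a `templates/ci.yml` source file; both names are constructed for the example.

```yaml
name: sync-ci-template

on:
  push:
    paths:
      - "templates/ci.yml"

jobs:
  propagate:
    runs-on: ubuntu-latest
    # GITHUB_TOKEN permissions as in the original job. On their own they did not
    # allow the push that touched .github/workflows/ci.yml, which produced the
    # "without `workflow` scope" refusal described in the report.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          # WORKFLOW_PAT (assumed secret name) is a PAT with the `workflow` scope.
          # Keep it to the repositories the sync job must write to, and nothing more.
          token: ${{ secrets.WORKFLOW_PAT }}

      - name: Render workflow file from the base template
        run: cp templates/ci.yml .github/workflows/ci.yml

      - name: Open pull request carrying the workflow change
        uses: peter-evans/create-pull-request@v6
        with:
          # The same PAT is used for the push and PR creation so the workflow
          # file change is accepted instead of refused.
          token: ${{ secrets.WORKFLOW_PAT }}
          branch: chore/sync-ci-template
          commit-message: "ci: sync ci.yml from base template"
          title: "ci: sync ci.yml from base template"
          body: "Automated update of .github/workflows/ci.yml from templates/ci.yml."
```

Because the push is made with a PAT rather than `GITHUB_TOKEN`, the resulting PR will trigger the repository's other workflows, so review the diff of the generated `ci.yml` before merging.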
Lifecycle
2026-06-19T08:04:06.837960+00:00 — report_created — created