mmkal / runovate

An experimental GitHub Action to manage a renovate branch, for rolling up updates easily and safely

Breaks if Renovate updates a GitHub Action in `.github/workflows` #12

Open jamesbraza opened 4 hours ago

jamesbraza commented 4 hours ago

I got this running today 🥳, and was excited! However, I have since hit an issue:

  1. Renovate updated a GitHub Action version used (in .github/workflows)
    • For me, it updated pre-commit-ci/lite-action from v1.0.2 to v1.0.3
  2. Then all future runovate invocations hit the below error on this git push:

     ! [remote rejected] deps -> deps (refusing to allow a GitHub App to create or update workflow `.github/workflows/tests.yml` without `workflows` permission)

The appearance of this error seems to come down to https://github.com/orgs/community/discussions/35410#discussioncomment-9621527:

the error happens because the branch contains changes in .github/workflows compared to the default branch (e.g. main)

It seems GitHub restricts the default actions-provisioned ${{ github.token }} (default of actions/checkout) from creating or modifying workflow files for security reasons.

Note that I do give GitHub Actions this permission in Settings --> Actions --> General --> Workflow permissions:

[screenshot]

Also, adding the below to my deps.yml does not resolve this error:

permissions:
  actions: write # Allowing runovate to git push
  contents: write # Allowing github.rest.git.createRef

I am trying to avoid making a GitHub Personal Access Token just to keep runovate working after changes to .github/workflows.

jamesbraza commented 3 hours ago

Another way to work around this would be to:

  1. Make runovate an official GitHub App, which can be given workflow permissions
  2. Employ actions/create-github-app-token to make a token using the app's key

(from https://github.com/orgs/community/discussions/35410#discussioncomment-10701448)
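The second workaround in concrete form, as an added example that is neither part of this thread nor runovate's own workflow: a job that mints a short-lived installation token with actions/create-github-app-token and hands it to actions/checkout, so the later `git push` of the deps branch is authenticated as the App rather than with `github.token`. It assumes the App is installed on the repository with "Contents: write" and "Workflows: write" permissions, and that its ID and PEM key are stored under the hypothetical secret names RUNOVATE_APP_ID and RUNOVATE_APP_PRIVATE_KEY.

```yaml
# Added example, not the project's own deps.yml.
# The App token carries the "workflows" permission that github.token cannot,
# which is what the "refusing to allow a GitHub App to create or update
# workflow" rejection is checking for.
name: deps

on:
  workflow_dispatch:
  schedule:
    - cron: "0 6 * * 1"

# github.token is no longer used for the push, so grant it nothing extra.
permissions:
  contents: read

jobs:
  deps:
    runs-on: ubuntu-latest
    steps:
      - name: Mint short-lived GitHub App installation token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          # Hypothetical secret names; the App must have Contents + Workflows write.
          app-id: ${{ secrets.RUNOVATE_APP_ID }}
          private-key: ${{ secrets.RUNOVATE_APP_PRIVATE_KEY }}

      - uses: actions/checkout@v4
        with:
          # Persisted into .git/config, so every later git push uses the App token.
          token: ${{ steps.app-token.outputs.token }}
          fetch-depth: 0

      - name: Update the deps branch
        env:
          # Also exposes the token to API calls (e.g. git.createRef) made by later steps.
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          set -euo pipefail
          git config user.name "runovate[bot]"
          git config user.email "runovate[bot]@users.noreply.github.com"
          git checkout -B deps origin/main
          # Commits that touch .github/workflows (e.g. a bumped action version)
          # are produced here by the update tooling; the push below is then
          # accepted because the credential is the App token, not github.token.
          git push --force-with-lease origin deps
```

The token expires after about an hour and is scoped to the installation, so it does not widen access the way a long-lived Personal Access Token would.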