So I got this response from GitHub in email (not here as well for some reason):
Previously, the personal access token (PAT) had delete:packages, repo, workflow, and write:packages scopes. It was recently updated to include an additional scope (admin:repo_hook). Visit https://github.com/settings/tokens for more information.
To see this and other security events for your account, visit https://github.com/settings/security-log
If you run into problems, please contact support by visiting https://github.com/contact
The GitHub Team
I tried adding the admin:repo_hook scope to my token by I still couldn’t delete a workflow run (403 error). I then (temporally) enabled all scopes for my token and am still seeing 403s, so this must not be a scope thing.
Just for fun, I also tried basic in addition to bearer token authentication but that didn’t work either. Note that GET is still working on the exact same endpoint and since this is a private repo, I’d assume that I must be submitting the token correctly.
I took a look at my security log (really cool, I didn’t know about this) but it looks like it takes some time (10 hours?) for new entries to post. I’ll have to check back later to see anything interesting comes up.