I’m using a Personal Access Token to work with a repo over HTTPS. The token has “repo” and “gist” OAuth scopes, and does not have the “workflow” scope, but I find that I am able to push commits that have new or modified GitHub Actions workflow files anyway. Isn’t this supposed to be disallowed?
I have a colleague who is getting the “refusing to allow an OAuth App to create or update workflow” error when he tries similar things from a similar setup. I’m not sure yet what the difference is in what we’re doing.