I am attempting to update the contents of .github folder using a call to API, using GitHub App’s token:

• https://docs.github.com/en/rest/reference/repos#create-or-update-file-contents – API endpoint,
• Endpoints available for GitHub Apps - GitHub Docs – the API endpoint in question is among those supported to be called using GitHub App.

A GitHub App in question is installed to the repo, and has the following permissions:

• Read access to metadata
• Read and write access to actions, code, and secrets

Updating files in the repo work fine. However, an attempt to edit the contents under .github folder fails with a 403 error.

I am failing to locate a relevant note in the endpoint and / or GitHub App documentation regarding .github being treated differently.

Should this behaviour be considered a bug, or is this simply something that’s undocumented?