I have an organization repo with master as a protected branch.
When I hit /merge REST API with Action’s default GITHUB_TOKEN, the API returns “You’re not authorized to push to this branch. Visit https://help.github.com/articles/about-protected-branches/ for more”, but the PR does get merged (verified by checking the PR’s page).
The PR is raised from release branch to master.
master’s branch protection settings:
merge commit created by Action: