The NixOS infrastructure repo has a nightly workflow that resolves the upstream ghcr.io/actions/actions-runner:latest tag and, when its digest changes, opens a PR pinning the new digest.
It kept failing at the PR-creation step with: "GitHub Actions is not permitted to create or approve pull requests." Even though the workflow requested pull-requests: write, the repo or org setting "Allow GitHub Actions to create and approve pull requests" (Settings > Actions > General > Workflow permissions) can still block PR creation for the default GITHUB_TOKEN; declared job permissions never override it.
Fix: use a dedicated repo secret token for that step (a fine-grained PAT scoped to just this repo, with contents and pull-requests write), and fall back to github.token when the policy allows it. A side effect worth knowing: PRs opened with a PAT trigger the repo's other workflows, while PRs opened with GITHUB_TOKEN do not. Then trigger the workflow manually (workflow_dispatch) and watch it go green.
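The shape of the resulting workflow, as an added example and not the repo's actual file: the least-privilege permissions block, the digest check, and the PR step with the token fallback. The secret name RUNNER_BUMP_PAT, the pin file runner-image.pin, the base branch main, and the use of skopeo on the runner image are assumptions for illustration.

```yaml
name: Bump actions-runner digest

on:
  schedule:
    - cron: "17 3 * * *"
  workflow_dispatch:

# Least privilege for the default token. Note: pull-requests: write alone does
# not let GITHUB_TOKEN open a PR when the repo/org setting
# "Allow GitHub Actions to create and approve pull requests" is off.
permissions:
  contents: write
  pull-requests: write

jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Resolve current upstream digest
        id: upstream
        run: |
          # Assumption: skopeo is available on the runner (install it otherwise).
          digest=$(skopeo inspect --no-tags docker://ghcr.io/actions/actions-runner:latest | jq -r .Digest)
          echo "digest=$digest" >> "$GITHUB_OUTPUT"

      - name: Compare with pinned digest
        id: diff
        run: |
          # runner-image.pin is a hypothetical file holding the pinned sha256 digest.
          pinned=$(grep -oE 'sha256:[0-9a-f]{64}' runner-image.pin)
          if [ "$pinned" = "${{ steps.upstream.outputs.digest }}" ]; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Update pin and open PR
        if: steps.diff.outputs.changed == 'true'
        env:
          # Prefer the dedicated fine-grained PAT stored as a repo secret; fall
          # back to github.token, which only works if the policy above allows it.
          GH_TOKEN: ${{ secrets.RUNNER_BUMP_PAT || github.token }}
          NEW_DIGEST: ${{ steps.upstream.outputs.digest }}
        run: |
          set -euo pipefail
          short="${NEW_DIGEST#sha256:}"
          branch="bump/actions-runner-${short:0:12}"
          sed -i -E "s/sha256:[0-9a-f]{64}/${NEW_DIGEST}/" runner-image.pin
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git checkout -b "$branch"
          git commit -am "actions-runner: pin ${NEW_DIGEST}"
          git push -u origin "$branch"
          gh pr create \
            --title "actions-runner: pin sha256:${short:0:12}" \
            --body "Upstream ghcr.io/actions/actions-runner:latest now resolves to ${NEW_DIGEST}." \
            --base main --head "$branch"
```

The push still goes through the credentials actions/checkout persisted (the default token, covered by contents: write); only gh pr create uses GH_TOKEN, so the PAT is exposed to exactly one step. If the secret is unset, the expression evaluates to github.token and the step fails with the same "not permitted to create or approve pull requests" message whenever the org policy is off, which makes the failure mode easy to recognise in the logs.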
Lesson learned (again): declared permissions and real permissions are not the same thing. Trust the logs, then verify with a successful run.