In one of the repos I'm involved with, we currently have a PR open to update the peter-evans/create-pull-request action runner from version v7.0.9 to v7.0.11.

We use the action runner in two workflows:

• Update website workflow
• Update a file from an external source
  This second workflow is set up as a re-usable workflow with a workflow_call trigger and is called by two workflows:
  • https://github.com/WordPress/Requests/blob/develop/.github/workflows/update-cacert.yml (PRs, pushes)
  • https://github.com/WordPress/Requests/blob/develop/.github/workflows/update-cacert-cron.yml (cron job)

The above setup with the reusable workflow is deliberate to prevent builds for new PRs not running if GH would disable the cron job workflow after two months of no activity in a repo.

The first workflow appears to be fine with the update and has successfully opened PR WordPress/Requests#1010.

The second workflow, however, is failing with the following error:

Pushing pull request branch to 'origin/feature/auto-update-cacert-1009'
  /usr/bin/git stash push --include-untracked
  No local changes to save
  /usr/bin/git checkout --progress feature/auto-update-cacert-1009 --
  Previous HEAD position was 91d58d6 Merge fb17069d77a320b627c9e0aa344e0d4800a8c152 into 95d03196b5edb5047bcae35c62ea6e3d6ae148f5
  Switched to branch 'feature/auto-update-cacert-1009'
  Creating tree objects for local commit b94b93bd1e40c5e404e7e198a17c51e023a70b5b
  /usr/bin/git show b94b93bd1e40c5e404e7e198a17c51e023a70b5b:certificates/cacert.pem
  /usr/bin/git show b94b93bd1e40c5e404e7e198a17c51e023a70b5b:certificates/cacert.pem.sha256
  Error: Error creating blob for file 'certificates/cacert.pem.sha256': Resource not accessible by integration - https://docs.github.com/rest/git/blobs#create-a-blob
  Error: Resource not accessible by integration - https://docs.github.com/rest/git/blobs#create-a-blob

Workflow transscript: https://github.com/WordPress/Requests/actions/runs/20032217262

Previous run of the same workflow using peter-evans/create-pull-request v7.0.9, which succeeds: https://github.com/WordPress/Requests/actions/runs/20032173457

If I look at the changelog for the 7.0.10 and 7.0.11 releases, I do not see anything which gives me a clue as to why the build is suddenly failing.

• The workflows are not run via a self-hosted runner.
• The PR is not coming from a fork, but directly from the "base" repo.
• Previous Dependabot PRs updating the action runner did not cause the builds to fail (which could indicate Dependabot missing access to a secret, but that doesn't appear to be the problem).

Any insights appreciated. Also: I'm happy to test things in the repo if it helps to debug this.