This repo gets sync'd with our other orgs (e.g. trail-of-forks) via sync.yml. This works just fine, if the sync step (i.e. git merge) doesn't include a workflow change. When it does include a workflow change the sync (and all future syncs) fail, since the default GITHUB_TOKEN doesn't have the workflow permission.

This results in the following obtuse error:

To https://github.com/crytic/.github
 ! [remote rejected] main -> main (refusing to allow a GitHub App to create or update workflow `.github/workflows/lint.yml` without `workflows` permission)
error: failed to push some refs to 'https://github.com/crytic/.github'
Error: Process completed with exit code 1.

To get around this, we either need a long-lived PAT (not ideal, since it'd essentially be a "god-mode" PAT for all of our orgs) or to make syncing more intelligent (e.g. have each repo be a stand-alone rather than a fork, and have each update only its non-workflow files on a schedule). The latter probably makes more sense.