The workflow at .github/workflows/cut-release-branch.yml uses the default GitHub token provided to the GitHub workflow. GitHub disallows using this token to modify workflow files themselves (which prevents some privilege escalation attacks). This basically means that if there is a change to any of the workflow files between the branch cut point and the tip of master when the workflow is invoked, the workflow will fail like so:
! [remote rejected] flutter-3.44-candidate.0 -> flutter-3.44-candidate.0 (refusing to allow a GitHub App to create or update workflow `.github/workflows/freeze.yml` without `workflows` permission)
A way to fix this would be to use the FLUTTERACTIONSBOT_CP_TOKEN secret instead of the default workflow GitHub token, but I'd have to verify that this token actually has branch creation permissions.
The workflow at
.github/workflows/cut-release-branch.ymluses the default GitHub token provided to the GitHub workflow. GitHub disallows using this token to modify workflow files themselves (which prevents some privilege escalation attacks). This basically means that if there is a change to any of the workflow files between the branch cut point and the tip of master when the workflow is invoked, the workflow will fail like so:A way to fix this would be to use the
FLUTTERACTIONSBOT_CP_TOKENsecret instead of the default workflow GitHub token, but I'd have to verify that this token actually has branch creation permissions.