How to resolve "refusing to allow an OAuth App to create or update workflow" on git push

I've literally just come across this problem when trying to use IntelliJ to push to a branch that contains a GitHub Action workflow (YAML file in .github/workflows). I didn't find existing resources on the Internet very helpful, so I hope this will help you fix it too.

TL;DR: Generate a new Personal Access Token with the workflow scope enabled in GitHub and configure your application to use that.

Background: third-party tools with GitHub integrations, like IntelliJ, Visual Studio Code, GitHub Desktop, etc., use tokens to connect to your GitHub account so they can pull, push, and so on, on your behalf. In the case of IntelliJ, their instructions only say to include the repo, the gist, and the read:org scopes. But you need the workflow scope to modify GitHub Actions.

Here's how to fix it:

  1. In your GitHub account, go to Settings (in your avatar dropdown in the top right-hand corner)
  2. Go to Developer Settings > Personal Access Tokens
  3. If your application is listed, click on its name to edit the settings associated with its token. Make sure workflow is ticked.
  4. Click on Update Token to save the change.
  5. On the same page, click on Generate Token. Read the information carefully, then click OK to continue.
  6. Copy the new token that GitHub shows you.
  7. You will need to recreate your application's integration with GitHub using the new token for the change to take effect.

Note: you may be able to skip steps 5 onward if your application refreshes its permissions automatically, but that didn't seem to work for me with IntelliJ.

In IntelliJ, the last step was to go to Settings > Version Control > GitHub, then remove the existing integration and re-add it, pasting in the new token. You'll have to find out what needs to be done for the tool you're using to give it the new GitHub Personal Access Token.


For Windows 10: Go to Settings -> Credential Manager -> Windows Credentials -> Remove github.com credentials -> git pull/push your GitHub project from the git-bash console -> Reconnect the GitHub account in your IDE/source control. You don't need to create a Personal Access Token with "workflow", and you don't need to create a GITHUB_TOKEN secret (it is created automatically and can't be created manually).


Running macOS Big Sur. I am pushing my .yml workflow file from the Atom text editor and this worked for me.

  1. Go to the GitHub personal access tokens settings and generate a new token. Make sure you select both the repo and workflow access scopes.
  2. Go to the Keychain Access app on Mac, and search for github. I found an entry (shown below) named github.com, of Internet password kind, which was previously filled with a seemingly random token. Replace the password entry with the generated token (the one that begins with ghp_) from step 1.



This issue also happens simply because your current token is not allowed to work with workflows on GitHub. Do the following steps to fix it.

For people using Android Studio on MacOS:

  1. Delete your current token (Preferences -> Version Control -> GitHub). Remember to hit the "Ok" button.

  2. Try to push/pull again from Android Studio; a popup will now appear.

  3. Hit the Use Token... button; another popup will appear.

  4. Click on Generate; you will be sent to the GitHub website to generate a new token. Remember to select the workflow permission.

  5. Click the generate button to get a new token and paste it into Android Studio in step 3. It's all set now.


In my case, I had stale GitHub credentials in the macOS Keychain. I was modifying a workflows file and pushing the changes from the command line, hence I didn't think of checking the Keychain at all. The "Updating credentials from the macOS Keychain" page explained how to use git credential-osxkeychain to erase the Keychain:

$ git credential-osxkeychain erase
host=github.com
protocol=https
> [Press Return]

I then had to enter my username and password again. This time I generated a new personal access token and used that token for the password. Then I could finally push the workflows changes.
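
Added example (not part of any answer above): before regenerating anything, you can check whether the credential that command-line git uses for github.com actually lacks the workflow scope. GitHub's REST API reports a classic token's scopes in the X-OAuth-Scopes response header. The function names and sample headers here are constructed for illustration, and the live check assumes the credential sits in git's configured credential helper for HTTPS.

```shell
#!/bin/sh
# Added example: list the scopes a stored GitHub credential is missing.

# Constructed sample response headers (not captured from a real account);
# the scopes match the ones IntelliJ's instructions ask for.
sample_headers() {
  printf 'HTTP/2 200\r\ncontent-type: application/json\r\n'
  printf 'x-oauth-scopes: gist, read:org, repo\r\n\r\n'
}

# Print the scope list from raw HTTP headers on stdin.
# Returns 1 when the header is absent (scopes cannot be read this way).
token_scopes() {
  tr -d '\r' | awk -F': *' '
    tolower($1) == "x-oauth-scopes" { found = 1; sub(/^[^:]*: */, ""); print }
    END { exit !found }'
}

# Print each required scope (arguments) missing from the headers on stdin.
# Returns 0 if none are missing, 1 if some are, 2 if the header is absent.
missing_scopes() {
  _have=$(token_scopes) || return 2
  _have=",$(printf '%s' "$_have" | tr -d ' '),"
  _missing=0
  for _want in "$@"; do
    case "$_have" in
      *",$_want,"*) ;;
      *) printf '%s\n' "$_want"; _missing=1 ;;
    esac
  done
  return "$_missing"
}

# Live check: read the github.com credential from git's helper and query the
# API. The token is passed to curl on stdin so it never appears in argv or
# shell history, and it is never printed.
check_stored_token() {
  _token=$(printf 'protocol=https\nhost=github.com\n\n' |
    GIT_TERMINAL_PROMPT=0 git credential fill | sed -n 's/^password=//p')
  [ -n "$_token" ] || { echo "no stored credential for github.com" >&2; return 2; }
  printf 'header = "Authorization: token %s"\n' "$_token" |
    curl -sS -o /dev/null -D - -K - https://api.github.com/user |
    missing_scopes repo workflow
}

if [ "${1:-}" = "--live" ]; then check_stored_token; fi
```

Run it with `--live` to test the stored credential; an exit status of 1 with `workflow` printed means the token needs that scope added or replaced.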