
Release workflow dispatch requires PAT with workflows scope #88

@felickz

Problem

The self-release.yml workflow dispatch path (release-next job) fails when creating the release PR because patch-release-me modifies workflow files inside .github/workflows/ (configured in .release.yml locations).

```
! [remote rejected] chore-release-minor -> chore-release-minor
(refusing to allow a GitHub App to create or update workflow
`.github/workflows/python-release.yml` without `workflows` permission)
```

Root cause

.release.yml is configured to bump version refs inside workflow files:

```yaml
locations:
  - name: "Actions Versions"
    paths:
      - '.github/workflows/*.yml'
    patterns:
      - 'advanced-security/reusable-workflows/.github/workflows/.*\.yml@v([0-9]\.[0-9]\.[0-9])'
```

When patch-release-me bumps the version, it rewrites @v0.3.0 to @v0.3.1 inside workflow YAML files. create-pull-request then tries to commit these changes, but GITHUB_TOKEN cannot modify files under .github/workflows/ — this requires a PAT or GitHub App token with the workflows scope.

Impact

  • The workflow dispatch "bump" flow in self-release.yml is non-functional
  • The push-to-main auto-release flow works (it only reads .release.yml, doesn't modify workflows)
  • Releases had to be created manually as a workaround (e.g., v0.3.1)

Options

  1. Create a repo secret with a PAT (or GitHub App token) that has workflows scope, and pass it to create-pull-request via token: input
  2. Remove workflow files from .release.yml locations — stop auto-bumping version refs in workflows, manage those manually or via Dependabot
  3. Remove the dispatch bump path from self-release.yml and use the reusable workflow's bump input directly (skips the PR step, releases immediately)
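Option 1 in workflow form, as an added example rather than the repository's own self-release.yml: the release-next job's PR step with the default GITHUB_TOKEN (rejected for changes under .github/workflows/) beside the same step using a token that carries the workflows scope. The action is assumed to be peter-evans/create-pull-request, whose `token` input is what the option above refers to; the secret name `RELEASE_PAT`, the `bump` input and the commit/PR titles are assumptions for illustration.

```yaml
# Added example, not the project's own workflow file.
# Assumes peter-evans/create-pull-request and a repository Actions secret
# named RELEASE_PAT (hypothetical name) holding a PAT that may update
# workflow files.
name: self-release
on:
  workflow_dispatch:
    inputs:
      bump:
        description: "Version bump to apply (patch, minor, major)"
        required: true
        default: patch

permissions:
  contents: write
  pull-requests: write

jobs:
  release-next:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # The patch-release-me bump step goes here; it rewrites @vX.Y.Z refs,
      # including the ones inside .github/workflows/*.yml (see .release.yml).

      # Weak: no token given, so the action falls back to GITHUB_TOKEN.
      # The push is refused because GITHUB_TOKEN cannot create or update
      # files under .github/workflows/.
      #
      # - uses: peter-evans/create-pull-request@v7
      #   with:
      #     branch: chore-release-${{ inputs.bump }}

      # Corrected: a PAT (or GitHub App token) with the workflows scope can
      # commit the bumped workflow files and open the release PR.
      - uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ secrets.RELEASE_PAT }}
          branch: chore-release-${{ inputs.bump }}
          commit-message: "chore: release ${{ inputs.bump }}"
          title: "chore: release ${{ inputs.bump }}"
          body: "Automated version bump created by the self-release workflow."
```

Two details matter when picking the token. A fine-grained PAT scoped to this single repository with Contents, Pull requests and Workflows set to write is the least-privilege choice; a classic PAT needs the `workflow` scope (GitHub's classic name for it) on top of `repo`. Also, unlike GITHUB_TOKEN, a PR created with a PAT does trigger the repository's `pull_request` workflows, which is usually what a release PR wants but means the PAT's owner appears as the author of those runs.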

Related

  • v0.2.0 tag was accidentally moved to HEAD by the self-release loop due to a missing v prefix strip (fixed in ea81761)
  • PAT requirement documented in self-release.yml comment (14593b7)
