How to resolve "refusing to allow an OAuth App to create or update workflow" on git push

I've literally just come across this problem when trying to use IntelliJ to push to a branch that contains a GitHub Action workflow (yaml file in .github/workflows). I didn't find existing resources on the Internet very helpful, so I hope this will help you fix it too.

TL;DR: Generate a new Personal Access Token with the workflow scope enabled in GitHub and configure your application to use that.

Background: third-party tools with GitHub integrations like IntelliJ, Visual Studio Code, Github Desktop etc use tokens to connect to your GitHub account so they can pull/push etc on your behalf. In the case of IntelliJ, their instructions only say to include the repo, the gist and the read:org scopes. But you need the workflow scope to modify GitHub Actions.

Here's how to fix it:

1. In your Github account, go to Settings (in your avatar dropdown in the top right-hand corner)
2. Go to Developer Settings > Personal Access Tokens
3. If your application is listed, click on its name to edit the settings associated with its token. Make sure workflow is ticked.
4. Click on Update Token to save the change.
5. On the same page, click on Generate Token. Read the information carefully, then click OK to continue.
6. Copy the new token that Github shows you.
7. You will need to recreate your application's integration with Github using the new token for the change to take effect.

Note: you may be able to skip steps 5 onward if your application refreshes its permissions automatically, but that didn't seem to work for me with IntelliJ.

In IntelliJ, the last step was to go to Settings > Version Control > GitHub, then remove the existing integration and re-add it, pasting in the new token. You'll have to find out what needs to be done for the tool you're using to give it the new GitHub Personal Access Token.