
scaffolded workflow token steps need workflows permission by default #5

@genesis-dev-bot

Description


Problem

Scaffolded genesis workflows use actions/create-github-app-token but do not request workflows permission. This means agents can never autonomously update workflow files. It creates a chicken-and-egg situation:

  1. The agent cannot push workflow changes without permission-workflows: write
  2. To add that permission, the workflow file itself must be updated
  3. But updating the workflow file requires the permission that isn't there yet

The first update always requires a human to manually edit the workflow file.

This hit ronny-learns-ai in two ways:

Which project hit it

Sayfan-AI/ronny-learns-ai (Milestone 2 through current, April 2026).

Proposed fix

Option A: Add permission-workflows: write to the create-github-app-token step and workflows: write to the job permissions block in the scaffold templates by default. This gives agents full workflow management capability from day one.

Option B: Include a bootstrap note in the scaffolded workflow or CLAUDE.md that tells the human to manually grant workflows permission on first setup. At minimum, document it as a required one-time human step with clear instructions.

Option A is preferred as it eliminates the manual step entirely and allows agents to maintain CI/CD autonomously.
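Option A applied to the token step of a scaffolded workflow, as an added illustration rather than the genesis project's own template. The variable and secret names (GENESIS_APP_ID, GENESIS_APP_PRIVATE_KEY) and the workflow name are assumed; the permission-* inputs are the real actions/create-github-app-token v2 inputs, and when any of them is set the minted token carries only those permissions, so the token stays least-privilege.

```yaml
name: agent-maintenance   # assumed workflow name

on:
  workflow_dispatch:

jobs:
  agent:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # GITHUB_TOKEN stays minimal; writes go through the app token
    steps:
      - name: Mint a scoped GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.GENESIS_APP_ID }}                    # assumed variable name
          private-key: ${{ secrets.GENESIS_APP_PRIVATE_KEY }}   # assumed secret name
          # Before: only contents was requested, so any push touching
          # .github/workflows/*.yml was rejected by GitHub.
          permission-contents: write
          # After (Option A): also request workflows so the agent can push
          # workflow changes. The app installation must already hold the
          # "Workflows: Read and write" permission; the token can only be
          # narrowed to a subset of what the installation grants.
          permission-workflows: write

      - name: Check out with the app token so pushes use it
        uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      - name: Agent edits and pushes (placeholder for the scaffolded agent step)
        run: |
          git config user.name "genesis-agent"            # assumed bot identity
          git config user.email "genesis-agent@users.noreply.github.com"
          git add .github/workflows
          git commit -m "chore: update workflow" || exit 0
          git push
```

If the push still fails with a refusal to update workflow files, check the app's installation permissions rather than the job permissions block: the default GITHUB_TOKEN has no workflows permission at all, so only the app token can carry it.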
