GitHub warnings/errors after I move permissions to jobs

[brianjmurrell]

I'm implementing some of the fixes that Scorecard is suggesting. I am currently fixing up Token-Permissions that are being flagged in some of our workflows. So accordingly I have changed the top (i.e. workflow) level permissions as such:

-permissions:		
-  id-token: write		
-  contents: read		
-  checks: write		
+permissions: read-all

and added the needed permissions to the job:

+    permissions:
+      checks: write
+      pull-requests: write

But now in the PR where I am doing this AND have added the Scorecard workflow I am getting new errors from making the suggested change:

But if the above moving of the checks: write permission from the workflow permissions to the job permissions is the right thing to do, why am I still getting a Check failure for Token-Permissions? It is most certain that a job in the workflow needs checks: write as it breaks if I remove it:

2024-04-02 23:22:51 +0000 - publish -  INFO - Available memory to read files: 140.7 GiB
2024-04-02 23:22:51 +0000 - publish -  INFO - Reading JUnit XML files Functional on EL 8.8/**/results.xml (11 files, 4.3 KiB)
2024-04-02 23:22:51 +0000 - publish -  INFO - Finished reading 11 files in 0.00 seconds
2024-04-02 23:22:52 +0000 - publish -  INFO - Publishing failure results for commit c65e6b9f1ce7d85b35a1989e0fe1af0492404884
Request POST /repos/daos-stack/daos/check-runs failed with 403: Forbidden
2024-04-02 23:22:53 +0000 - github.GithubRetry -  INFO - Request POST /repos/daos-stack/daos/check-runs failed with 403: Forbidden
Traceback (most recent call last):
  File "/action/publish_test_results.py", line 546, in <module>
    main(settings, gha)
  File "/action/publish_test_results.py", line 269, in main
    Publisher(settings, gh, gha).publish(stats, results.case_results, conclusion)
  File "/action/publish/publisher.py", line 233, in publish
    data = self.publish_check(data)
  File "/action/publish/publisher.py", line 461, in publish_check
    check_run = self._repo.create_check_run(name=self._settings.check_name,
  File "/usr/local/lib/python3.8/site-packages/github/Repository.py", line 3793, in create_check_run
    headers, data = self._requester.requestJsonAndCheck(
  File "/usr/local/lib/python3.8/site-packages/github/Requester.py", line 537, in requestJsonAndCheck
    return self.__check(*self.requestJson(verb, url, parameters, headers, input, self.__customConnection(url)))
  File "/usr/local/lib/python3.8/site-packages/github/Requester.py", line 702, in requestJson
    return self.__requestEncode(cnx, verb, url, parameters, headers, input, encode)
  File "/usr/local/lib/python3.8/site-packages/github/Requester.py", line 799, in __requestEncode
    status, responseHeaders, output = self.__requestRaw(cnx, verb, url, requestHeaders, encoded_input)
  File "/usr/local/lib/python3.8/site-packages/github/Requester.py", line 833, in __requestRaw
    response = cnx.getresponse()
  File "/usr/local/lib/python3.8/site-packages/github/Requester.py", line 195, in getresponse
    r = verb(
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 637, in post
    return self.request("POST", url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 486, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 938, in urlopen
    retries = retries.increment(method, url, response=response, _pool=self)
  File "/usr/local/lib/python3.8/site-packages/github/GithubRetry.py", line 183, in increment
    raise Requester.createException(response.status, response.headers, content)  # type: ignore
github.GithubException.GithubException: 403 {"message": "Resource not accessible by integration", "documentation_url": "https://docs.github.com/rest/checks/runs#create-a-check-run"}

So what's my path forward here given this new Token-Permissions error when taking the suggested action?