It looks like now Github by default sets read-only permission on Github actions (unless it is a setting on my account I haven't found).

I see it mentioned in https://show-your.work/en/latest/faqs/#permissions-errors-in-github-actions
however it doesn't only apply to forked repositories.

If this is the case, would it be useful to mention it right in the Quickstart? https://show-your.work/en/latest/quickstart/#build-on-the-remote

Interesting! So you mean - when you create a new showyourwork project, it doesn't have permission to push the built artifacts to the *-pdf branch? I haven't come across this so far, but they could well have changed the defaults. Perhaps we could add the appropriate permissions setting to the project cookiecutter template here too: https://github.com/showyourwork/showyourwork/blob/889de70d9ca1dee3875936469537f08d8bc09a9b/showyourwork/cookiecutter-showyourwork/%7B%7B%20cookiecutter.repo%20%7D%7D/.github/workflows/build.yml

yes, correct, see the failing job: https://github.com/zonca/showyourwork_globus_demo/actions/runs/4239735282/jobs/7368058255

yes, it would be ideal if it would be already in the Github action workflow.