Look for workflows that perform a "git push" (either explicitly or via a script or other action). Ensure that these workflow jobs have the "contents: write" permission. If you need to add "contents: write", add the trailing comment "required for pushing changes" to that line.
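One way to run the first pass of this check, as an added example that is not part of the original text: it flags jobs whose steps contain an explicit `git push` but that lack a job-level `contents: write` (the GitHub Actions permission key). Assumptions: job ids are indented two spaces under `jobs:`, only job-level permissions are considered, the sample workflow is constructed, and the function names are hypothetical; pushes made inside scripts or by other actions still need manual review.

```python
import re

# Constructed sample workflow (not from any real repository).
SAMPLE = """\
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: make test
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: |
          git commit -am "bump version"
          git push origin HEAD
  docs:
    runs-on: ubuntu-latest
    permissions:
      contents: write # required for pushing changes
    steps:
      - run: ./scripts/build-docs.sh && git push
"""

PUSH = re.compile(r"\bgit\s+push\b")
WRITE = re.compile(r"^\s*contents:\s*write\b")
JOB = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")  # assumes 2-space indented job ids

def split_jobs(text):
    """Return {job_id: [lines]} for the keys directly under top-level `jobs:`."""
    jobs, current, in_jobs = {}, None, False
    for line in text.splitlines():
        if re.match(r"^\S", line):  # any top-level key starts or ends the jobs block
            in_jobs = line.startswith("jobs:")
            current = None
        elif in_jobs and (m := JOB.match(line)):
            current = jobs.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return jobs

def jobs_missing_write(text):
    """Job ids that run an explicit `git push` without job-level contents: write."""
    return [job_id for job_id, body in split_jobs(text).items()
            if any(PUSH.search(l) for l in body)
            and not any(WRITE.match(l) for l in body)]
```

On the sample, only `publish` is reported; `docs` already carries the permission with the required trailing comment.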