VSCode doesn't request permission to edit github workflow files by default. Because it's an OAuth app and not a token, I can't grant it scopes that it did not request. I am forced to use SSH or a personal token instead of VSCode's built-in Github authentication, but because there's no convenient way to have VSCode forget that it authenticated a repo, I am also forced to checkout my own repo again and push the changes across.

If you want your product to Just Work, then Just Use Open Processes that are easy to hook into, interrupt or partially replace. Nobody can think of everything. Not even Apple's or Microsoft's mighty designers. What everyone can do is to provide graceful failure modes and offer partial strategies.