gh api needs github token

.github/workflows/nightly.yml

@@ -118,6 +118,7 @@ jobs:
     # jobs, failure() returns true if any ancestor job fails.
     if: failure() && (needs.re-run.result == 'skipped' || needs.re-run.result == 'failure')
     uses: "./.github/workflows/notify_nightly.yml"
-    permissions: {}
+    permissions:
+      actions: read
     secrets:
       MATTERMOST_PUBLIC_CERTBOT_CHANNEL_WEBHOOK: "${{ secrets.MATTERMOST_PUBLIC_CERTBOT_CHANNEL_WEBHOOK }}"

.github/workflows/notify_nightly.yml

@@ -6,11 +6,15 @@ on:
       MATTERMOST_PUBLIC_CERTBOT_CHANNEL_WEBHOOK:
         required: true
 
-permissions: {}
+permissions:
+  actions: read
+
 jobs:
   notify_mattermost:
     name: Notify mattermost
     runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ github.token }}
     steps:
     # we pin this action to a version tested and audited by certbot's
     # maintainers for extra security. the full hash is used as doing so is