Checkout private repository from workflow call doesn't work #1841
Answered by alexrosenfeld10
alexrosenfeld10 asked this question in Q&A
Per title, checkout fails when called from reusable workflows.

Main workflow:

```yaml
name: My thing
on:
  pull_request:
    branches:
      - staging
      - master
  merge_group:
jobs:
  changed-files:
    name: Check for relevant changes
    uses: ./.github/workflows/changed_files.yml
    with:
      files: |
        blah/**
        other/**
    permissions:
      pull-requests: read
    # secrets: inherit # fails with and without this
```

Reusable workflow (as in,

```yaml
on:
  workflow_call:
    inputs:
      files:
        description: "Globs of file paths, separated by newlines"
        type: string
        required: true
    outputs:
      has_changes:
        description: "Whether there are changes in the files"
        value: ${{ jobs.changed-files.outputs.has_changes }}
jobs:
  changed-files:
    name: Check files
    permissions:
      pull-requests: read
    runs-on: ubuntu-latest
    outputs:
      has_changes: ${{ steps.changed-files-step.outputs.all_changed_files != '' }}
    steps:
      - name: Checkout repo if triggered by merge queue # This is the part that fails!
        # if: github.event_name == 'merge_group' # commented out for testing on PRs
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # token: ${{ secrets.GITHUB_TOKEN }} # fails with this
          # token: ${{ secrets.GITHUB_TOKEN_FOO }} # fails with this when passed directly as well
      - id: changed-files-step
        uses: tj-actions/changed-files@v44
        with:
          files: ${{ inputs.files }}
```

I've tried:

Checkout works from the parent job by the way. It's just when called from the reusable workflow that it fails.

Error log:
Answered by alexrosenfeld10 on Aug 2, 2024
I've also tried

```yaml
permissions: read-all
secrets: inherit
```

to no avail
ugh, the permissions have to be on the reusable workflow, not the top level workflow. GHAs can be so needlessly complex in their configuration
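
The fix described in the answer, written out as an added example (not the poster's final configuration). It assumes the scope the checkout step lacked was `contents: read`, which the page cannot confirm because the error log is missing; the two YAML documents stand for the calling workflow and `changed_files.yml`.

```yaml
# Added example. Assumption: the missing token scope is `contents: read`.
# Document 1: the calling workflow (its file name is not given on the page).
name: My thing
on:
  pull_request:
    branches: [staging, master]
  merge_group:
jobs:
  changed-files:
    uses: ./.github/workflows/changed_files.yml
    with:
      files: |
        blah/**
        other/**
    # A called workflow can keep or reduce the caller's GITHUB_TOKEN
    # permissions, never raise them, so allow at least what the callee needs.
    permissions:
      contents: read
      pull-requests: read
---
# Document 2: .github/workflows/changed_files.yml (the reusable workflow).
on:
  workflow_call:
    inputs:
      files:
        type: string
        required: true
    outputs:
      has_changes:
        value: ${{ jobs.changed-files.outputs.has_changes }}
jobs:
  changed-files:
    runs-on: ubuntu-latest
    # Listing any scope sets every unlisted scope to `none`, so a block with
    # only `pull-requests: read` leaves the token unable to read the repo.
    permissions:
      contents: read        # lets actions/checkout clone a private repository
      pull-requests: read
    outputs:
      has_changes: ${{ steps.changed-files-step.outputs.all_changed_files != '' }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - id: changed-files-step
        uses: tj-actions/changed-files@v44
        with:
          files: ${{ inputs.files }}
```

Both blocks stay least-privilege: only the two read scopes the job uses are granted, rather than `read-all`.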