The 7.0.248 release surfaced two independent CI failures:

1. Native Themes Sync failed at container init with "docker pull ...
pr-ci-container ... denied". The job runs inside that private GHCR
image, so the pull needs the GITHUB_TOKEN to carry packages:read.
Declaring a permissions block (contents: write) reset every unlisted
scope to none, dropping the implicit packages:read. Spell it out.

2. Website CN1 Version PR failed creating the PR with "remote:
Duplicate header: Authorization" / HTTP 400. checkout@v6 persists
the GITHUB_TOKEN as an http.extraheader, then create-pull-request
adds its own extraheader for the distinct CN1SS_GH_TOKEN PAT, so git
emits two Authorization headers. Disable credential persistence on
checkout so only the PAT header remains, and bump create-pull-request
v6 -> v7 to match the repo's other PR workflows and clear the Node 20
deprecation.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
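
The two fixes described in the commit message above, sketched as a workflow. This is an added example, not the repository's own workflow files: the job names, the `OWNER`/`TAG` image placeholders, the `credentials` block, the placeholder steps, and the assumption that "create-pull-request" is `peter-evans/create-pull-request` are not from the commit.

```yaml
# Added illustration; job names, image path and run steps are placeholders.
name: ci-permissions-example
on: workflow_dispatch

jobs:
  # Failure 1: the job runs inside a private GHCR image.
  themes-sync:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      # Once a permissions block is declared, every unlisted scope is
      # set to none, so the read scope used by the container pull must
      # be listed explicitly.
      packages: read
    container:
      image: ghcr.io/OWNER/pr-ci-container:TAG   # placeholder path and tag
      credentials:                               # assumed login for the pull
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v6
      - run: echo "theme sync step"              # placeholder

  # Failure 2: the PR is created with a PAT distinct from GITHUB_TOKEN.
  version-pr:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
        with:
          # Defaults to true, which persists GITHUB_TOKEN as an
          # http.extraheader (per the commit message). With it off, the
          # only Authorization header is the one added for the PAT below.
          persist-credentials: false
      - run: echo "edit the version file"        # placeholder
      - uses: peter-evans/create-pull-request@v7 # assumed action owner
        with:
          token: ${{ secrets.CN1SS_GH_TOKEN }}
          branch: example/version-bump           # placeholder
          title: Example version bump            # placeholder
```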