Fix invalid administration permission scope in branch-protection workflow

[Copilot]

The branch-protection.yml workflow was failing at validation time with 0 jobs created (conclusion: failure) because administration is not a valid GITHUB_TOKEN scope in GitHub Actions.

What was wrong

administration is a GitHub Apps repository permission — it has no effect in a workflow permissions: block and causes the entire workflow run to be rejected before any jobs are queued.

What enforce_admins: true already does

The apparent intent behind administration: write was misplaced. Whether the repo admin is subject to branch protection is controlled by enforce_admins in the updateBranchProtection API call — not the workflow permissions block:

• enforce_admins: true → admin must also use PRs (already set, intentional for securing main)
• enforce_admins: false → admin is exempt from branch protection

Fix

Removed the invalid administration: write line. No other changes needed — for a personal repository the GITHUB_TOKEN already runs with owner-level access and can call updateBranchProtection without any additional scope.

# Before
permissions:
  contents: read
  administration: write  # not a valid GITHUB_TOKEN scope → 0 jobs, workflow fails

# After
permissions:
  contents: read

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.