Follow up of https://github.com/cli/cli/pull/7612
The `missingWorkflowScopeRE` is defined to capture
the error message when the `GH_TOKEN` does not have
`workflow` scope in `gh repo sync <remote>`,
but this is only intended for error messages for
OAuth Apps and does not work with GitHub Apps.
In GitHub App, you will get the following error:
```
{
"message": "refusing to allow a GitHub App to create or update workflow `.github/workflows/teamcity-pr-checks.yml` without `workflows` permission",
"documentation_url": "https://docs.github.com/rest/branches/branches#sync-a-fork-branch-with-the-upstream-repository",
"status": "422"
}
```
As you can see above, the existing regexp does not
match the "`workflows` permission".
This change modifies the regexp to return
the user-friendly error message when the `workflow`
permission is missing, even in the case of a GitHub App.
This helps avoid the errors when a new commit from upstream is not yet
available in the fork, resulting in a HTTP 404 when trying to update the
ref in the fork.
If the merge-upstream API is unavailable (404) or errors out (409/422),
the functionality falls back to the previous functionality of manually
updating refs. This ensures that `--force` still has effect.
- If the local branch already exists, use `git update-ref`
- If it needs to be created, use `git branch <newbranch>`, but don't
switch to the new branch
Bonus fixes
- Enables operation while on detached HEAD
- Enables operation even when the current remote doesn't track all
branches in the remote repo (uses FETCH_HEAD instead of the
`<remote>/<branch>` syntax)
