GitHub Authentication - How is it managed?

I’ve got myself a bit confused about this, so I’d appreciate some clarification if at all possible.

As far as I am aware, the GitHub authentication that Atom uses is an OAuth app, listed in my personal github settings.
It’s set up by logging into github on this site - https://github.atom.io/auth/github_package/token, and then copying the access token into Atom.

This makes sense, but this is where I get confused.
When I try to push to one of my repos, I get a box asking me to log into GitHub with my username and password, and then eventually my 2fa key. After doing this, it creates a personal access token here - https://github.com/settings/tokens

Why is this personal access token necessary when GitHub has already been authorised with the OAuth token connection?

That’s not all though, it gets even weirder.
I set this up about a year ago, before GitHub Actions was released. I recently added a .github/workflow/build.yml to my repo, but when I tried to push I got an error;

(refusing to allow an OAuth App to create or update workflow .github/workflows/rc-docker-web.yamlwithoutworkflow scope) atom

After revoking and reauthing the OAuth connection as well as the personal access token, this worked and I was able to push it. However, the personal access token doesn’t have the workflow scope!

I absolutely don’t understand the purpose of the personal access token component.
If it’s necessary, then surely it would need the workflow scope to allow me to do that?
And if it isn’t necessary then what on earth is the point of it?

I’m very confused, if someone can shed some light on this I’d really appreicate it.
Thanks