gitconfig - local copy is preserving read-only properties of global gitconfig file

[sdolender]

I'm using Windows self-hosted github runners in shared env. To ensure the global gitconfig content has expect value ,
file is secured either with ReadOnly property and ACL write deny rule applied as follow:
1) Set-ItemProperty -Path "{{ user_dir }}\\.gitconfig" -Name IsReadOnly -Value $true
2)

 win_acl: 
    user: "{{ user }}" \
    path: "{{ user_dir }}\\.gitconfig"
    type: deny
    rights: Write
    state: present 
    # https://docs.ansible.com/ansible/latest/collections/ansible/windows/win_acl_module.html 

With above preconditions, I noticed the checkout with submodules doesn't work and fails as follow:

Setting up auth for fetching submodules

  "C:\Program Files\Git\cmd\git.exe" config --global http.https://github.com/.extraheader "AUTHORIZATION: basic ***"

  Encountered an error when attempting to configure token. Attempting unconfigure.
  "C:\Program Files\Git\cmd\git.exe" config --global --unset-all http.https://github.com/.extraheader
  Error: EPERM: operation not permitted, open '{{ ghr_directory_path }}\001\_work\_temp\ee8c748a-1268-4506-b891-708b30d368ac\.gitconfig

I would expect the copy of the gitconfig file has different file-properties than original one but same content.