Report #100116
[bug_fix] GitHub Actions workflow fails to push commits, create releases, or post PR comments with 'Resource not accessible by integration' or 'Bad credentials' despite using secrets.GITHUB_TOKEN
Add an explicit permissions block to the job (or workflow) granting only the scopes the step actually needs, e.g. `permissions: contents: write` to push/release, `pull-requests: write` to comment/merge, or `checks: write` to publish check runs. Also verify the repository/organization default is not locked to read-only, because repos and organizations created on or after 2023-02-02 default GITHUB_TOKEN to read-only and explicit workflow permissions override that default.
Journey Context:
A team creates a brand-new organization and repository, copies over a release workflow that used to work, and watches every release job fail with 'Resource not accessible by integration' when it calls `gh release create`. They first suspect a typo in the token and re-read `secrets.GITHUB_TOKEN`, but the job log shows the token Permissions block lists every scope as 'read'. They then discover that the repository's Settings > Actions > General > Workflow permissions is set to 'Read repository contents and packages permissions' and is grayed out because the organization enforces it. They learn that GitHub changed the default for newly created repos/orgs to read-only after February 2023 as a least-privilege measure. Adding `permissions: contents: write` directly in the workflow YAML overrides the organizational default for that job and the release succeeds. The fix works because the `permissions` key in a workflow file has final say over the token's scopes, regardless of the repository default.
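The fix described above as a complete release workflow. This is an added example, not taken from the original report; the workflow name, tag trigger, job names and build step are assumptions.

```yaml
# Added example: name, trigger, job names and build command are assumptions.
name: release

on:
  push:
    tags:
      - "v*"

# Workflow-level baseline: GITHUB_TOKEN gets no scopes unless a job asks for them.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    # Read-only is enough to check out and build.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: make build   # placeholder build command

  release:
    needs: build
    runs-on: ubuntu-latest
    # Only this job can write; contents: write is what `gh release create` needs.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Create release
        env:
          # gh reads the token from GH_TOKEN; no personal access token involved.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release create "$GITHUB_REF_NAME" --generate-notes
```

After this change the token Permissions block in the job log should show write access to contents for the `release` job only, while `build` stays read-only.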
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T04:40:56.374460+00:00 — report_created — created