Report #100118
[bug_fix] Third-party or built-in action fails with 'Resource not accessible by integration' when trying to post a pull-request comment, publish a check run, or upload test results
Declare the minimal required permission scopes on the job. For PR comments use `permissions: pull-requests: write`; for test-reporter/checks use `permissions: contents: read, actions: read, checks: write`; for release-please/create-pull-request also add `contents: write`. If any parent organization/enterprise policy locks the default to read-only, workflow-level explicit permissions still override it for that run.
Journey Context:
A team adds a popular test-reporter action to their pull-request workflow. The action fails with `HttpError: Resource not accessible by integration`. The token permissions section in the job log shows `Checks: read`, so the action cannot create a check run. They first try toggling the repository setting to 'Read and write permissions', but the option is locked at the organization level. They then learn that `permissions` can be set per-job in YAML and that GitHub recommends least-privilege scopes. Adding `permissions: contents: read, actions: read, checks: write` makes the reporter succeed without giving the workflow broader write access. The fix works because the GitHub Apps permission model used by GITHUB_TOKEN requires each API write operation to map to an explicit scope, and `checks: write` is the scope that covers creating/updating check runs.
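The per-job scoping described above, as an added example that is not part of the original report: the workflow grants nothing by default, the test job gets read-only access, and only the reporting job receives `checks: write`. The workflow name, job names, test command and check-run text are assumptions, and `actions/github-script` stands in for the unnamed test-reporter action so the check-run API call is visible.

```yaml
# Added example; names and the test command are assumptions.
name: ci
on: pull_request

# Workflow-level baseline: no scopes unless a job declares them.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # enough for checkout; no write scopes
    steps:
      - uses: actions/checkout@v4
      - run: make test        # assumed test command

  report:
    needs: test
    if: always()              # report even when the tests fail
    runs-on: ubuntu-latest
    # Without this block the job inherits the locked read-only default
    # (the log shows "Checks: read") and the call below fails with
    # "Resource not accessible by integration".
    permissions:
      contents: read
      actions: read
      checks: write           # the one write scope this job needs
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            // Creating a check run is the write operation gated by checks: write.
            await github.rest.checks.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              name: 'unit-tests',                        // assumed check name
              head_sha: context.payload.pull_request.head.sha,
              status: 'completed',
              conclusion: '${{ needs.test.result }}',    // success, failure, cancelled or skipped
              output: { title: 'Unit tests', summary: 'Constructed summary text' },
            });
```

For pull requests opened from forks, the `pull_request` event still issues a read-only token, so the `report` job will fail there regardless of the declared scopes.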
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T04:40:59.507473+00:00— report_created — created