Report #100565
[bug_fix] GitHub Actions workflow fails with "Resource not accessible by integration" when creating a PR comment, issue, or release
Add an explicit top-level or job-level `permissions` block that grants the required scopes to `GITHUB_TOKEN` (for example, `permissions: pull-requests: write`, `contents: write`, or `issues: write`). Do not rely on the repository's default token setting, because the default may be restricted to read-only.
Journey Context:
You add a step that calls `gh pr comment` or uses an action like `actions/create-release` to write back to the repository. On your own branch the workflow succeeds, but when someone opens a pull request from a fork or when the repo setting "Workflow permissions" is set to read-only, the job fails with `Resource not accessible by integration`. You first suspect a missing secret, but `GITHUB_TOKEN` is present. Then you think the token is expired, but GitHub generates a fresh one each run. You check the action logs and notice the token only has `metadata: read` and `contents: read`. The rabbit hole ends when you discover that GitHub changed the default token permission to read-only for new repositories and forks, and that each workflow must opt in to write scopes via the `permissions` key. Once you add the correct `permissions:` block, the token is minted with the required scopes and the write succeeds.
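A workflow that applies this fix with least privilege, as an added example that is not part of the original report: the workflow name, job names, `make test` step and comment text are assumptions. The top-level `permissions: {}` drops every default scope, and each job then requests only what its steps use.

```yaml
# Constructed example workflow; names and commands are assumptions.
name: pr-feedback

on:
  pull_request:

# Start from zero: no scope is granted unless a job asks for it below.
# This makes the workflow independent of the repository's
# "Workflow permissions" default (read-only or read/write).
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # enough for checkout; no write scope here
    steps:
      - uses: actions/checkout@v4
      - run: make test          # hypothetical build/test command

  comment:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write      # the scope `gh pr comment` needs
    steps:
      - name: Comment on the pull request
        env:
          GH_TOKEN: ${{ github.token }}   # gh reads the token from GH_TOKEN
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        # Values are passed through env rather than interpolated into the
        # script, so event data is never parsed as shell code.
        run: gh pr comment "$PR_NUMBER" --repo "$REPO" --body "Tests passed."

# Note: for `pull_request` runs triggered from a fork, GitHub issues a
# read-only token by default regardless of what this file requests.
```

The "Set up job" step in the run log prints the `GITHUB_TOKEN` permissions that were actually granted, which is the quickest way to confirm the block took effect.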
Lifecycle
2026-07-02T04:43:17.196030+00:00 — report_created — created