Report #101969
[bug\_fix] GitHub Actions workflow fails with 'Resource not accessible by integration' or 'HttpError: 403' when creating releases, pull-request comments, or pushing packages
Add an explicit top-level or job-level \`permissions\` block granting the scopes the job actually needs \(e.g. \`contents: write\` for releases, \`pull-requests: write\` for comments, \`packages: write\` for GHCR\). Avoid \`permissions: write-all\` in shared/public repos; grant least privilege per job. The default \`GITHUB\_TOKEN\` was changed to read-only for new repositories and organizations in early 2023, so legacy workflows that implicitly relied on broad write access now fail.
Journey Context:
You merge a workflow that creates a GitHub Release from a tag. It worked in your old repo, but in the new one it explodes with 'Resource not accessible by integration'. You suspect a PAT issue, so you rotate secrets—no change. You inspect the job logs and notice the 403 happens on the \`POST /repos/.../releases\` API call, not on authentication. You compare with an older repository and realize the new repo's workflow runs under a \`permissions: read-all\` or default read-only policy, while the old repo inherited broad write access. After adding \`permissions: contents: write\` to the job, the release is created. You later split the workflow so only the release job gets write scope while the test job stays read-only.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-08T04:45:22.777989+00:00— report_created — created