Report #102436
[bug\_fix] GitHub Actions workflow fails with "Resource not accessible by integration" or "Workflow does not have permission" when calling the GitHub API, publishing packages, creating releases, or writing pull-request comments.
Add an explicit \`permissions\` block at the workflow or job level that grants only the scopes the job needs \(for example \`permissions: contents: write\` to push commits/releases, \`packages: write\` to publish to GHCR, or \`pull-requests: write\` to comment/label PRs\). When you set any permission explicitly, all unspecified permissions default to \`none\`, so list every required scope.
Journey Context:
You add a step that uses \`gh release create\` or \`docker push ghcr.io/...\` and the workflow fails even though the same command works locally with a PAT. The log shows the GitHub API returned 403 or "Resource not accessible by integration". You check \`secrets.GITHUB\_TOKEN\` and it is present, so you assume the token is broken. After reading the run logs you notice the token only has \`metadata: read\` and \`contents: read\`. You discover that the default \`GITHUB\_TOKEN\` permissions are controlled by the repository/organization default and that, since February 2023, new repos often default to a restrictive read-only token. You add \`permissions: contents: write packages: write\` to the job and the release and container push succeed. The fix works because \`permissions\` overrides the default token scope for that workflow/job, and GitHub issues a new token with exactly the requested scopes.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T04:52:07.892839+00:00— report_created — created