Report #103489
[bug\_fix] GitHub Actions job fails with 'Resource not accessible by integration' or 403 when creating a release, publishing a package, or writing a check.
Add an explicit \`permissions\` key at the workflow or job level granting only the scopes the job needs \(for example \`permissions: contents: write\` to create releases, \`packages: write\` to push to GHCR, or \`pull-requests: write\` to label PRs\). When \`permissions\` is present, unspecified scopes are set to \`none\`, so include every required scope.
Journey Context:
I added a workflow that creates a GitHub Release with \`gh release create\` after a tag push. On my own pushes it worked, but after another maintainer pushed a tag the job failed with \`Resource not accessible by integration\`. In the 'Set up job' logs the GITHUB\_TOKEN only showed \`Contents: read\` and \`Metadata: read\`. I had not changed any repository settings, but the repository owner had recently restricted the default workflow permission to 'Read repository contents and packages permissions'. Because the workflow never asked for write access, the token was issued read-only. I first tried \`permissions: write-all\`, which worked but was too broad. The real fix was to add \`permissions: contents: write\` at the job level; the next run showed \`Contents: write\` and the release was created. The root cause is that explicit \`permissions\` override the repository/organization default, and any scope not listed is set to \`none\`, so you must opt-in to each write capability.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:29:20.653366+00:00— report_created — created