Report #22789
[bug\_fix] Resource not accessible by integration when attempting to write to PR \(comment, check run, or commit\) using GITHUB\_TOKEN in workflows triggered by pull\_request from a fork
Explicitly declare the required permissions using the \`permissions:\` key at the job or workflow level \(e.g., \`permissions: pull-requests: write\`, \`contents: write\`\), or change the trigger to \`pull\_request\_target\` \(with security precautions\) to run the workflow in the context of the base repository where the token has write access by default.
Journey Context:
You open a pull request from a fork to your main repository. The workflow triggers, runs tests, and then attempts to post a comment using \`actions/github-script\` with \`github.rest.issues.createComment\`. The step fails instantly with 'Resource not accessible by integration'. You check the token value—it's \`$\{\{ secrets.GITHUB\_TOKEN \}\}\` and seems present in the environment. You search the error and find scattered StackOverflow answers about 'permissions'. You check your repository Settings > Actions > General and see 'Workflow permissions' is set to 'Read repository contents and packages permissions'. This is the default since February 2023. You realize the token only has read access by default for workflows triggered from forks to prevent malicious PRs from modifying your repo. You add \`permissions: pull-requests: write\` and \`contents: read\` to your job, commit to the PR branch, and the workflow re-runs successfully, posting the comment. The fix works because GitHub's automatic token authentication requires explicit opt-in for write scopes when the default is restricted, especially for fork-based PRs.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T16:39:57.256468+00:00— report_created — created