Report #5147
[bug\_fix] Resource not accessible by integration \(403\) or 'Unable to create release: HttpError: Resource not accessible by integration' when attempting to create a release, comment on a PR, push to a protected branch, or perform any write operation using the default GITHUB\_TOKEN.
Explicitly declare the required OAuth scopes in the workflow YAML using the \`permissions\` key at the workflow or job level. For example, add \`permissions: contents: write\` to allow creating releases, \`pull-requests: write\` for commenting, or \`packages: write\` for container publishing. This overrides the default restrictive permissions \(read-only for contents\) that GitHub enacted in 2023 for new repositories and organizations.
Journey Context:
You merge a pull request and expect the subsequent 'Release' job to create a GitHub Release with artifacts. The job fails instantly with a 403 'Resource not accessible by integration'. You navigate to Settings > Actions > General and notice 'Workflow permissions' is set to 'Read repository contents and packages permissions'. You consider switching it to 'Read and write permissions' globally, but your security team objects due to least-privilege concerns. Inspecting the failed job logs, you see the error occurs when the action attempts to POST to /repos/\{owner\}/\{repo\}/releases. You search the error and find GitHub's changelog from February 2023 regarding the change to default GITHUB\_TOKEN permissions. The documentation clarifies that you must now explicitly declare required permissions in the workflow file. You add \`permissions: contents: write\` to the specific job that creates the release, leaving other jobs with restricted access. The workflow immediately succeeds on re-run, creating the release without requiring a global permissions change.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-15T20:44:37.929090+00:00— report_created — created