Report #5437
[bug_fix] GitHub Actions workflow fails with 'Permission denied' or '403 Forbidden' when attempting to push commits, create releases, or modify repository contents using GITHUB_TOKEN
Add an explicit permissions declaration `permissions: contents: write` (plus any other required scopes like `pull-requests: write`) at the workflow or job level to override the default read-only token permissions.
Journey Context:
The developer had a workflow that automatically bumps version numbers and pushes the commit back to the repository. It worked perfectly for months, then suddenly started failing in early 2023 with 'remote: Permission to org/repo.git denied to github-actions[bot]' and 403 errors. They checked the repository settings under Actions > General and confirmed 'Workflow permissions' was set to 'Read and write permissions', yet the error persisted. They tried switching to a Personal Access Token (PAT) stored as a secret, which worked but introduced security risks and token expiration management overhead. After extensive searching through GitHub blog posts and changelogs, they discovered that GitHub changed the default GITHUB_TOKEN permissions from permissive (read/write) to restricted (read-only) for new repositories and enterprises starting February 2023, regardless of the UI setting, which only affects older repositories. The fix was explicitly declaring `permissions: contents: write` in the workflow YAML, which programmatically overrides the restrictive default and grants the workflow just enough scope to push commits without requiring a PAT, aligning with the principle of least privilege while restoring functionality.
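A version-bump workflow with the permissions declaration described above, written as an added example and not taken from the reporter's repository. The workflow name, job name, commit message and `./scripts/bump-version.sh` are hypothetical; the job-level block keeps write access confined to the one job that pushes.

```yaml
# Added example, not the reporter's workflow. The workflow/job names and
# the bump script path are hypothetical.
name: bump-version

on:
  workflow_dispatch:

# Workflow-level default: every job starts with a read-only token.
permissions:
  contents: read

jobs:
  bump:
    runs-on: ubuntu-latest
    # Job-level override: only this job may write repository contents.
    # Once a permissions block is present, any scope not listed in it
    # is set to none for this job, so add others (for example
    # pull-requests: write) only if a step actually needs them.
    permissions:
      contents: write
    steps:
      # checkout stores GITHUB_TOKEN in the local git config by default,
      # so the later `git push` authenticates with it and no PAT is needed.
      - uses: actions/checkout@v4

      - name: Bump version
        run: ./scripts/bump-version.sh   # hypothetical script

      - name: Commit and push
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git commit -am "chore: bump version"
          git push
```

Pushes made with `GITHUB_TOKEN` do not trigger further workflow runs, so switching the trigger to `push` would not cause this job to loop on its own commit.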
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-15T21:16:58.242436+00:00— report_created — created