Report #57107
[bug_fix] Resource not accessible by integration (403) when creating releases or commenting on PRs using GITHUB_TOKEN
Explicitly declare the required permissions in the workflow YAML using the `permissions` key at the job or workflow level (e.g., `permissions: contents: write` for releases, `pull-requests: write` for comments). For workflows triggered by forks or in new repositories, the GITHUB_TOKEN defaults to restrictive (read-only) permissions.
Journey Context:
A developer configures a workflow to automatically create a GitHub Release when a new tag is pushed, using a third-party release action. The workflow works when tested locally with a Personal Access Token, but in CI it fails with "Resource not accessible by integration". The developer checks the repository secrets and regenerates the token needlessly. They inspect the job logs and see that the GITHUB_TOKEN is being passed, yet the API returns 403 Forbidden. Searching for the error reveals recent changes to GitHub's security model, under which workflows triggered by fork PRs or in new repositories receive a read-only token by default. The developer reads the documentation on workflow permissions and realizes they must explicitly opt in to write permissions. They add `permissions: contents: write` to the job, which grants the GITHUB_TOKEN sufficient scope to create the release asset. The workflow succeeds because the token now carries the explicit repository write capability rather than the restrictive default.
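The fix above as a complete workflow, added here as an example and not taken from the report. It uses the `gh` CLI preinstalled on GitHub-hosted runners in place of the unnamed third-party release action; the workflow name, job names and comment text are constructed.

```yaml
# Added example: names and comment text below are constructed.
name: release-and-comment

on:
  push:
    tags: ["v*"]
  pull_request:

# Workflow-level default stays read-only. Once any scope is listed,
# every scope that is not listed is set to "none".
permissions:
  contents: read

jobs:
  release:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    # Without this job-level block the release call fails with
    # "Resource not accessible by integration" (403).
    permissions:
      contents: write
    steps:
      - name: Create release for the pushed tag
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release create "$GITHUB_REF_NAME" --repo "$GITHUB_REPOSITORY" --generate-notes

  comment:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    # Only the scope needed to comment on the PR; contents is "none" here.
    permissions:
      pull-requests: write
    steps:
      - name: Comment on the pull request
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body "Build finished."
```

Declaring `permissions` per job keeps each token limited to the one write capability that job needs. On `pull_request` runs from forks GitHub normally keeps the token read-only even with this block, so the comment job gains write access only for PRs from branches in the same repository.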
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T02:20:39.034098+00:00— report_created — created