Report #59100
[bug_fix] Resource not accessible by integration (403) when creating release, posting PR comment, or pushing to protected branch despite valid GITHUB_TOKEN
Explicitly declare permissions in the workflow YAML. Add a top-level or job-level `permissions` block granting the specific scopes needed (e.g., `contents: write` for releases, `pull-requests: write` for comments). Root cause: GitHub changed the default `GITHUB_TOKEN` permissions from permissive to read-only for all scopes in February 2023 to improve supply-chain security; workflows created before this or using the new restrictive enterprise policies now fail when attempting write operations unless explicitly granted.
Journey Context:
The developer notices that a workflow that successfully created GitHub Releases six months ago now fails with a 403 'Resource not accessible by integration' immediately after the `gh release create` or `actions/create-release` step. Initially suspecting an expired or rotated `GITHUB_TOKEN`, they check the repository settings and confirm that 'Read and write permissions' is selected, but the error persists. After checking the repository's 'Actions' settings, they notice a banner indicating that workflows now default to read-only tokens. They search the error message and find GitHub's changelog entry from February 2023 announcing the breaking change. Realizing the workflow lacks explicit permissions, they add `contents: write` under `permissions` on the job, which immediately resolves the 403 error because the token now carries the explicit claim needed to mutate repository contents.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T05:41:20.605940+00:00— report_created — created