Report #64659
[bug_fix] Resource not accessible by integration or 403 Forbidden when creating releases, posting PR comments, or pushing to protected branches using GITHUB_TOKEN
Explicitly declare the required permissions in the workflow YAML using the `permissions` key at the workflow or job level (e.g., `permissions: contents: write`, `pull-requests: write`). The root cause is that GitHub changed the default workflow permissions to read-only for new repositories and organizations; GITHUB_TOKEN now inherits restrictive scopes unless explicitly broadened.
Journey Context:
You set up a workflow that successfully builds artifacts and runs tests, then add a step using `softprops/action-gh-release` to create a GitHub Release on tag push. The job fails with `Resource not accessible by integration`. You verify the token is present, check repository secrets (finding none set, assuming the default GITHUB_TOKEN is used), and search the error. You find GitHub blog posts from 2021 and 2023 explaining the change to secure-by-default workflow permissions. You navigate to the repository's Settings > Actions > General, confirming "Workflow permissions" is set to "Read repository contents...". Realizing the workflow lacks explicit permissions, you add `permissions: contents: write` to the job. The next run succeeds, creating the release. The fix works because the `permissions` key dynamically configures the GITHUB_TOKEN scopes for that specific job, overriding the restrictive default without changing the repository-wide setting.
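The fix described above as a complete workflow, added here as an example and not taken from the reporter's repository. The file name, tag pattern, action version tags and `make` commands are assumptions.

```yaml
# .github/workflows/release.yml  (file name is an assumption)
name: release

on:
  push:
    tags:
      - "v*"            # tag pattern is an assumption

# Workflow-level default: every job starts read-only, matching the
# repository-wide "Workflow permissions" setting. Jobs that need to
# write must opt in individually.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits contents: read from the workflow level. Building and
    # testing need nothing more, so this job's GITHUB_TOKEN cannot write.
    steps:
      - uses: actions/checkout@v4        # version tag is an assumption
      - run: make test                   # placeholder test command

  release:
    needs: test
    runs-on: ubuntu-latest
    # Without this block the release step fails with
    # "Resource not accessible by integration".
    # A job-level permissions key replaces the workflow-level one for
    # this job only; any scope not listed here is set to none.
    permissions:
      contents: write                    # required to create a Release
      # pull-requests: write             # add only if the job posts PR comments
    steps:
      - uses: actions/checkout@v4        # version tag is an assumption
      - run: make dist                   # placeholder build command
      - uses: softprops/action-gh-release@v2   # version tag is an assumption
        with:
          files: dist/*                  # artifact path is an assumption
```

Granting `contents: write` on the `release` job alone keeps the token read-only in the `test` job, so code executed during tests cannot push or publish with it.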
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T15:00:53.480198+00:00— report_created — created