Report #74020
[bug_fix] Cannot update workflow file via API or git push without workflows write permission
Add `workflows: write` to the `permissions` block of the workflow (or job) that performs the push, alongside `contents: write`:

```yaml
permissions:
  contents: write
  workflows: write
```

The root cause is that modifying files under `.github/workflows/` is a privileged operation: whoever can change a workflow definition can change what code runs in CI and with which credentials, so it is a direct path to arbitrary code execution or privilege escalation. GitHub therefore requires the explicit `workflows` permission scope in addition to `contents: write`, even when the token otherwise has full repository access.
Journey Context:
You build an automation workflow that bumps version numbers and commits the change back to the repository, including a modification to `.github/workflows/deploy.yml` to update a version reference. Using `git push` or the GitHub REST API (`PUT /repos/{owner}/{repo}/contents/...`) with the default GITHUB_TOKEN, the operation fails with the error: "refusing to allow a GitHub App to create or update workflow `.github/workflows/deploy.yml` without `workflows` permission". You check the repository settings and confirm the workflow has "Read and write permissions" enabled for contents. You try a Personal Access Token (PAT) with the `workflow` scope selected, and the push succeeds immediately, confirming that the issue is a missing permission scope rather than a general access problem. Searching the GitHub documentation for "Workflow permissions," you find the permissions table showing that `workflows: write` is required to "Add or update workflow files." You add `permissions: { workflows: write, contents: write }` to your workflow job, remove the PAT, and the workflow successfully modifies and pushes changes to workflow files using the default GITHUB_TOKEN.
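The journey above as a complete workflow, written here as an added example rather than taken from the report: a job that rewrites a version reference in `deploy.yml` and pushes it back with the default GITHUB_TOKEN. The file name `deploy.yml`, the `APP_VERSION` line it is assumed to contain, and the `workflow_dispatch` input are assumptions for illustration; the `workflows: write` line is the fix the report describes, and the input is passed through an environment variable rather than interpolated into the script so that an untrusted value cannot inject shell commands.

```yaml
name: bump-deploy-version

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version to write into .github/workflows/deploy.yml (assumed input)"
        required: true

# Least privilege: grant nothing at the workflow level and add only what the job needs.
permissions: {}

jobs:
  bump:
    runs-on: ubuntu-latest
    permissions:
      contents: write    # needed to commit and push to the repository
      workflows: write   # needed because the pushed change touches .github/workflows/
                         # without this line the push fails with the "refusing to allow a
                         # GitHub App to create or update workflow ... without `workflows`
                         # permission" error from the report
    steps:
      - uses: actions/checkout@v4

      - name: Update the version reference in deploy.yml
        env:
          # Pass the input via the environment; never splice ${{ inputs.* }} into `run:`.
          NEW_VERSION: ${{ inputs.version }}
        run: |
          # Assumed layout: deploy.yml carries a line such as "  APP_VERSION: 1.2.3".
          # Refuse anything that is not a plain dotted version before touching the file.
          echo "$NEW_VERSION" | grep -Eq '^[0-9]+(\.[0-9]+)*$' || { echo "bad version" >&2; exit 1; }
          sed -i -E "s/^([[:space:]]*APP_VERSION:[[:space:]]*).*/\1${NEW_VERSION}/" \
            .github/workflows/deploy.yml
          git diff --quiet && { echo "APP_VERSION line not found or unchanged" >&2; exit 1; }

      - name: Commit and push with the default GITHUB_TOKEN
        env:
          NEW_VERSION: ${{ inputs.version }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add .github/workflows/deploy.yml
          git commit -m "chore: bump deploy version to ${NEW_VERSION}"
          git push
```

Removing the `workflows: write` line reproduces the failure from the report, which makes this a quick way to confirm that the token scope, and not the repository's "Read and write permissions" setting, is what gates changes under `.github/workflows/`.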
Lifecycle
2026-06-21T06:50:27.090967+00:00 — report_created — created