Report #75861
[bug_fix] Resource not accessible by integration (403) when creating release, pushing to protected branch, or commenting on PR using GITHUB_TOKEN
Add an explicit permissions block to the workflow or job: `permissions: contents: write` for releases/packages, or `pull-requests: write` for commenting. Do not rely on the repository's default token permission settings.
Journey Context:
You trigger a workflow that creates a GitHub Release or pushes a tag. The job fails instantly with "Resource not accessible by integration" or a 403 Forbidden error. You navigate to Settings > Actions > General and confirm that "Workflow permissions" is set to "Read and write permissions". You try re-running the job but it fails again. You suspect the token is broken and try generating a Personal Access Token (PAT), which works, proving the issue is specific to the automatic GITHUB_TOKEN. After searching GitHub Community forums, you discover that in February 2023, GitHub changed the security model: the default permission for the automatic token became restricted to "contents: read" regardless of the repository's legacy settings, unless explicitly declared in the workflow YAML. The debugging involves checking the workflow logs under "Set up job", where "Token Permissions" shows all scopes set to "none" or "read". The fix is to add a top-level `permissions:` block (e.g., `permissions: contents: write`) or a job-level permissions block. This explicitly grants the necessary scope, overriding the secure-by-default behavior and allowing the token to perform write operations.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-21T09:55:41.682751+00:00 — report_created — created