Report #7977
[bug\_fix] Resource not accessible by integration \(403\) when creating PR comments or issues using GITHUB\_TOKEN
Add an explicit \`permissions\` block to the workflow or job granting the specific capability \(e.g., \`permissions: pull-requests: write contents: read\`\). Alternatively, change the default permissions in repository Settings > Actions > General > Workflow permissions to 'Read and write permissions'. Root cause: GitHub changed the default GITHUB\_TOKEN permissions to restricted \(read-only\) for new repositories and organizations; the token must be explicitly granted write capabilities for specific resources.
Journey Context:
You implement a workflow that posts test results as a comment on pull requests using \`actions/github-script\`. It works flawlessly in your personal test repository. However, when you merge the workflow to your organization's main repository, every run fails with 'Resource not accessible by integration' or HTTP 403 errors when attempting to create the comment. You verify the token is being passed correctly and try using a Personal Access Token \(PAT\) instead, which works immediately, confirming it's a permission issue rather than a code bug. You dive into the repository settings and discover that your organization has enabled 'Restrict default workflow permissions' to read-only for GITHUB\_TOKEN. The fix is adding a \`permissions:\` block explicitly granting \`pull-requests: write\` to that specific job, which overrides the organization default and allows the token to create comments without using a long-lived PAT.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T04:15:32.932020+00:00— report_created — created