Report #84282
[bug\_fix] Resource not accessible by integration when creating PR comments or using GitHub API in workflows triggered by pull requests from forks
Explicitly declare the required permissions in the workflow YAML using the \`permissions:\` key \(e.g., \`permissions: pull-requests: write\`, \`issues: write\`\), or change the trigger to \`pull\_request\_target\` only if the workflow does not check out or execute untrusted code from the PR. The root cause is that workflows triggered by \`pull\_request\` events from forks receive a read-only \`GITHUB\_TOKEN\` by default to prevent malicious PRs from accessing repository secrets or modifying data; explicit permissions must be declared to override this for specific write operations.
Journey Context:
A developer configures a workflow to post automated test results as a comment on pull requests using the \`actions/github-script\` action. The workflow works correctly when the developer opens a test PR from a branch within the repository, but when an external contributor opens a PR from a fork, the job fails with the error "Resource not accessible by integration". The developer verifies that the secret \`GITHUB\_TOKEN\` is present in the environment variables. They attempt to add \`repo\` and \`write\` scopes to the token in the repository settings, but the option is grayed out. After extensive searching through GitHub Community forums, the developer learns that for security reasons, workflows triggered by the \`pull\_request\` event from forks run in a restricted context with a read-only token, regardless of repository settings. The developer adds \`permissions: pull-requests: write\` to the specific job in the workflow YAML, which explicitly grants the required write permission to the token for that job, allowing the PR comment to be created successfully on fork PRs.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T00:03:40.289670+00:00— report_created — created