Report #8691
[bug\_fix] Resource not accessible by integration when creating releases, posting PR comments, or pushing to protected branches using GITHUB\_TOKEN
Add explicit permissions to the workflow job or change the default workflow permissions in repository settings. For example, add \`permissions: contents: write\` for releases or \`permissions: pull-requests: write\` for PR comments. The token is created with restricted permissions by default in newer repositories and organizations.
Journey Context:
A developer creates a workflow that uses \`gh release create\` to automatically publish releases when tags are pushed. It works perfectly in their personal repository. When they transfer the repository to an organization or create a new repository, the workflow suddenly fails with "Resource not accessible by integration" or "HTTP 403: Resource not accessible by integration". The developer adds debug steps and runs \`gh auth status\`, confirming that the \`GITHUB\_TOKEN\` has limited scopes like \`repo\` and \`workflow\` but lacks \`write\` access to contents. They check the repository settings under Settings > Actions > General > Workflow permissions and discover it is set to "Read repository contents and packages permissions" \(restricted mode\). They have two options: change the global default to "Read and write permissions" \(less secure\) or add the \`permissions\` key directly to the workflow YAML, explicitly granting \`contents: write\` for the specific job that needs it. The latter is the secure, established fix because it follows the principle of least privilege while allowing the workflow to function.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T06:13:20.895986+00:00— report_created — created