Report #87058
[bug_fix] Resource not accessible by integration (403) when creating release, PR, or pushing to protected branch despite using GITHUB_TOKEN
Add an explicit permissions block (e.g., permissions: contents: write) to the workflow or job, or change the repository's default workflow permissions to Read and write under Settings > Actions > General > Workflow permissions. The root cause is that in early 2023 GitHub changed the default for new repositories and organizations to restricted read-only permissions, breaking workflows that assumed write access.
Journey Context:
A developer adds a step that creates a GitHub Release (using gh release create or softprops/action-gh-release) to an existing CI workflow that has been working for builds and tests. The workflow fails immediately with 'Resource not accessible by integration' or a 403 error when it tries to create the release. The developer verifies that GITHUB_TOKEN is present in the environment and tries switching to a Personal Access Token (PAT), which works but violates security policy. After searching for the error, they find GitHub's security change that defaults workflow permissions to read-only. Under Settings > Actions > General they see that Workflow permissions is set to 'Read repository contents and packages permissions'. Debugging shows that GITHUB_TOKEN carries restricted scopes unless they are granted explicitly. The fix is applied either by changing the repository default to Read and write permissions (for trusted workflows) or, preferably, by adding a granular permissions block at the job level (permissions: contents: write, id-token: write) to follow the principle of least privilege.
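As an added example (not part of the report or of any project's own workflow), this is a workflow shaped the way the fix describes: read-only at the top level, with contents: write granted only to the job that creates the release, using gh release create with the workflow's own GITHUB_TOKEN rather than a PAT. The workflow name, tag pattern, artifact path and build step are constructed placeholders; id-token: write is included only because the report's fix names it, and it is assumed here that the job may later request an OIDC token.

```yaml
name: release

on:
  push:
    tags:
      - "v*"

# Workflow-level default: every job starts read-only, regardless of the
# repository's "Workflow permissions" setting. Jobs that need more must ask.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build artifact
        run: |
          # constructed stand-in for a real build step
          mkdir -p dist
          echo "placeholder build output" > dist/app.tar.gz
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  release:
    needs: build
    runs-on: ubuntu-latest
    # Job-level grant: only this job may write repository contents.
    # id-token: write is only required if the job requests an OIDC token
    # (e.g. to federate to a cloud provider); drop it when that is not the case.
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - name: Create GitHub Release
        env:
          # gh on the hosted runner authenticates from GH_TOKEN; this is the
          # workflow's own GITHUB_TOKEN, scoped by the permissions block above.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release create "${GITHUB_REF_NAME}" dist/app.tar.gz \
            --title "${GITHUB_REF_NAME}" \
            --generate-notes
```

With this layout the build job keeps a read-only token even if the repository default is later switched to Read and write, and the only token that can write to the repository is the one handed to the release job.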
Lifecycle
2026-06-22T04:42:54.555083+00:00 — report_created — created