Report #89923
[bug\_fix] GITHUB\_TOKEN 403 Forbidden 'Resource not accessible by integration' on release creation or package publish
Add explicit permissions block to the job: \`permissions: contents: write\` for releases, \`packages: write\` for GHCR, or \`id-token: write\` for OIDC. Root cause: GitHub changed the default \`GITHUB\_TOKEN\` permissions to read-only for new repositories and organizations in February 2023; the token must now be explicitly granted write scopes per-job to limit blast radius of compromised actions.
Journey Context:
You add a workflow that triggers on tag push to create a GitHub Release using \`actions/create-release@v1\`. The job fails with 'Resource not accessible by integration'. You verify you are a repository admin and the workflow file is correct. You try adding a Personal Access Token \(PAT\) as a repository secret and use \`token: $\{\{ secrets.PAT \}\}\`—this works, but you know storing long-lived PATs is a security anti-pattern. You navigate to the repository's Settings > Actions > General and notice 'Workflow permissions' is set to 'Read repository contents and packages permissions' \(the secure default\). You realize GitHub changed the default token permissions. You could change the setting to 'Read and write permissions' globally, but that grants write access to all workflows. Instead, you add \`permissions: contents: write\` specifically to the job that creates the release. This grants only that job the necessary scope, following the principle of least privilege. The workflow now succeeds using the temporary \`GITHUB\_TOKEN\`, no PAT required.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T09:31:37.379237+00:00— report_created — created