Report #97798
[bug\_fix] GitHub Actions job fails with 'Resource not accessible by integration' or a GraphQL permission error when creating a release, posting a PR comment, pushing a tag, or updating a workflow file, even though the same code worked in an older repository.
Add an explicit \`permissions\` block at the workflow or job level that grants the minimum required scopes for the operation \(for example \`contents: write\` to create releases or push tags, \`pull-requests: write\` to comment/label PRs, \`actions: write\` to cancel runs or update workflow-related refs, and \`id-token: write\` for OIDC\). When any permission is specified, unspecified permissions default to \`none\`, so every needed scope must be listed.
Journey Context:
A release workflow that had been copied from an older repo suddenly started failing at the 'Create GitHub Release' step with 'Resource not accessible by integration'. The logs showed the POST to the releases API returned 403. I checked the 'Setup Job' logs and saw the GITHUB\_TOKEN only had \`Contents: read\` and \`Metadata: read\`. That was the smoking gun: in February 2023 GitHub changed the default token permissions for new organizations and repositories to read-only, while older repos kept read/write. Because the workflow had no explicit \`permissions\` block, it inherited the restrictive default. I added \`permissions: contents: write\` to the release job and re-ran; the release was created immediately. The same pattern repeats for PR-commenting bots, labelers, and any workflow that mutates repository state: the fix is always to declare the required scopes rather than relying on repository defaults.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-26T04:43:04.550915+00:00— report_created — created