Skip to content
Latchkey

Git GITHUB_TOKEN "permission to ... denied" on push in CI

The automatic GITHUB_TOKEN defaults to limited permissions. A workflow that pushes commits or tags needs contents: write, otherwise the push is rejected with a 403 even though the token is valid.

What this error means

A push from an Actions job fails with remote: Permission to org/repo.git denied to github-actions[bot] and HTTP 403. Read operations succeed; only the push fails.

git
remote: Permission to org/repo.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/org/repo.git/': The requested URL returned error: 403

Common causes

Default token is read-only for contents

Repos or orgs with the restricted default permission give GITHUB_TOKEN read access, which cannot push.

Workflow does not request write permission

Without a permissions block granting contents: write, the job token cannot push commits or tags.

Branch protection blocks the bot

A protected branch requiring reviews or status checks rejects a direct push from the Actions bot.

How to fix it

Grant write permission to the job

  1. Add a permissions block requesting contents: write.
  2. Keep the rest least-privilege.
.github/workflows/release.yml
permissions:
  contents: write

jobs:
  release:
    runs-on: ubuntu-latest

Use a dedicated token for protected branches

  1. Push with a PAT or App token that is allowed to bypass branch protection where appropriate.
  2. Or target an unprotected branch and open a PR.

How to prevent it

  • Declare an explicit permissions block on workflows that push, granting only contents: write, and use a scoped App token for pushes to protected branches. This is a permissions issue, not transient, so a retry will not help.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →