Skip to content
Latchkey

GitHub Actions "Permission denied to github-actions[bot]" Pushing to Repo

A git push from the workflow was rejected with a 403 because the GITHUB_TOKEN lacks contents: write, or a branch protection rule blocks the github-actions[bot] from pushing to that branch.

What this error means

A step that runs git push (for example committing a version bump or generated files) fails with a 403 and "Permission denied to github-actions[bot]". The checkout and local commit succeed; only the push is denied.

Actions log
remote: Permission to org/repo.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/org/repo/':
The requested URL returned error: 403

Common causes

Token lacks contents: write

With a read-only default token, the push is rejected. The workflow needs contents: write to push commits.

Branch protection blocks the bot

A protected branch requiring reviews or restricting who can push will reject the github-actions[bot] unless it is allowed to bypass the rules.

How to fix it

Grant contents: write

.github/workflows/ci.yml
permissions:
  contents: write
steps:
  - uses: actions/checkout@v4
  - run: |
      git config user.name "github-actions[bot]"
      git commit -am "chore: bump version"
      git push

Allow the push past branch protection

  1. Push to a non-protected branch and open a PR instead of pushing to the protected branch.
  2. Or add an allowance/bypass for github-actions[bot] in the branch protection rule.
  3. For workflows that must commit to protected branches, use a GitHub App token with the right access.

How to prevent it

  • Grant contents: write only on jobs that push.
  • Prefer opening a PR over pushing directly to protected branches.
  • Use a dedicated App token when bot pushes to protected branches are required.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →