GitHub Actions "Permission denied to github-actions[bot]" Pushing to Repo
A git push from the workflow was rejected with a 403 because the GITHUB_TOKEN lacks contents: write, or a branch protection rule blocks the github-actions[bot] from pushing to that branch.
What this error means
A step that runs git push (for example committing a version bump or generated files) fails with a 403 and "Permission denied to github-actions[bot]". The checkout and local commit succeed; only the push is denied.
Actions log
remote: Permission to org/repo.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/org/repo/':
The requested URL returned error: 403Common causes
Token lacks contents: write
With a read-only default token, the push is rejected. The workflow needs contents: write to push commits.
Branch protection blocks the bot
A protected branch requiring reviews or restricting who can push will reject the github-actions[bot] unless it is allowed to bypass the rules.
How to fix it
Grant contents: write
.github/workflows/ci.yml
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- run: |
git config user.name "github-actions[bot]"
git commit -am "chore: bump version"
git pushAllow the push past branch protection
- Push to a non-protected branch and open a PR instead of pushing to the protected branch.
- Or add an allowance/bypass for github-actions[bot] in the branch protection rule.
- For workflows that must commit to protected branches, use a GitHub App token with the right access.
How to prevent it
- Grant contents: write only on jobs that push.
- Prefer opening a PR over pushing directly to protected branches.
- Use a dedicated App token when bot pushes to protected branches are required.
Related guides
GitHub Actions "Resource not accessible by integration" - Fix GITHUB_TOKEN ScopeFix GitHub Actions "Resource not accessible by integration" - the GITHUB_TOKEN lacks the permission for the A…
GitHub Actions OIDC "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL"Fix GitHub Actions OIDC "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL" - the job is missing id-token: write, ne…