GitHub Actions "Resource not accessible by integration" - Fix GITHUB_TOKEN Scope
The built-in GITHUB_TOKEN does not have the permission needed for an API call your workflow made. Modern repositories default the token to read-only, so writes fail unless you grant them.
What this error means
A step that calls the GitHub API (creating a comment, pushing a tag, opening a release) fails with a 403 and "Resource not accessible by integration". Read calls work; writes are denied.
RequestError [HttpError]: Resource not accessible by integration
status: 403
request to POST /repos/org/repo/issues/42/commentsCommon causes
Token defaults to read-only
GitHub now defaults the workflow GITHUB_TOKEN to read-only permissions. Any write (issues, contents, packages, pull-requests) is denied unless explicitly granted.
Missing the specific permission scope
Even with broader defaults, the token needs the exact scope for the resource - for example pull-requests: write to comment on a PR, or contents: write to push.
How to fix it
Grant the needed permissions scope
Add a permissions block at the workflow or job level requesting only the scopes you need.
permissions:
contents: write
pull-requests: write
jobs:
comment:
runs-on: ubuntu-latest
steps:
- run: gh pr comment 42 --body "done"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}Check org/repo default token settings
- In Settings > Actions > General, confirm whether the default token is read-only or read/write.
- Prefer the least-privilege permissions block over a broad default.
- For cross-repo writes, use a PAT or GitHub App token; the GITHUB_TOKEN is scoped to the current repo.
How to prevent it
- Declare an explicit, least-privilege permissions block in every workflow.
- Grant write scopes only on the jobs that need them.
- Use a GitHub App or fine-grained PAT for actions outside the current repo.