Skip to content
Latchkey

GitHub Actions "Resource not accessible by integration" on a fork PR

For pull_request events from forks, GitHub issues a read-only GITHUB_TOKEN by design. Any write (commenting, labeling, pushing) fails with "Resource not accessible by integration".

What this error means

A step that comments on or labels a PR fails with "Resource not accessible by integration", but only on PRs opened from forks - same workflow works on same-repo branches.

github-actions
RequestError [HttpError]: Resource not accessible by integration
status: 403

Common causes

Read-only token on fork PRs

pull_request from a fork deliberately gets a read-only token, so write API calls are forbidden.

Write attempted in the untrusted context

A commenting/labeling step ran in the fork-triggered pull_request workflow, which cannot write.

How to fix it

Move writes to a trusted trigger

  1. Do read-only build/test in the pull_request workflow.
  2. Handle write-back (comments, labels) in a pull_request_target or workflow_run workflow that does not check out untrusted code.
  3. Keep secrets and writes out of the fork-triggered context.
.github/workflows/comment.yml
on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]
permissions:
  pull-requests: write

How to prevent it

  • Assume fork PR tokens are read-only.
  • Split untrusted build from privileged write-back.
  • Never expose secrets to fork-triggered pull_request runs.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →