GitHub Actions "Resource not accessible by integration" on a fork PR
For pull_request events from forks, GitHub issues a read-only GITHUB_TOKEN by design. Any write (commenting, labeling, pushing) fails with "Resource not accessible by integration".
What this error means
A step that comments on or labels a PR fails with "Resource not accessible by integration", but only on PRs opened from forks - same workflow works on same-repo branches.
github-actions
RequestError [HttpError]: Resource not accessible by integration
status: 403Common causes
Read-only token on fork PRs
pull_request from a fork deliberately gets a read-only token, so write API calls are forbidden.
Write attempted in the untrusted context
A commenting/labeling step ran in the fork-triggered pull_request workflow, which cannot write.
How to fix it
Move writes to a trusted trigger
- Do read-only build/test in the pull_request workflow.
- Handle write-back (comments, labels) in a pull_request_target or workflow_run workflow that does not check out untrusted code.
- Keep secrets and writes out of the fork-triggered context.
.github/workflows/comment.yml
on:
workflow_run:
workflows: ["CI"]
types: [completed]
permissions:
pull-requests: writeHow to prevent it
- Assume fork PR tokens are read-only.
- Split untrusted build from privileged write-back.
- Never expose secrets to fork-triggered pull_request runs.
Related guides
GitHub Actions "Resource not accessible by integration" - Fix GITHUB_TOKEN ScopeFix GitHub Actions "Resource not accessible by integration" - the GITHUB_TOKEN lacks the permission for the A…
GitHub Actions Fork PR Workflow Cannot Comment or Push (Read-Only Token)Fix GitHub Actions fork pull-request runs that cannot comment, label, or push - pull_request from a fork alwa…
GitHub Actions pull_request_target Checks Out Untrusted Fork CodeFix the GitHub Actions pull_request_target security pitfall - it runs with write permissions and secrets, so…