Skip to content
Latchkey

GitHub Actions github-script "Resource not accessible by integration"

A github-script (or any GITHUB_TOKEN API call) fails with "Resource not accessible by integration" because the workflow token is read-only by default, or lacks the specific write scope the API call requires.

What this error means

An API call that creates a comment, label, review, or commit fails with HttpError "Resource not accessible by integration", even though the script is correct - the token simply is not allowed to perform that write.

Actions log
RequestError [HttpError]: Resource not accessible by integration
    status: 403
# github.rest.issues.createComment needs issues: write

Common causes

Default token is read-only or under-scoped

On many repos the default GITHUB_TOKEN has read-only permissions, or only the scopes you granted. A write API call (comment, label, dispatch) fails without the matching write scope.

Forked-PR token is always read-only

For pull_request runs from forks, the token is read-only regardless of the permissions: block, so write calls are denied by design.

How to fix it

Grant the exact write scope

Add a permissions: block (job- or workflow-level) granting only what the API calls need.

.github/workflows/ci.yml
permissions:
  issues: write          # for createComment / addLabels
  pull-requests: write   # for review / PR comments
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({ ...context.repo, issue_number: context.issue.number, body: 'hi' });

Handle fork PRs separately

  1. For untrusted fork PRs, use pull_request_target (carefully) or a labeled re-run with elevated permissions.
  2. Never expose write tokens to code from a fork in a pull_request run.
  3. Grant the minimum scopes; do not use permissions: write-all.

How to prevent it

  • Declare a least-privilege permissions: block for tokens that write.
  • Remember fork-PR tokens are read-only by design.
  • Map each API call to its required scope and grant only those.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →