GitHub Actions github-script "Resource not accessible by integration"
A github-script (or any GITHUB_TOKEN API call) fails with "Resource not accessible by integration" because the workflow token is read-only by default, or lacks the specific write scope the API call requires.
What this error means
An API call that creates a comment, label, review, or commit fails with HttpError "Resource not accessible by integration", even though the script is correct - the token simply is not allowed to perform that write.
RequestError [HttpError]: Resource not accessible by integration
status: 403
# github.rest.issues.createComment needs issues: writeCommon causes
Default token is read-only or under-scoped
On many repos the default GITHUB_TOKEN has read-only permissions, or only the scopes you granted. A write API call (comment, label, dispatch) fails without the matching write scope.
Forked-PR token is always read-only
For pull_request runs from forks, the token is read-only regardless of the permissions: block, so write calls are denied by design.
How to fix it
Grant the exact write scope
Add a permissions: block (job- or workflow-level) granting only what the API calls need.
permissions:
issues: write # for createComment / addLabels
pull-requests: write # for review / PR comments
jobs:
comment:
runs-on: ubuntu-latest
steps:
- uses: actions/github-script@v7
with:
script: |
await github.rest.issues.createComment({ ...context.repo, issue_number: context.issue.number, body: 'hi' });Handle fork PRs separately
- For untrusted fork PRs, use pull_request_target (carefully) or a labeled re-run with elevated permissions.
- Never expose write tokens to code from a fork in a pull_request run.
- Grant the minimum scopes; do not use permissions: write-all.
How to prevent it
- Declare a least-privilege permissions: block for tokens that write.
- Remember fork-PR tokens are read-only by design.
- Map each API call to its required scope and grant only those.