GitHub Actions "top-level permissions must be a mapping"
The permissions key accepts either a mapping of scope to access level, or the shorthand read-all / write-all. Any other value (a bare list, a string, an unknown token) fails validation.
What this error means
The workflow fails to start with "permissions must be a mapping" because permissions was written as a list, an arbitrary string, or a malformed structure.
github-actions
Error: top-level permissions must be a mappingCommon causes
permissions given as a list or string
permissions was written as a YAML list or a non-shorthand string instead of a scope:level mapping.
Typo in the shorthand
A misspelled shorthand (read_all instead of read-all) is not recognized as the valid form.
How to fix it
Use a valid permissions mapping or shorthand
- Write permissions as scope: level pairs.
- Or use the supported shorthand read-all / write-all.
- Set the minimum scopes the workflow actually needs.
.github/workflows/ci.yml
permissions:
contents: read
pull-requests: writeHow to prevent it
- Always express permissions as a scope:level mapping.
- Use only the documented read-all / write-all shorthands.
- Lint workflows so malformed permissions are caught.
Related guides
GitHub Actions workflow does not contain permissions (default token)Fix the GitHub Actions warning that a workflow does not specify permissions and falls back to the repository…
GitHub Actions default GITHUB_TOKEN permissions cause a 403Fix the GitHub Actions 403 caused by the repository or org default GITHUB_TOKEN being read-only, so write API…
GitHub Actions GITHUB_TOKEN Read-Only by Default - Write Calls 403Fix GitHub Actions 403s when the repo default GITHUB_TOKEN permission is read-only - set workflow permissions…