Gitea Actions GITHUB_TOKEN / GITEA_TOKEN not available in CI
Gitea Actions injects an automatic token you reference as ${{ secrets.GITHUB_TOKEN }} (also exposed as GITEA_TOKEN). If a step reads a bare env var, or expects broader scope than the per-job token has, calls to the instance API fail with unauthorized.
What this error means
A step that pushes, comments, or calls the Gitea API fails with 401/403, or the token variable is empty because it was not read from the secrets context.
Error: Resource not accessible by integration
# or an empty token because the step used $GITHUB_TOKEN without:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}Common causes
The token is not referenced through the secrets context
A step reads a plain env var that was never set, instead of ${{ secrets.GITHUB_TOKEN }}, so it is empty.
The automatic token lacks the needed permission
The per-job token has limited scope; an operation beyond it returns not accessible / unauthorized.
How to fix it
Reference the token via the secrets context
- Set the env var from
${{ secrets.GITHUB_TOKEN }}(or GITEA_TOKEN). - Use that env var in the step that calls the API.
- Re-run and confirm the call authenticates.
steps:
- run: gitea-cli ...
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}Use a PAT for operations beyond the auto token
If the automatic token is too limited, store a personal access token as a secret and use it for that step.
env:
GITEA_TOKEN: ${{ secrets.CI_PAT }}How to prevent it
- Always inject the token from the secrets context, never assume it in env.
- Use the automatic token for in-repo actions; a PAT for cross-repo.
- Grant least privilege to any PAT you store.