GitHub Actions "refusing to allow a GitHub App to create or update workflow"
Pushing changes to files under .github/workflows requires the workflows permission. The default GITHUB_TOKEN and many app/PAT scopes cannot create or update workflow files without it.
What this error means
A push that touches a workflow file is rejected with a message about refusing to allow a GitHub App (or token without workflow scope) to update workflows.
github-actions
! [remote rejected] HEAD -> main (refusing to allow a GitHub App to create or update workflow '.github/workflows/ci.yml' without 'workflows' permission)Common causes
Token lacks workflows permission
GITHUB_TOKEN and many tokens cannot modify workflow files by default.
PAT missing the workflow scope
A classic PAT needs the workflow scope to push workflow changes.
How to fix it
Use a token with workflow permission
- For a PAT, include the workflow scope.
- For a GitHub App, grant the Workflows write permission and re-install.
- Use that token for the checkout/push that edits workflow files.
.github/workflows/ci.yml
- uses: actions/checkout@v4
with:
token: ${{ secrets.WORKFLOW_PAT }} # PAT with 'workflow' scopeHow to prevent it
- Use a workflow-scoped token specifically for automation that edits workflows.
- Keep app permissions least-privilege but include Workflows write where required.
Related guides
GitHub Actions default GITHUB_TOKEN is read-only (cannot push)Fix a GitHub Actions push that is denied - the default GITHUB_TOKEN is read-only and needs contents: write to…
GitHub Actions "Workflow file changed during run"Fix a GitHub Actions run that fails because the workflow file changed while it was executing - runs are pinne…
GitHub Actions "Unexpected value 'permissions'" (job vs workflow level)Fix "Unexpected value permissions" in GitHub Actions - the permissions key was placed at the wrong level or w…