GitHub Actions "refusing to allow a GitHub App to create or update workflow"
A push that touches .github/workflows was rejected because the GITHUB_TOKEN or App installation lacks the workflows write permission. Retrying will not help.
What this error means
A git push from a workflow fails with a message that the App is refused permission to create or update workflow files.
github-actions
! [remote rejected] HEAD -> main (refusing to allow a GitHub App to create or update workflow '.github/workflows/ci.yml' without 'workflows' permission)Common causes
Token lacks workflows scope
The default GITHUB_TOKEN cannot modify workflow files; this requires the workflows permission an App may not have.
Pushing workflow changes from CI
Any automated change to files under .github/workflows is gated behind the workflows permission.
How to fix it
Use a token with the workflows permission
- Use a PAT or App installation token that has the workflows permission.
- Or exclude workflow file changes from automated pushes.
.github/workflows/ci.yml
- uses: actions/checkout@v4
with:
token: ${{ secrets.WORKFLOWS_PAT }}How to prevent it
- Keep automated commits out of .github/workflows when possible.
- Provision a dedicated token with the workflows permission for that use case.
Related guides
GitHub Actions 403 while pushing with GITHUB_TOKENFix the GitHub Actions 403 error when pushing with the GITHUB_TOKEN, caused by a missing contents write scope…
GitHub Actions GITHUB_TOKEN cannot trigger another workflowFix the GitHub Actions behavior where events created with the default GITHUB_TOKEN do not trigger further wor…
GitHub Actions "Resource not accessible by integration"Fix the GitHub Actions "Resource not accessible by integration" 403 caused by the GITHUB_TOKEN lacking the pe…