GitHub Actions cannot set permissions inside a composite action
GITHUB_TOKEN permissions are controlled by the workflow or job that runs the action, not by the action itself. A composite action cannot declare a permissions key - it inherits whatever the calling job grants.
What this error means
A composite action.yml with a permissions key fails validation, or the permissions are silently ignored.
github-actions
# action.yml (composite) - invalid
runs:
using: composite
permissions:
contents: write # not a valid key for a composite actionCommon causes
permissions is a workflow/job concept
Token scopes are set by the consumer; actions run under the caller’s granted permissions.
Expecting an action to elevate its own token
An action cannot grant itself more than the job provides.
How to fix it
Set permissions in the calling job
- Declare the needed permissions in the workflow or job that uses the composite action.
- Remove the permissions key from action.yml.
.github/workflows/ci.yml
# calling workflow
jobs:
run:
permissions:
contents: write
steps:
- uses: ./my-composite-actionDocument required permissions in the action README
- State which token scopes the action needs so consumers grant them.
- Fail early in the action if a required permission is missing.
How to prevent it
- Grant token scopes at the job/workflow level, not in actions.
- Document an action’s required permissions for its callers.
Related guides
GitHub Actions GITHUB_TOKEN Read-Only by Default - Write Calls 403Fix GitHub Actions 403s when the repo default GITHUB_TOKEN permission is read-only - set workflow permissions…
GitHub Actions GITHUB_TOKEN permissions reset to read-only by default policyFix write operations failing with 403 because the org/repo default GITHUB_TOKEN permission is read-only.
GitHub Actions Composite Action "Unexpected input" / Input Not FoundFix composite action input errors - undeclared inputs, the shell missing from a run step, or referencing inpu…