GitHub Actions checkout persisted credentials push 403
actions/checkout persists the GITHUB_TOKEN for later git commands. If that token is read-only, a push fails with 403. Retrying will not change the token scope.
What this error means
A push after checkout fails with 403 even though credentials are persisted, because the persisted token lacks contents write.
github-actions
remote: Permission to octo/repo.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/octo/repo/': The requested URL returned error: 403Common causes
Persisted token is read-only
checkout persists whatever token it used; if permissions are read-only, the push is denied.
Fork run token
On fork PRs the persisted token cannot push to the base repository.
How to fix it
Grant write or persist a stronger token
- Add permissions: contents: write so the persisted token can push.
- Or check out with a PAT that has write access.
.github/workflows/ci.yml
permissions:
contents: write
steps:
- uses: actions/checkout@v4How to prevent it
- Set contents: write only on jobs that push.
- Do not rely on the persisted token for pushes from fork PRs.
Related guides
GitHub Actions 403 while pushing with GITHUB_TOKENFix the GitHub Actions 403 error when pushing with the GITHUB_TOKEN, caused by a missing contents write scope…
GitHub Actions "Permission to X denied to github-actions[bot]"Fix the GitHub Actions error where a push is denied to github-actions[bot] because the GITHUB_TOKEN lacks con…
GitHub Actions "could not read Username" (token not passed to git)Fix the GitHub Actions "could not read Username for https://github.com" error caused by a git operation runni…