Skip to content
Latchkey

GitHub Actions checkout persisted credentials push 403

actions/checkout persists the GITHUB_TOKEN for later git commands. If that token is read-only, a push fails with 403. Retrying will not change the token scope.

What this error means

A push after checkout fails with 403 even though credentials are persisted, because the persisted token lacks contents write.

github-actions
remote: Permission to octo/repo.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/octo/repo/': The requested URL returned error: 403

Common causes

Persisted token is read-only

checkout persists whatever token it used; if permissions are read-only, the push is denied.

Fork run token

On fork PRs the persisted token cannot push to the base repository.

How to fix it

Grant write or persist a stronger token

  1. Add permissions: contents: write so the persisted token can push.
  2. Or check out with a PAT that has write access.
.github/workflows/ci.yml
permissions:
  contents: write
steps:
  - uses: actions/checkout@v4

How to prevent it

  • Set contents: write only on jobs that push.
  • Do not rely on the persisted token for pushes from fork PRs.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →