GitHub Actions default GITHUB_TOKEN permissions cause a 403
Your repo or org sets the default GITHUB_TOKEN to read-only, so any write the workflow attempts returns 403. This is a settings issue, not transient.
What this error means
Write operations fail with 403 across the workflow because the default token permissions are read-only and the workflow grants nothing extra.
github-actions
RequestError [HttpError]: Resource not accessible by integration
status: 403
# default workflow permissions are set to read-onlyCommon causes
Org or repo default is read-only
The "Workflow permissions" setting defaults the token to read, blocking writes.
No per-workflow permissions override
Without an explicit permissions block granting write, the read-only default stands.
How to fix it
Grant write where needed, keep defaults strict
- Keep the org default read-only for safety.
- Add an explicit permissions block granting only the write scopes a workflow needs.
.github/workflows/ci.yml
permissions:
contents: write
pull-requests: writeHow to prevent it
- Set the org-wide default to read-only and grant writes per workflow.
- Audit workflows to ensure each declares the scopes it relies on.
Related guides
GitHub Actions "Resource not accessible by integration"Fix the GitHub Actions "Resource not accessible by integration" 403 caused by the GITHUB_TOKEN lacking the pe…
GitHub Actions workflow does not contain permissions (default token)Fix the GitHub Actions warning that a workflow does not specify permissions and falls back to the repository…
GitHub Actions 403 while pushing with GITHUB_TOKENFix the GitHub Actions 403 error when pushing with the GITHUB_TOKEN, caused by a missing contents write scope…