Skip to content
Latchkey

GitHub Actions default GITHUB_TOKEN permissions cause a 403

Your repo or org sets the default GITHUB_TOKEN to read-only, so any write the workflow attempts returns 403. This is a settings issue, not transient.

What this error means

Write operations fail with 403 across the workflow because the default token permissions are read-only and the workflow grants nothing extra.

github-actions
RequestError [HttpError]: Resource not accessible by integration
  status: 403
# default workflow permissions are set to read-only

Common causes

Org or repo default is read-only

The "Workflow permissions" setting defaults the token to read, blocking writes.

No per-workflow permissions override

Without an explicit permissions block granting write, the read-only default stands.

How to fix it

Grant write where needed, keep defaults strict

  1. Keep the org default read-only for safety.
  2. Add an explicit permissions block granting only the write scopes a workflow needs.
.github/workflows/ci.yml
permissions:
  contents: write
  pull-requests: write

How to prevent it

  • Set the org-wide default to read-only and grant writes per workflow.
  • Audit workflows to ensure each declares the scopes it relies on.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →