GitHub Actions default GITHUB_TOKEN is read-only (cannot push)
When the repository or org default sets the workflow token to read-only, the built-in GITHUB_TOKEN cannot push. Pushing commits, tags, or branches requires contents: write.
What this error means
A git push step fails with a 403 or permission denied, despite using the built-in token, because the default token scope is read-only.
github-actions
remote: Permission to owner/repo.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/owner/repo/': The requested URL returned error: 403Common causes
Default token read-only
A repo/org default of read-only blocks any write with GITHUB_TOKEN.
Missing contents: write grant
Pushing requires the contents: write permission to be granted.
How to fix it
Grant contents: write
- Add a permissions block with contents: write at workflow or job scope.
- Confirm org/repo settings allow workflows to be granted write.
- For cross-repo pushes, use a PAT or app token instead of GITHUB_TOKEN.
.github/workflows/ci.yml
permissions:
contents: write
jobs:
bump:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: |
git commit -am "bump" && git pushHow to prevent it
- Grant the minimum write scope each job needs.
- Use a PAT/app token for cross-repository writes.
Related guides
GitHub Actions "Resource not accessible by integration" (issues: write missing)Fix "Resource not accessible by integration" when commenting on issues/PRs - the GITHUB_TOKEN lacks issues: w…
GitHub Actions "HTTP 422: Reference does not exist" (create release)Fix "HTTP 422 Reference does not exist" creating a release - the target tag or commit ref is not present in t…
GitHub Actions "Unexpected value 'permissions'" (job vs workflow level)Fix "Unexpected value permissions" in GitHub Actions - the permissions key was placed at the wrong level or w…