Skip to content
Latchkey

GitHub Actions default GITHUB_TOKEN is read-only (cannot push)

When the repository or org default sets the workflow token to read-only, the built-in GITHUB_TOKEN cannot push. Pushing commits, tags, or branches requires contents: write.

What this error means

A git push step fails with a 403 or permission denied, despite using the built-in token, because the default token scope is read-only.

github-actions
remote: Permission to owner/repo.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/owner/repo/': The requested URL returned error: 403

Common causes

Default token read-only

A repo/org default of read-only blocks any write with GITHUB_TOKEN.

Missing contents: write grant

Pushing requires the contents: write permission to be granted.

How to fix it

Grant contents: write

  1. Add a permissions block with contents: write at workflow or job scope.
  2. Confirm org/repo settings allow workflows to be granted write.
  3. For cross-repo pushes, use a PAT or app token instead of GITHUB_TOKEN.
.github/workflows/ci.yml
permissions:
  contents: write
jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          git commit -am "bump" && git push

How to prevent it

  • Grant the minimum write scope each job needs.
  • Use a PAT/app token for cross-repository writes.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →