GitHub Actions "Unexpected value 'permissions'" (job vs workflow level)
permissions is valid at workflow top level and at job level, but not inside steps or under arbitrary keys. Misplacing it, or using an invalid scope/structure, yields an Unexpected value permissions error.
What this error means
The workflow is invalid at parse time pointing at a permissions key, usually because it was nested incorrectly or malformed.
github-actions
Invalid workflow file: .github/workflows/ci.yml#L12
Unexpected value 'permissions'Common causes
permissions in an invalid location
Placing permissions under steps or a non-job key is not allowed.
Invalid scope or structure
An unknown permission scope or wrong mapping shape is rejected.
How to fix it
Place permissions at workflow or job level
- Put permissions at the top level for all jobs, or under a specific job.
- Use valid scopes (contents, issues, pull-requests, packages, id-token, etc.).
- Write it as a mapping of scope: read|write|none.
.github/workflows/ci.yml
permissions:
contents: read
jobs:
deploy:
permissions:
contents: write
id-token: write
runs-on: ubuntu-latest
steps:
- run: echo okHow to prevent it
- Keep permissions only at workflow or job scope.
- Validate scope names against the documented permission set.
Related guides
GitHub Actions default GITHUB_TOKEN is read-only (cannot push)Fix a GitHub Actions push that is denied - the default GITHUB_TOKEN is read-only and needs contents: write to…
GitHub Actions "Resource not accessible by integration" (issues: write missing)Fix "Resource not accessible by integration" when commenting on issues/PRs - the GITHUB_TOKEN lacks issues: w…
GitHub Actions reusable workflow secret not inheritedFix a GitHub Actions reusable workflow whose secrets are empty - secrets must be passed explicitly or with se…