GitHub Actions "permissions must list valid scopes"
The permissions block only accepts known scope keys (contents, packages, id-token, pages, deployments, and so on) with values read, write, or none. A typo in the scope name or value fails workflow validation.
What this error means
The workflow is invalid because a permissions entry uses an unrecognized scope key or a value other than read/write/none.
github-actions
Invalid workflow file: .github/workflows/deploy.yml#L5
Unexpected value 'package-write'. Valid permission values are 'read', 'write', 'none'.Common causes
Misspelled scope key
A scope like package instead of packages, or a made-up scope, is not recognized.
Invalid permission value
The value is not one of read, write, or none.
How to fix it
Use valid scope keys and values
- Correct the scope key to a known permission (contents, packages, id-token, pages, deployments, etc.).
- Set the value to read, write, or none.
- Validate the workflow after editing.
.github/workflows/deploy.yml
permissions:
contents: read
packages: write
id-token: writeHow to prevent it
- Reference the documented permission scope names and only use read/write/none values.
- Lint workflow files to catch invalid permission entries early.
Related guides
GitHub Actions "ghcr.io push denied" (packages: write)Fix the GitHub Actions error pushing an image to ghcr.io - the job is missing packages: write or the login to…
GitHub Actions composite action "using: node20 required"Fix the GitHub Actions error where an action.yml runs section is missing or has an invalid using value such a…
GitHub Actions Pages "pages: write permission denied"Fix the GitHub Actions Pages permission error where the deploy job is denied because pages: write is not gran…