Skip to content
Latchkey

GitHub Actions "permissions must list valid scopes"

The permissions block only accepts known scope keys (contents, packages, id-token, pages, deployments, and so on) with values read, write, or none. A typo in the scope name or value fails workflow validation.

What this error means

The workflow is invalid because a permissions entry uses an unrecognized scope key or a value other than read/write/none.

github-actions
Invalid workflow file: .github/workflows/deploy.yml#L5
Unexpected value 'package-write'. Valid permission values are 'read', 'write', 'none'.

Common causes

Misspelled scope key

A scope like package instead of packages, or a made-up scope, is not recognized.

Invalid permission value

The value is not one of read, write, or none.

How to fix it

Use valid scope keys and values

  1. Correct the scope key to a known permission (contents, packages, id-token, pages, deployments, etc.).
  2. Set the value to read, write, or none.
  3. Validate the workflow after editing.
.github/workflows/deploy.yml
permissions:
  contents: read
  packages: write
  id-token: write

How to prevent it

  • Reference the documented permission scope names and only use read/write/none values.
  • Lint workflow files to catch invalid permission entries early.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →