GitHub Actions "GITHUB_TOKEN does not have write access" (fork)
On pull_request runs from a fork, GITHUB_TOKEN is read-only by design to protect the base repository from untrusted code. Write operations (push, comment, label) are denied. This is a security boundary, not a misconfiguration to retry.
What this error means
A workflow triggered by a fork pull_request fails any write action with a permission error, while the same workflow works on same-repo branches.
github-actions
Error: Resource not accessible by integration
GITHUB_TOKEN does not have write access to the repository (forked pull request).Common causes
Fork PR token is read-only
pull_request from a fork downgrades GITHUB_TOKEN to read-only so untrusted code cannot mutate the base repo.
Write step running on the fork event
A commenting/labeling/push step is placed in a job that runs on the fork-PR trigger.
How to fix it
Move write work to a trusted trigger
- Use pull_request_target (with great care, no untrusted checkout of PR code) for trusted write operations on fork PRs.
- Or split: run untrusted build on pull_request, and post results from a workflow_run-triggered job with default permissions.
- Never expose secrets to untrusted fork code.
.github/workflows/comment.yml
on:
workflow_run:
workflows: ["CI"]
types: [completed]
permissions:
pull-requests: writeHow to prevent it
- Keep write operations off the untrusted fork pull_request trigger.
- Use workflow_run or carefully scoped pull_request_target for trusted post-processing.
Related guides
GitHub Actions "pushing to protected branch with GITHUB_TOKEN"Fix the GitHub Actions error pushing to a protected branch with GITHUB_TOKEN - branch protection blocks the d…
GitHub Actions secret not available to fork pull_requestFix the GitHub Actions issue where secrets are empty for workflows triggered by pull_request from a fork, by…
GitHub Actions 403 while pushing with GITHUB_TOKENFix the GitHub Actions 403 error when pushing with the GITHUB_TOKEN, caused by a missing contents write scope…