Skip to content
Latchkey

GitHub Actions "GITHUB_TOKEN does not have write access" (fork)

On pull_request runs from a fork, GITHUB_TOKEN is read-only by design to protect the base repository from untrusted code. Write operations (push, comment, label) are denied. This is a security boundary, not a misconfiguration to retry.

What this error means

A workflow triggered by a fork pull_request fails any write action with a permission error, while the same workflow works on same-repo branches.

github-actions
Error: Resource not accessible by integration
GITHUB_TOKEN does not have write access to the repository (forked pull request).

Common causes

Fork PR token is read-only

pull_request from a fork downgrades GITHUB_TOKEN to read-only so untrusted code cannot mutate the base repo.

Write step running on the fork event

A commenting/labeling/push step is placed in a job that runs on the fork-PR trigger.

How to fix it

Move write work to a trusted trigger

  1. Use pull_request_target (with great care, no untrusted checkout of PR code) for trusted write operations on fork PRs.
  2. Or split: run untrusted build on pull_request, and post results from a workflow_run-triggered job with default permissions.
  3. Never expose secrets to untrusted fork code.
.github/workflows/comment.yml
on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]
permissions:
  pull-requests: write

How to prevent it

  • Keep write operations off the untrusted fork pull_request trigger.
  • Use workflow_run or carefully scoped pull_request_target for trusted post-processing.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →