Skip to content
Latchkey

GITHUB_TOKEN read-only on fork pull_request cannot comment in CI

For a pull_request triggered by a fork, GitHub issues a read-only GITHUB_TOKEN even if the workflow declares write scopes. This protects against untrusted code, so any write API call from that run is denied.

What this error means

A workflow that comments or labels works on same-repo PRs but returns 403 "Resource not accessible by integration" on PRs opened from forks.

Terminal
# event: pull_request from a fork
HttpError: Resource not accessible by integration
status: 403

Common causes

Forked pull_request tokens are read-only

GitHub downgrades GITHUB_TOKEN to read-only for fork PRs regardless of the permissions block, by design.

The write step runs in the untrusted context

The commenting/labeling step runs in the pull_request run that carries the read-only token.

How to fix it

Move writes to a trusted follow-up workflow

  1. Have the pull_request workflow upload data as an artifact.
  2. Use a separate workflow_run workflow that runs in the base repo context with write scope.
  3. Perform the comment/label there.
.github/workflows/ci.yml
on:
  workflow_run:
    workflows: ["PR checks"]
    types: [completed]
permissions:
  pull-requests: write

Use pull_request_target with care

pull_request_target runs in the base context with a writable token; never check out and execute untrusted PR code in it.

.github/workflows/ci.yml
on: pull_request_target
permissions:
  pull-requests: write

How to prevent it

  • Assume a read-only token on fork pull_request events.
  • Use workflow_run or a guarded pull_request_target for writes.
  • Never run untrusted code with a writable token.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →