semantic-release "EGITNOPERMISSION" cannot push to the repository in CI
semantic-release verified its configuration and found the authentication token cannot push to the repository. It needs write access to create the tag, commit release assets, and update the branch, and the token it was given does not have it.
What this error means
The "Verify Conditions" step fails immediately with "EGITNOPERMISSION" before any analysis, stating the push permission to the Git repository is required.
[semantic-release] > EGITNOPERMISSION The push permission to the Git repository is required.
The user associated with the provided GitHub token (via the GH_TOKEN or GITHUB_TOKEN
environment variable) does not have the permission to push on the repository owner/repo.Common causes
The default GITHUB_TOKEN lacks contents write
The workflow did not grant contents: write, so the automatic GITHUB_TOKEN is read-only and cannot push the release commit or tag.
A read-scoped PAT was supplied
The GH_TOKEN in CI is a personal access token without repo/contents write scope, so semantic-release is authenticated but not authorized to push.
How to fix it
Grant contents: write to the job
- Add a
permissionsblock that gives the workflow contents write. - Pass the token into the semantic-release step as
GITHUB_TOKEN. - Re-run so the "Verify Conditions" step can confirm push access.
permissions:
contents: write
issues: write
pull-requests: writeUse a PAT or GitHub App token with write scope
If a protected branch or org policy blocks the default token, supply a PAT or GitHub App installation token that has repository write access.
- run: npx semantic-release
env:
GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}How to prevent it
- Declare
permissions: contents: writein every release workflow. - Prefer a GitHub App token over a personal PAT for durable write access.
- Verify the token principal has push rights before wiring it into CI.