Early access Faultline Teams — organizational memory for recurring CI failures across repos

GitHub Actions GITHUB_TOKEN permission denied

The `GITHUB_TOKEN` used by this workflow does not have the permissions required for the requested GitHub operation.

github-actions-permission high confidence ci github-actions

Matched signals

  • HttpError: Resource not accessible by integration
  • Error: HttpError: Resource not accessible by integration
  • GraphQL: Resource not accessible by integration
  • Permission denied to github-actions\[bot\]
  • requires the 'contents: write' permission
  • Missing permissions
  • insufficient permission
  • refusing to allow a GitHub App to create or update file

GitHub Actions GITHUB_TOKEN permission denied

What this failure means

The GITHUB_TOKEN used by this workflow does not have the permissions required for the requested GitHub operation.

Symptoms

Faultline looks for one or more of these log fragments:

HttpError: Resource not accessible by integration
Error: HttpError: Resource not accessible by integration
GraphQL: Resource not accessible by integration
Permission denied to github-actions\[bot\]
requires the 'contents: write' permission
Missing permissions
insufficient permission
refusing to allow a GitHub App to create or update file

Diagnosis

The GITHUB_TOKEN used by this workflow does not have the permissions required for the requested GitHub operation.

Fix steps

  1. Add an explicit permissions block to the workflow or failing job and grant only the scopes that step actually needs.
  2. Check the exact action or API call that failed and map it to the required permission such as contents: write, packages: write, pull-requests: write, or id-token: write.
  3. For organization-owned repositories, confirm the repository or org-level Actions settings do not force a more restrictive default token policy.
  4. If a third-party action is making the request, review its README for the minimum required permission scopes.

Validation

  • Re-run the job and confirm the Resource not accessible by integration or permission error is gone.
  • Verify the workflow’s permissions: block is present in the committed YAML.

Why it matters

GitHub Actions uses a scoped workflow token. Many workflows default to read-only permissions, so release, package publish, PR write, and file update steps fail unless the workflow declares the required scopes explicitly.

Prevention

  • Declare permissions: explicitly on every workflow instead of relying on platform defaults.
  • Keep write-capable steps isolated in dedicated jobs so elevated scopes stay narrow.
  • Review third-party actions for required token scopes before adding them to critical workflows.

Try it locally

grep -R "^permissions:" .github/workflows

How Faultline detects it

Use faultline explain github-actions-permission to see the full playbook.

faultline analyze build.log
faultline explain github-actions-permission

Generated from playbooks/bundled/log/ci/github-actions-permission.yaml. Do not edit directly.

Try it on your own failed log

$ faultline analyze failed.log
Install Faultline CLI View on GitHub
Want this across every CI run? Faultline Teams tracks recurring failures across all your repos and surfaces patterns in a shared dashboard.