Permission denied to github-actions[bot] even though PAT has permission

Hey all, I have an action where I am trying to push a change to the same repo. I am authenticating via personal access token (PAT).

For some reason on this repo, the action fails with:

Permission to nickderobertis/flexlate-dev-semantic-release-example.git denied to github-actions[bot]

I added some debugging to show the authentication state of the PAT. gh auth status shows I am properly logged in and a curl to GitHub’s API shows my PAT has the following permissions:

admin:org
admin:org_hook
admin:repo_hook
delete:packages
delete_repo
gist
read:user
repo
user:email
workflow
write:permissions

Also ls-remote is working fine on the repo so it seems to be a write access problem.

Meanwhile, on other repos, I have been able to use the same code just fine. I previously had provided the same PAT to both repos, but I have also tried creating a new PAT and adding to the affected repo with no change in behavior.

I am guessing there must be something different about this repo that prevents access, but I’m not sure what it could be. I can’t find any difference in the settings.

Has anyone encountered this or have ideas on what to check? Thanks!

I notice you don’t set the token in actions/checkout, and don’t opt out of configuring the Authorization header with it either. The result is that your PAT is effectively ignored; the push works if the default GITHUB_TOKEN is allowed to push.

I assume either that’s the difference between your repositories, or the one with the issue has a branch protection rule that gets in the way.


Thank you for pointing that out, this was exactly it! I added:

with:
  token: ${{ secrets.GH_TOKEN }}

to actions/checkout@v3 and it solved the issue. Still not sure why I didn’t need that on other repos, but I will update them all to do this now that I know it was not using the PAT.

I can’t be sure, obviously, but the first thing that comes to mind: In the repository settings you can configure whether the GITHUB_TOKEN should have read-write or read-only access. Maybe that’s different between the repositories?

In the repository settings you can configure whether the GITHUB_TOKEN should have read-write or read-only access. Maybe that’s different between the repositories?

Ah, yes, that was the underlying reason. I have no idea how this setting got set differently on the repos as I haven’t touched it. But good to know, thanks so much for your help!


Why does there have to be so many links

Check your workflow permission in Settings > Actions > General.
To push a commit, workflow needs to have write permission.
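
The two fixes discussed in this thread, side by side in one workflow, as an added example that is not from any of the posters: the first job hands the PAT to actions/checkout, the second pushes with the default GITHUB_TOKEN after granting it write access at job level. The job names, file names and commit identities are constructed; GH_TOKEN is the secret name used in the thread.

```yaml
# Added example, not from the thread. Job names, file names and the commit
# identities are constructed; GH_TOKEN is the secret name used in the thread.
name: push-back-example
on: workflow_dispatch   # manual trigger, so the pushes below cannot re-trigger it

# Default for every job: GITHUB_TOKEN is read-only, whatever the
# repository-wide default under Settings > Actions > General is.
permissions:
  contents: read

jobs:
  push-with-pat:
    runs-on: ubuntu-latest
    steps:
      # checkout persists the token it is given in the local git config,
      # so the later `git push` authenticates as the PAT's owner.
      - uses: actions/checkout@v3
        with:
          token: ${{ secrets.GH_TOKEN }}
      - run: |
          git config user.name "example-bot"
          git config user.email "example-bot@example.invalid"
          date -u > pat-run.txt
          git add pat-run.txt
          git commit -m "chore: record PAT push"
          git push origin "HEAD:${GITHUB_REF_NAME}"

  push-with-default-token:
    needs: push-with-pat          # run after the first push, on the new tip
    runs-on: ubuntu-latest
    permissions:
      contents: write             # job-level grant; pushes as github-actions[bot]
    steps:
      # No `token:` input: checkout persists GITHUB_TOKEN, as in the failing run.
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.ref_name }}
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          date -u > default-token-run.txt
          git add default-token-run.txt
          git commit -m "chore: record GITHUB_TOKEN push"
          git push origin "HEAD:${GITHUB_REF_NAME}"
```

A branch protection rule on the target branch can still reject either push, as the first reply points out.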