Why can't my action create a release using GITHUB_TOKEN even with "contents: write" permission enabled?

[rstarkov]

Select Topic Area

Question

Body

I have a deployment script that uses actions/github-script@v7, which at one point calls github.rest.repos.createRelease({...}). This fails with the message Resource not accessible by integration.

I've confirmed that I have specified contents: write for my GITHUB_TOKEN. I've tried it with permissions: write-all. I've looked through all organisation settings in case something there is restricting actions but they're set to read/write and I couldn't find anything else that's relevant. Other github.rest methods work fine, such as actions.downloadArtifact. The job's permissions setting definitely has an effect; if it's empty then downloadArtifact fails.

Here's what the action logs with permissions: write-all:

GITHUB_TOKEN Permissions
  Actions: write
  Attestations: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

I've even checked that actions/github-script@v7 actually receives GITHUB_TOKEN by default (docs say it does) and tried passing it in manually with github-token: ${{ secrets.GITHUB_TOKEN }} (no change).

The only way it works is if I pass in a PAT via github-token: ${{ ... }}. Why won't it work with GITHUB_TOKEN? Everywhere I look says that all this needs is contents: write.

[rstarkov]

So it turns out that target_commitish is the problem. If it's anything but the head commit then I get Resource not accessible by integration. This happens even if actions/checkout is told to fetch all commits (not that that was going to be an issue, seeing as tagging an older commit works fine with a PAT, just not with a GITHUB_TOKEN).

Indeed I can reproduce the problem by simply calling github.rest.git.createRef - this works ONLY for the head commit. For other hashes it returns Resource not accessible by integration. Unless I switch to PAT, in which case it works for any hash.

Any ideas?

[rstarkov]

Careful testing of PAT fine-grained permissions has cleared this up somewhat.

A PAT limited to contents:write can ONLY tag the head commit. Other hashes fail. A PAT with contents:write + workflows:write can tag anything. Documentation for POST to https://api.github.com/repos/OWNER/REPO/git/refs mentions these two sets of permissions without explaining what the difference is.

Assuming that this distinction is intentional, it's now clear why it fails with GITHUB_TOKEN: those can't have the workflows permission. So at this stage I believe it's impossible for GITHUB_TOKEN to tag anything except the head commit, and that this is probably intentional, but not clearly documented.

[grandmas-favorite]

Hi @rstarkov!

Thanks for coming back to the Community to share your findings!

[npwolf]

Has Github recently changed this required permission? I believe we've been tagging non-head commits for quite a long time and only recently saw this problem pop up. Having to generate a PAT for this is very frustrating.