101

I'm using mkdocs to generate documents for my project. Now I can't deploy those docs to GitHub Pages; it tells me:

remote: Permission to XXX.git denied to github-actions[bot].
fatal: unable to access 'XXX': The requested URL returned error: 403

This is my CI config.

And my secrets of the repository: (The two GIT_ACTIONS_PUSH are all my personal access tokens.)

And if I start the CI process manually, CI will crash like this.

How can I solve it?

6 Answers

126

⚠️ Warning

This answer recommends changing the default permissions for all action workflows to permissive instead of restrictive. From a security standpoint it is highly discouraged to do so. Instead, check the other answers on this Question for more secure alternatives.

Check if "Read and write permissions" are enabled in Settings -> Actions -> General -> Workflow permissions:

Workflow permissions Setting

6
  • If he's using his own personal token, why does this setting which claims to affect the permissions of GITHUB_TOKEN have any effect on his attempt to push? Commented Apr 14, 2023 at 20:17
  • 3
    Workflows are disabled on repo forks by default, you have to manually enable them. Good catch! Commented May 30, 2023 at 9:15
  • 5
    Github does not allow me to give read and write permission Commented Jul 21, 2023 at 12:10
  • Refer to: github.com/ad-m/github-push-action/issues/… Commented Jan 13, 2024 at 4:13
  • @fccoelho you have to enable it on the top lvl first. (Organization, Account) Commented Mar 8, 2024 at 10:46
62

If you're creating new files then you need to give explicit write permissions in the GitHub Actions workflow file:

jobs:
  job-name:
    permissions:
      contents: write
4
  • 4
    This is a better solution than the highest voted one because it limits the permissions to the minimum. Commented Aug 12, 2023 at 6:59
  • 1
    The accepted answer was already set up for me - and this actually solved the issue, thank you. Commented Mar 24, 2024 at 11:42
  • 1
    This one was easy and worked for me. Thank you! You saved my day. Commented Jun 17, 2024 at 17:00
  • This is not enough alone. Without also changing the workflow permissions to "Read and write permissions" you will get an error: "The nested job 'publish-changelog' is requesting 'contents: write', but is only allowed 'contents: read'." I get this even with a Fine-grained access token with write permissions. Commented Apr 5 at 2:04
9

Your workflow already has a permissions block, with which you've limited the permissions to contents: read. In order to publish to the Pages associated with your repo you'll need to add pages: write to that list.

⚠️ Warning

Many of the other answers recommend changing the default permissions for all action workflows to permissive instead of restrictive. From a security standpoint we highly discourage people from doing so.

Instead of adding the equivalent of permissions: write-all, it's much better to rely on the default restricted read permissions and only add the exact write permissions you need.

DO NOT SET THIS TO "Read & write". DO NOT GIVE ACTIONS PERMISSIONS TO CREATE AND APPROVE pull requests.

In your case the following change to your workflow file should suffice:

permissions:
  contents: read
  pages: write          # <-- Add this line
1
  • 2
    pages: write didn't work for me I had to use contents: write. Commented Mar 22, 2024 at 4:09
0

For me, this worked. Reference: https://github.com/orgs/community/discussions/112552

      - name: Checkout repository
        uses: actions/checkout@v2
        with:
          repository: Org/Repo
          token: ${{ secrets.SECRET_PAT }}
1
  • Thank you for contributing to the Stack Overflow community. This may be a correct answer, but it'd be really useful to provide additional explanation of your configuration so developers can understand your reasoning. This is especially useful for new developers who aren't as familiar with the syntax or struggling to understand the concepts. Would you kindly edit your answer to include additional details for the benefit of the community? Commented May 17 at 0:24
0

I ran into a similar error, and here's what I found after some testing. Making notes so that others might benefit.

Use contents permissions when using Classic Pages Experience, that is, pushing to gh-pages branch to serve GitHub pages.

permissions:
  contents: write

Use pages permissions when using a GitHub action like https://github.com/actions/deploy-pages to serve GitHub Pages.

permissions:
  pages: write
  id-token: write
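
The two permission sets from this answer placed in a complete mkdocs workflow, as an added example that is not part of the original answer or the asker's CI config. The branch name `main`, the job names and the `site` output path are assumptions, and the repository's Pages source is assumed to be set to "GitHub Actions" for the `deploy-pages` variant.

```yaml
# Constructed example workflow (not the asker's config).
name: docs
on:
  push:
    branches: [main]          # assumed default branch

# Workflow-wide default for GITHUB_TOKEN stays read-only.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest    # inherits contents: read, nothing else
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: pip install mkdocs
      - run: mkdocs build --strict        # output goes to ./site
      - uses: actions/upload-pages-artifact@v3
        with:
          path: site

  deploy:
    needs: build
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one: scopes not listed
    # here are set to none, so this job cannot write to the repository.
    permissions:
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - id: deployment
        uses: actions/deploy-pages@v4

  # Classic gh-pages branch flow, to be used instead of the two jobs above:
  # deploy-branch:
  #   runs-on: ubuntu-latest
  #   permissions:
  #     contents: write       # pushing to the gh-pages branch is a repo write
  #   steps:
  #     - uses: actions/checkout@v4
  #     - run: pip install mkdocs && mkdocs gh-deploy --force
```

With the `deploy-pages` variant no job holds `contents: write`, so a compromised build step cannot push commits; the branch-push variant needs that scope, which is why `pages: write` alone still yields the 403 there.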
-2

I think the persist-credentials: false and fetch-depth is the issue. It is deleting the credentials of the git while checking out the repository.

You can try removing the line and try.

    - uses: actions/checkout@v3
2
  • No, it doesn't help, and the crash is the same. Commented Jul 4, 2022 at 4:15
  • I don't think it has connection with fetch-depth. Commented Jul 4, 2022 at 4:36
