forestbat

Reputation: 1005

Permission denied to github-actions[bot]

I'm using mkdocs to generate documents for my project. Now I can't deploy those docs to GitHub Pages; it tells me:

    remote: Permission to XXX.git denied to github-actions[bot].
    fatal: unable to access 'XXX': The requested URL returned error: 403

This is my CI config.

And my secrets of the repository: (The two GIT_ACTIONS_PUSH are both my personal access tokens.)

And if I start the CI process manually, CI will crash like this.

How can I solve it?

Upvotes: 93

Views: 32115

Answers (4)

Ewan

Reputation: 686

If you're creating new files then you need to give explicit write permissions in the GitHub Actions workflow file:

    jobs:
      job-name:
        permissions:
          contents: write

Upvotes: 52
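
A least-privilege layout for this fix, as an added example that is not part of the original answer or the asker's workflow: the workflow default stays read-only and only the deploy job is granted `contents: write`. The file name, workflow name, job name, branch and Python version are assumptions.

```yaml
# Constructed example: file name, names, branch and Python version are assumptions.
# .github/workflows/docs.yml
name: docs

on:
  push:
    branches: [main]
  workflow_dispatch:

# Workflow-wide default for GITHUB_TOKEN: read-only.
# Every job that does not override this can only read repository contents.
permissions:
  contents: read

jobs:
  deploy-docs:
    runs-on: ubuntu-latest
    # Job-level override: only this job may write, and only to repository
    # contents, because `mkdocs gh-deploy` pushes the built site to the
    # gh-pages branch with the job's GITHUB_TOKEN.
    permissions:
      contents: write
    steps:
      # checkout stores the GITHUB_TOKEN in the local git config by default
      # (persist-credentials: true), so the later push can authenticate.
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: "3.x"
      - run: pip install mkdocs
      # Builds the site and pushes it to the gh-pages branch.
      - run: mkdocs gh-deploy --force
```

A job-level `permissions` block replaces the workflow-level one for that job, so any scope not listed there is set to none for the deploy job.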

yu xiangxiang

Reputation: 1330

⚠️ Warning

This answer recommends changing the default permissions for all action workflows to permissive instead of restrictive. From a security standpoint it is highly discouraged to do so. Instead, check the other answers on this Question for more secure alternatives.

Check if "Read and write permissions" are enabled in Settings -> Actions -> General -> Workflow permissions:

Workflow permissions Setting

Upvotes: 119

jessehouwing

Reputation: 114822

Your workflow already has a permissions block, with which you've limited the permissions to contents: read. In order to publish to the Pages associated with your repo you'll need to add pages: write to that list.

⚠️ Warning

Many of the other answers recommend changing the default permissions for all action workflows to permissive instead of restrictive. From a security standpoint we highly discourage people from doing so.

Instead of adding the equivalent of permissions: write-all, it's much better to rely on the default restricted read permissions and only add the exact write permissions you need.

DO NOT SET THIS TO "Read & write". DO NOT GIVE ACTIONS PERMISSIONS TO CREATE AND APPROVE pull requests.

In your case the following change to your workflow file should suffice:

    permissions:
      contents: read
      pages: write          # <-- Add this line

Upvotes: 7

Arkadip Bhattacharya

Reputation: 642

I think the persist-credentials: false and fetch-depth are the issue. It is deleting the git credentials while checking out the repository.

You can try removing the line and trying again.

    - uses: actions/checkout@v3

Upvotes: -2
