GitHub Actions token permissions preflight

Check GITHUB_TOKEN scopes before a workflow hits permission errors.

Pick the operation, paste a sanitized permissions block, and get the missing scope names plus fork and reusable-workflow boundary warnings.

Workflow context

No GitHub token
Do not paste GitHub tokens, repository secrets, workflow logs, or private repository data. This page checks permission scope names only.

Permission result

fail

The pasted permissions block is missing at least one likely scope for this GitHub Actions operation.

Operation: Comment on a pull request
Event: pull_request from the same repository
Required: 2
Detected: 1
Missing: 1
Warnings: 1
fail

Missing likely permissions

  • pull-requests: write for create or update PR comments
warn

Boundary to review

Add only the minimum missing scopes required for this job instead of using write-all.

Scope comparison

Required

pull-requests: write
contents: read

Detected

contents: read

Safe report

GitHub Actions token permissions preflight
Status: fail
Operation: Comment on a pull request
Event context: pull_request from the same repository
Summary: The pasted permissions block is missing at least one likely scope for this GitHub Actions operation.

Required permissions:
- pull-requests: write (create or update PR comments)
- contents: read (read repository contents for the workflow run)

Detected permissions:
- contents: read

Missing permissions:
- pull-requests: write (create or update PR comments)

Warnings:
- Add only the minimum missing scopes required for this job instead of using write-all.

Checklist:
- Set permissions at the workflow or job level where the action actually runs.
- Check repository Actions settings if the workflow still behaves as read-only.
- Treat pull requests from forks as a separate security context.
- Run a real pull request or dry-run workflow because this page does not call the GitHub API.

Scope: static YAML-name check only. This report never includes GitHub tokens, secrets, repository data, or API responses.

What this checks

It compares common GitHub Actions operations with explicit `permissions:` scopes such as contents, pull-requests, checks, statuses, packages, pages, and id-token.
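The comparison described above can be sketched as follows. This is an added example, not this tool's own code: the operation key, function names, and sample block are assumptions, and the only requirement table entry is the one shown in the report on this page. It also treats scopes left out of an explicit block as `none`, which is how GitHub handles unlisted permissions.

```python
# Added example: static comparison of a permissions block against required scopes.
LEVELS = {"none": 0, "read": 1, "write": 2}

# Requirement copied from the report on this page; the operation key is a made-up label.
REQUIRED = {
    "comment-on-pull-request": {"pull-requests": "write", "contents": "read"},
}

def parse_permissions(block):
    """Parse a sanitized permissions block into (explicit scopes, shorthand)."""
    scopes, shorthand = {}, None
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop YAML comments
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "permissions":
            if value in ("read-all", "write-all"):
                shorthand = value
            continue
        if value in LEVELS:
            scopes[key] = value
    return scopes, shorthand

def preflight(operation, block):
    """Return status, missing scopes and warnings for one operation."""
    scopes, shorthand = parse_permissions(block)
    # With an explicit scope list, anything unlisted is "none".
    floor = {"read-all": "read", "write-all": "write"}.get(shorthand, "none")
    missing = []
    for scope, need in REQUIRED[operation].items():
        have = scopes.get(scope, floor)
        if LEVELS[have] < LEVELS[need]:  # write satisfies a read requirement
            missing.append(f"{scope}: {need}")
    warnings = []
    if shorthand == "write-all":
        warnings.append("write-all grants more than this job needs")
    return {"status": "fail" if missing else "pass",
            "missing": missing, "warnings": warnings}

# Constructed sample input matching the report on this page.
SAMPLE = """
permissions:
  contents: read
"""

if __name__ == "__main__":
    print(preflight("comment-on-pull-request", SAMPLE))
```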

What this does not do

It does not connect to GitHub, inspect repository settings, execute workflows, grant permissions, or prove that a third-party action is safe.