[caretaker] Workflow token is missing required scopes #55

@github-actions

Caretaker received 403 Forbidden (Resource not accessible by integration) on one or more GitHub endpoints during the most recent run in ianlintner/python_dsa. Each 403 means the workflow GITHUB_TOKEN is missing a permission scope caretaker expected.

Until the token is widened, the affected agents are silently skipping their work — for example, dependabot/code-scanning/secret-scanning triage is off, and docs changelog PRs aren't being opened.

Scopes needed

  • checks: write
    • POST /repos/ianlintner/python_dsa/check-runs (observed 2x this run)
  • security_events: read
    • GET /repos/ianlintner/python_dsa/code-scanning/alerts (observed 1x this run)
    • GET /repos/ianlintner/python_dsa/dependabot/alerts (observed 1x this run)
    • GET /repos/ianlintner/python_dsa/secret-scanning/alerts (observed 1x this run)

Fix

Paste this block into the top of .github/workflows/maintainer.yml (or merge it into any existing permissions: block):

permissions:
  contents: read
  checks: write
  security_events: read

For org-level restrictions, you may additionally need to approve the caretaker GitHub App installation for the scopes above. Once the token has them, delete this issue — caretaker will re-open it next run if any scope is still missing.


This issue is maintained by caretaker; the body is rewritten in place every run while the gap persists. See caretaker:scope-gap label.
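The mapping the issue draws between each 403'd endpoint and the scope it implies can be turned into a small least-privilege helper: given the observed 403 lines and the workflow's current permissions mapping, it computes only the scopes that are actually missing, widens (never narrows) the existing block, and renders the resulting `permissions:` YAML. This is an added example, not caretaker's code and not part of the original issue; the endpoint-to-scope table is taken from the four endpoints listed above, and the sample 403 lines and existing block are constructed.

```python
"""Derive a minimal GitHub Actions `permissions:` block from observed 403 endpoints.

Added example (not part of the caretaker project). The scope table below is
taken from the endpoints listed in the issue; anything else is an assumption.
"""
import re

# (method + path pattern) -> (scope, level). Mirrors the issue's "Scopes needed" list.
ENDPOINT_SCOPES = [
    (re.compile(r"^POST /repos/[^/]+/[^/]+/check-runs"), ("checks", "write")),
    (re.compile(r"^GET /repos/[^/]+/[^/]+/code-scanning/alerts"), ("security_events", "read")),
    (re.compile(r"^GET /repos/[^/]+/[^/]+/dependabot/alerts"), ("security_events", "read")),
    (re.compile(r"^GET /repos/[^/]+/[^/]+/secret-scanning/alerts"), ("security_events", "read")),
]

# Ordering of GITHUB_TOKEN permission levels; "write" implies "read".
LEVELS = {"none": 0, "read": 1, "write": 2}


def required_scopes(observed_403s):
    """Return {scope: level} needed to cover every observed 403 endpoint.

    Raises ValueError for an endpoint not in the table, since a 403 there may
    be an org-level restriction rather than a token scope gap (see the issue).
    """
    needed = {}
    for entry in observed_403s:
        for pattern, (scope, level) in ENDPOINT_SCOPES:
            if pattern.match(entry):
                if LEVELS[level] > LEVELS[needed.get(scope, "none")]:
                    needed[scope] = level
                break
        else:
            raise ValueError(f"no scope mapping for {entry!r}")
    return needed


def missing_scopes(existing, needed):
    """Scopes the current block does not grant at a sufficient level."""
    return {
        scope: level
        for scope, level in needed.items()
        if LEVELS[existing.get(scope, "none")] < LEVELS[level]
    }


def merge_permissions(existing, needed):
    """Merge needed scopes into the existing mapping, only ever widening a scope."""
    merged = dict(existing)
    for scope, level in needed.items():
        if LEVELS[level] > LEVELS[merged.get(scope, "none")]:
            merged[scope] = level
    return merged


def render_permissions(perms):
    """Render the mapping as the YAML block that goes at the top of the workflow."""
    lines = ["permissions:"]
    for scope in sorted(perms):
        lines.append(f"  {scope}: {perms[scope]}")
    return "\n".join(lines)


# Constructed sample input: the 403s reported in the issue (check-runs seen twice)
# and a workflow whose permissions block currently grants only contents: read.
SAMPLE_403S = [
    "POST /repos/ianlintner/python_dsa/check-runs",
    "POST /repos/ianlintner/python_dsa/check-runs",
    "GET /repos/ianlintner/python_dsa/code-scanning/alerts",
    "GET /repos/ianlintner/python_dsa/dependabot/alerts",
    "GET /repos/ianlintner/python_dsa/secret-scanning/alerts",
]
EXISTING_PERMISSIONS = {"contents": "read"}

if __name__ == "__main__":
    needed = required_scopes(SAMPLE_403S)
    print("missing:", missing_scopes(EXISTING_PERMISSIONS, needed))
    print(render_permissions(merge_permissions(EXISTING_PERMISSIONS, needed)))
```

Two points worth keeping in mind when applying the output: once a workflow declares any `permissions:` key, every scope not listed is set to `none`, so the merged block must keep whatever the job already relied on (here `contents: read`, which checkout needs); and the helper only widens to the level the observed endpoints require (`security_events: read`, not `write`), which is the least-privilege grant the issue asks for.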
