403 error: Resource not accessible by integration when forking a private repo we have access to, using the API

[garrickf]

Select Topic Area

Question

Body

The docs on Creating a fork with the REST API seem to indicate that the API works with GitHub app user access tokens. However, when I call this API on a private repo, I get 403: Resource not accessible by integration

The App is both:

• Installed on the organization that owns the private repo and
• Installed on the account doing the forking (and whose user access token I am using)

This appears to agree with the note on the API:

Although this endpoint works with GitHub Apps, the GitHub App must be installed on the destination account with access to all repositories and on the source account with access to the source repository.

I can create a fork successfully for a public repo that's owned by the organization, so I don't see why you can't do the same for a private repo if the App + user together have sufficient permissions. I feel like I must be doing something wrong.

This question seems similar to this one in 2022, and the resolution there was that there was a limitation in forking a private repo. But a fair amount of time has passed since then, and this is using a user access token, which is different from an app installation—I believe the use case there was forking from one org to another org with an app installation token, not a user access token.

[Subhadip956425]

1. The error means your token or GitHub App doesn’t have enough permissions to fork the private repository.

2. Public repo forks work because they don’t need special access. Private repos do.

3. To fix it:

Ensure the GitHub App is installed on both the source and destination accounts.
Grant the App repo access to the private repository.
Give the App or token write/admin permissions, not just read.
If using a token, ensure it includes the repo scope.
Check that the organization allows private forks via its settings.

4. If using GitHub Actions, enable write permissions in workflow settings.

5. Using a Personal Access Token (PAT) with repo scope can help confirm if the issue is permission-related.

[Aqib121201]

Yeah, that 403 usually means the app doesn’t have permission to create the fork. Go to the app settings on the destination account, switch it to All repositories and reinstall it. Then try the same API call again you should get a 202 if it worked.If it still fails, test with a personal access token that has the repo scope to double check it’s just a permissions thing.If that fixes it, mark this as helpful so others don’t waste time on the same issue.