GitHub App permissions

Three ways third-party tools authenticate to GitHub: OAuth Apps (act AS a user), GitHub Apps (act AS the app, on behalf of an installation), and Personal Access Tokens (act AS a user with a long-lived token).

GitHub Apps are the preferred modern path. They have granular permissions, short-lived installation tokens (1 hour), per-repo install scope, and audit-friendly per-app activity in the GitHub UI. OAuth Apps inherit the full scope of the user's GitHub account — typically far too broad for a tool that just needs to comment on PRs.

Apps require both a GitHub-side configuration (in the developer settings) and a per-customer installation. The user installs the App on their org/account, optionally scoped to specific repos, and the App then operates within that scope.

Each permission is a tuple of (resource, level). Resources include: actions, administration, checks, code-scanning, contents, deployments, environments, issues, members, metadata, packages, pages, pull-requests, repository-hooks, repository-projects, secret-scanning, secrets, statuses, vulnerability-alerts, workflows.

Levels: none (no access), read (GET-style), write (POST/PATCH/PUT), admin (DELETE + sensitive ops). Not every resource supports every level — some only have read; admin is rare.

The granularity is real. A code-review tool needs (contents: read, pull-requests: write, checks: write, metadata: read) — and nothing else. It can't access secrets, can't push code, can't manage members. The principle of least privilege applies aggressively here.

Permissions control what the App can DO when it acts. Webhook subscriptions control what GitHub TELLS the App when things happen in the installed repos.

Common webhook events: pull_request (PR opened/closed/etc.), push (commit pushed), installation (App installed/uninstalled), installation_repositories (repos added/removed from install), check_run (CI run state changed), issues (issue opened/closed/commented).

Each subscription is opt-in per App. Most code-review tools subscribe to pull_request + push + installation events. Webhooks for things you don't need (members, issues, deployments) just add noise + processing cost — subscribe minimally.

When a GitHub App is installed on an org, GitHub issues an installation ID. The App can then exchange its private key (JWT-signed) for an installation token — a short-lived (1 hour) credential scoped to that installation's permissions on that installation's repos.

The flow per action: (1) App generates a JWT with its private key. (2) POST /app/installations/{installation_id}/access_tokens with JWT. (3) GitHub returns a token. (4) App uses that token for actual operations until expiry. (5) Refresh as needed.

Best practice: cache tokens in worker memory until expiry. Refresh proactively at the 55-minute mark to avoid 401s mid-operation. Never store installation tokens to disk — they're high-value secrets.

Installed App permissions are visible in github.com/settings/installations (for personal accounts) or github.com/organizations/{org}/settings/installations (for orgs).

Each install shows: which repositories the App can access, which permissions are granted, when it was installed, last activity. The org admin can revoke at any time.

Quarterly audit recommendation: walk every installed App, confirm the permissions match the stated function, revoke any not in active use. The github.com UI makes this 10-minute work per org.

GitHub also publishes the App's required permissions on the App's public listing (apps.github.com/lgtm-app, etc.). Read these BEFORE installing — if a 'PR comment bot' requests admin permission on contents, walk away.