GitHub App Permissions
The app requires a specific set of permissions to function. These are configured when registering the GitHub App.
Repository permissions
| Permission | Access | Reason |
|---|---|---|
| Issues | Read & write | Post and update the managed bot comment |
| Contents | Read-only | Read checklist templates from .github/CHECKLIST/ |
| Metadata | Read-only | Required by GitHub for any repository access |
Organization permissions
| Permission | Access | Reason |
|---|---|---|
| Members | Read-only | Verify exception-approvers team membership during approval |
Webhook events
| Event | Reason |
|---|---|
| Issues | Detect issue open, type change, and transfer |
| Issue comment | Filter for non-bot comments (currently a no-op; reserved for future use) |
Installation scope
The app must be installed at the organization level (not per-repo). This is required because:
- Template resolution reads from .github-private and .github repos in addition to the issue repo
- The issues.transferred event is only delivered to apps installed on the destination org
When installing, select All repositories so the app can access any repo in the org where issues might be transferred to or from.
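The permission, event and installation-scope requirements above can be checked against what an installation was actually granted, which catches both missing access and grants wider than documented. The following is an added example, not part of the app's own code: it assumes the installation object has already been fetched from GitHub's REST API and parsed into a dict, and `audit_installation`, `EXPECTED_PERMISSIONS`, `EXPECTED_EVENTS` and the sample data are names introduced here.

```python
# Added example, not the project's code. Expected values are from the tables above;
# key names follow GitHub's REST installation object; sample input is constructed.
EXPECTED_PERMISSIONS = {"issues": "write", "contents": "read",
                        "metadata": "read", "members": "read"}
EXPECTED_EVENTS = {"issues", "issue_comment"}
LEVELS = {"read": 1, "write": 2, "admin": 3}


def audit_installation(inst):
    """Return sorted findings; an empty list means the grant matches the docs."""
    findings = []
    granted = inst.get("permissions", {})
    for name, want in EXPECTED_PERMISSIONS.items():
        have = granted.get(name)
        if have is None:
            findings.append(f"missing permission: {name} ({want})")
        elif LEVELS.get(have, 0) < LEVELS[want]:
            findings.append(f"insufficient permission: {name} is {have}, needs {want}")
        elif LEVELS[have] > LEVELS[want]:
            findings.append(f"excess permission: {name} is {have}, documented {want}")
    for name in sorted(set(granted) - set(EXPECTED_PERMISSIONS)):
        findings.append(f"excess permission: {name} ({granted[name]}) is not documented")
    events = set(inst.get("events", []))
    findings += [f"missing event: {e}" for e in EXPECTED_EVENTS - events]
    findings += [f"undocumented event: {e}" for e in events - EXPECTED_EVENTS]
    if inst.get("target_type") != "Organization":
        findings.append("app is not installed on an organization")
    if inst.get("repository_selection") != "all":
        findings.append("repository_selection is not 'all'")
    return sorted(findings)


# Constructed sample: Contents widened to write, an extra permission granted,
# Members and the issue_comment event missing, only selected repositories.
DRIFTED = {
    "target_type": "Organization",
    "repository_selection": "selected",
    "permissions": {"issues": "write", "contents": "write",
                    "metadata": "read", "pull_requests": "read"},
    "events": ["issues"],
}

if __name__ == "__main__":
    for finding in audit_installation(DRIFTED):
        print(finding)
```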
OAuth scopes (for the UI)
The checklist editor uses GitHub OAuth to identify the acting user. The OAuth app requests:
| Scope | Reason |
|---|---|
| read:user | Get the authenticated user's login |
| read:org | Check exception-approvers team membership |