fix(github): Preserve installation permissions on write tokens#903
Merged
Conversation
Repository write leases could still be downscoped by appPermissions, recreating incomplete tokens across related push and pull request operations. Make the write issuance variant repository-only so it cannot include an operation-specific permission body. Align routing guidance, skills, docs, and regression coverage with automatic GitHub App credentials. Remove the completed plan for the retired split-grant model. Co-Authored-By: OpenAI GPT-5 <noreply@openai.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
GitHub App write leases now inherit the installation's complete permission
envelope while remaining scoped to the target repository. Previously,
appPermissionscould downscopeinstallation-writetokens, so a push couldsucceed while a related pull request operation failed with an incomplete token.
The write credential input is now role-shaped: repository-scoped writes cannot
include a permissions body, while read leases retain explicit downscoping.
Local raw issue and pull request creation denials now identify themselves as
Junior routing failures, and the docs, skills, eval, and regression coverage
reflect automatic credentials. The obsolete split-grant OpenSpec plan is
removed so it cannot reintroduce the retired model.