research: GitHub App installation token scope limitations
Apra Fleet is an open-source MCP server
Brought to you by:
apralabs
Menu
▾
▴
#76 research: GitHub App installation token scope limitations
closed
nobody
None
2026-04-21
2026-04-05
Anonymous
No
Originally created by: kumaakh
GitHub App installation tokens minted by provision_vcs_auth have restricted permissions that cause friction:
- Cannot push workflow files (
.github/workflows/*.yml) — requiresworkflowspermission, not available on fine-grained tokens by default ghCLI compatibility — installation tokens may not work with allghcommands (e.g.gh pr merge,gh api) that expect OAuth/PAT- Workaround today: PM creates PRs and merges from the controller (full
ghauth), or user manually pushes CI files
Research questions:
- Can the GitHub App be configured with
workflowspermission at the App level? - Does
ghCLI work with installation tokens at all? - Should we mint broader-scoped tokens, or keep them narrow and route CI/gh operations through PM permanently?
Backlog item [#15] from docs/MCP-BACKLOG.md. High priority.
Related
Originally posted by: kumaakh
Research complete. GitHub App installation tokens are minted with configurable repo scope (repos param) and access level (git_access param) in provision_vcs_auth. The mint call in src/services/vcs/github.ts passes these through to the GitHub App API. Full analysis documented in issue [#163] (credential file isolation redesign). Closing research issue.
Related
Tickets:
#163Ticket changed by: kumaakh