Getting a permissions error when merging pull request


#1

I’ve got a GitHub App that helps people manage their pull requests by letting people vote on them using reactions. I’ve been running the code as a bot for a while but finally built an application around it.

Unfortunately, when I try to merge pull requests I get a 403 error:

403 Resource not accessible by integration

What permissions do I need to add to the application to get this to work? I have read/write permissions set on pull requests and issues, but only read permissions outside of that.


#2

Looking into this further, it seems that the ability to merge pull requests requires the “content” permissions.

I really think this should be separate. I do not want to have access to the repositories directly. In the future I may make the app available to private repositories but I do not actually want to have access to the code itself (everything I need in the repository is handled by the single file permissions).


#3

Our reasoning for putting the ‘Merge’ action behind the ‘content write’ permission is that you are creating a merge commit, which is updating the contents of the repo.


#4

I understand the reason, but I think it would be better to split it out into its own thing. The security argument here is that splitting it out would allow people to merge without ever having to see the content to begin with. As an app developer I don’t want to have access to any code unless it is absolutely necessary, and for my app it isn’t.
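
The following Python preflight check is an added example, not part of the thread and not code from the poster or GitHub. It compares the permissions an installation was granted with what each planned operation needs, so a shortfall such as the merge case above is reported before the API answers 403, and grants above need are listed for least-privilege review. Only the merge row (contents: write) comes from the thread; the operation names, the other rows of `REQUIRED` and the `GRANTED` sample are assumptions constructed for illustration.

```python
# Added example: preflight a GitHub App installation's permissions.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Requirement map. Only "merge_pr" is stated in the thread; the other
# rows are assumed for this hypothetical voting app.
REQUIRED = {
    "read_reactions": {"pull_requests": "read"},
    "comment_on_pr": {"issues": "write"},
    "read_config_file": {"single_file": "read"},
    "merge_pr": {"contents": "write"},
}

# Constructed sample of the grants described in post #1.
GRANTED = {"pull_requests": "write", "issues": "write", "single_file": "read"}


def missing(granted, operations):
    """Return {operation: [(permission, needed, granted)]} for shortfalls."""
    gaps = {}
    for op in operations:
        for perm, needed in REQUIRED[op].items():
            have = granted.get(perm, "none")
            if LEVELS[have] < LEVELS[needed]:
                gaps.setdefault(op, []).append((perm, needed, have))
    return gaps


def surplus(granted, operations):
    """Return {permission: (granted, highest_needed)} for grants above need."""
    need = {}
    for op in operations:
        for perm, level in REQUIRED[op].items():
            if LEVELS[level] > LEVELS[need.get(perm, "none")]:
                need[perm] = level
    return {
        perm: (have, need.get(perm, "none"))
        for perm, have in granted.items()
        if LEVELS[have] > LEVELS[need.get(perm, "none")]
    }


if __name__ == "__main__":
    ops = list(REQUIRED)
    for op, gaps in missing(GRANTED, ops).items():
        for perm, needed, have in gaps:
            print(f"{op}: needs {perm}:{needed}, installation has {have}")
    for perm, (have, needed) in surplus(GRANTED, ops).items():
        print(f"over-granted: {perm}:{have} (highest need: {needed})")
```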