Request for finer-grained branch permissions


My bot sends people pull requests (e.g. In order to do that I of course somehow need to create a branch with the new data. Right now I request read+write permissions for Repository Contents and then push my new branch, which works well. However, that permission scope is a bit broader than what I actually need. In particular, I think my users would be much happier if the permissions were restricted to either:

  • The ability to create new branches (and push to branches created by the integration)
  • Read+Write permissions to a single named branch (or maybe a wildcard - I may need more than one branch in the future - e.g. allow read+write to all branches whose name starts with bot/)
  • Allow the installation to have its own “forks” of repositories.

Of course one immediate solution is to create a separate machine user that hosts the forks, but it’s a bit awkward for two reasons:

  1. It doesn’t work on private repositories (which my app doesn’t either right now, but may in the future).
  2. It seems unfortunate to require a separate machine user account when the bot already has an identity.

Or maybe you can think of something else to help with my use case.


Thanks for the feedback, @Keno :bow: – I’ll mention that to the team to consider, but I don’t expect such fine-grained permissions to be available in the near future.

If there’s anything else you’d like to see improved – please let us know.