Skip to content

Hosted MCP get_check_runs fails with 403 where the equivalent REST call succeeds #2381

@mlegner

Description

@mlegner

Describe the bug

pull_request_read with method: get_check_runs returns 403 Resource not accessible by personal access token [] for a private repo that the same classic PAT can read via the plain REST API (gh pr checks / GET /repos/{owner}/{repo}/commits/{ref}/check-runs). Every other pull_request_read method (get, get_files, get_reviews, get_review_comments, etc.) works with that token on the same PR — only get_check_runs fails.

This means the method shipped via #1942 is effectively unusable against repos where the user's PAT is fine but the underlying MCP app installation is missing Checks: Read. The caller cannot fix it by adding PAT scopes, since the failing call isn't authenticated with the caller's PAT permission surface.

Affected version

Hosted remote MCP at https://api.githubcopilot.com/mcp/. github-mcp-server --version not available for the hosted deployment.

Steps to reproduce the behavior

  1. Authenticate the hosted Copilot MCP with a classic PAT that has repo, read:org, and SSO authorization for the org hosting a private repo.k
  2. Invoke mcp__github__pull_request_read with:
    method: get_check_runs
    owner: <org>
    repo:  <private-repo>
    pullNumber: <N>
    
  3. From a local shell using the same PAT:
    gh api /repos/<org>/<private-repo>/commits/<head-sha>/check-runs
    
    returns 200 with the full check-runs payload.

Expected vs actual behavior

Expected: MCP get_check_runs returns the same payload as the REST API.

Actual:

failed to get check runs: GET https://api.github.com/repos/<org>/<private-repo>/commits/<sha>/check-runs?page=1&per_page=30: 403 Resource not accessible by personal access token []

All other pull_request_read methods succeed against the same PR with the same token.

Logs

Error string as surfaced to the MCP client:

failed to get check runs: GET https://api.github.com/repos/<org>/<private-repo>/commits/<sha>/check-runs?page=1&per_page=30: 403 Resource not accessible by personal access token []

Notes

  • Feature was added in Add check_runs support #1942 (closed). This report is a regression / follow-up: the method is reachable but consistently 403s under hosted-MCP auth where the caller's PAT has repo.
  • Likely fix direction: ensure the hosted MCP's GitHub App installation requests Checks: Read, or document the fine-grained permission requirement alongside the tool description.

Remark: This issue was analyzed and the report was created with Claude Code.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions