pull_request_read with method: get_check_runs returns 403 Resource not accessible by personal access token [] for a private repo that the same classic PAT can read via the plain REST API (gh pr checks / GET /repos/{owner}/{repo}/commits/{ref}/check-runs). Every other pull_request_read method (get, get_files, get_reviews, get_review_comments, etc.) works with that token on the same PR — only get_check_runs fails.
This means the method shipped via #1942 is effectively unusable against repos where the user's PAT is fine but the underlying MCP app installation is missing Checks: Read. The caller cannot fix it by adding PAT scopes, since the failing call isn't authenticated with the caller's PAT permission surface.
Affected version
Hosted remote MCP at https://api.githubcopilot.com/mcp/. github-mcp-server --version not available for the hosted deployment.
Steps to reproduce the behavior
Authenticate the hosted Copilot MCP with a classic PAT that has repo, read:org, and SSO authorization for the org hosting a private repo.
gh api /repos/<org>/<private-repo>/commits/<head-sha>/check-runs
returns 200 with the full check-runs payload.
Expected vs actual behavior
Expected: MCP get_check_runs returns the same payload as the REST API.
Actual:
failed to get check runs: GET https://api.github.com/repos/<org>/<private-repo>/commits/<sha>/check-runs?page=1&per_page=30: 403 Resource not accessible by personal access token []
All other pull_request_read methods succeed against the same PR with the same token.
Logs
Error string as surfaced to the MCP client:
failed to get check runs: GET https://api.github.com/repos/<org>/<private-repo>/commits/<sha>/check-runs?page=1&per_page=30: 403 Resource not accessible by personal access token []
Notes
Feature was added in Add check_runs support #1942 (closed). This report is a regression / follow-up: the method is reachable but consistently 403s under hosted-MCP auth where the caller's PAT has repo.
Likely fix direction: ensure the hosted MCP's GitHub App installation requests Checks: Read, or document the fine-grained permission requirement alongside the tool description.
Remark: This issue was analyzed and the report was created with Claude Code.
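One way to encode the comparison the report makes (MCP error versus a direct REST probe with the same PAT), as an added example that is not part of the original issue or of github-mcp-server. The function names and verdict labels are hypothetical; the probe status and the `X-OAuth-Scopes` header value are assumed to come from the caller's own request to the same path.

```python
import re

# Error string as quoted in the report above (placeholders left as-is).
SAMPLE_ERROR = (
    "failed to get check runs: GET https://api.github.com/repos/<org>/"
    "<private-repo>/commits/<sha>/check-runs?page=1&per_page=30: "
    "403 Resource not accessible by personal access token []"
)

ERR_RE = re.compile(
    r"(?P<verb>GET|POST|PUT|PATCH|DELETE) "
    r"https://api\.github\.com(?P<path>/[^\s?]*)(?:\?\S*)?: "
    r"(?P<status>\d{3}) (?P<message>.+?)(?: \[\])?$"
)

def parse_mcp_error(text):
    """Extract verb, REST path, status and message from an MCP tool error."""
    m = ERR_RE.search(text.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields

def triage(mcp_error, rest_status, oauth_scopes_header):
    """Heuristic: decide which side of the call lacks permission.

    rest_status         -- HTTP status of a direct GET on the same path
                           made with the caller's PAT.
    oauth_scopes_header -- X-OAuth-Scopes value from that probe (GitHub
                           sends it for classic PATs); "" if absent.
    """
    err = parse_mcp_error(mcp_error)
    if err is None:
        return "unparsed"
    if err["status"] != 403:
        return "not-a-permission-error"
    scopes = {s.strip() for s in oauth_scopes_header.split(",") if s.strip()}
    if rest_status == 200:
        # The same token reads the resource directly, so adding PAT scopes
        # cannot help; the denial is on the path the MCP server uses.
        return "server-side-permission-gap"
    if rest_status in (403, 404) and "repo" not in scopes:
        # Private repos need the classic `repo` scope for this endpoint.
        return "caller-token-missing-repo-scope"
    return "inconclusive"
```
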