What permission does a Github Action need to call graphql enablePullRequestAutoMerge? #24686

Aug 26, 2021 · 3 answers

I’m setting permissions on my workflows, and this is an OK experience for REST API as the permissions required are mostly documented there. However the GraphQL API documentation doesn’t describe the permissions required for the calls.

I am trying to set permissions for a workflow that enables automerge, which is via the GraphQL API: https://docs.github.com/en/graphql/reference/mutations#enablepullrequestautomerge though there are many similar, and the few that document the requirements on the token ask for full ‘repo’ access.

I’m not convinced that the token needs ‘repo’; perhaps it’s just pull_request: write? But I can’t tell without experimenting with the workflow config and retriggering them, and I’m not keen to do that – does anyone know the answer, and/or know where the GraphQL permissions are documented?

Further to that; is there a mapping of the permissions documented here: Authentication in a workflow - GitHub Docs to the token scopes you choose when Creating a Personal Access Token?

(I’d link to the last document, but this tool won’t let me post more than two URLs.)

Replies

I filed a bug in response to a similar item:

https://github.com/github/docs/issues/8925

GraphQL API content does not appear to explain required permissions

opened 03:33AM - 10 Aug 21 UTC by jsoref (https://github.com/jsoref)
label: content

### Code of Conduct

  • I have read and agree to the GitHub Docs project's Code of Conduct.

What article on docs.github.com is affected?

https://docs.github.com/en/graphql/guides/forming-calls-with-graphql#authenticating-with-graphql

What part(s) of the article would you like to see updated?

#authenticating-with-graphql

The section that talks about authentication really doesn't help understand what permissions one needs to do things

A forum post asked about converting a PR to/from draft.

Additional information

The v3 API has a long page that makes it possible to try to figure out what permissions one might need:
https://docs.github.com/en/rest/reference/permissions-required-for-github-apps#permission-on-pull-requests

But, I really can't find any equivalent for the v4 api.

For reference, here's the mutation in question:
https://docs.github.com/en/graphql/reference/mutations#convertpullrequesttodraft


With some trial-and-error in a test repository, I found the minimum permissions to execute the enablePullRequestAutoMerge mutation are:

permissions:
  contents: write
Answer selected
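
A complete workflow built around the permission reported in the answer above, as an added example that is not from any of the posts in this thread. The workflow and job names, the trigger types, the fork guard and the SQUASH merge method are assumptions, and the repository must already allow auto-merge in its settings.

```yaml
# Added example: names, trigger and merge method are assumptions, not from the thread.
name: enable-auto-merge

on:
  pull_request:
    types: [opened, reopened, ready_for_review]

# Start from no permissions at the workflow level and grant per job.
permissions: {}

jobs:
  automerge:
    runs-on: ubuntu-latest
    # Pull requests from forks receive a read-only GITHUB_TOKEN, so skip them.
    if: github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      contents: write   # the minimum reported in the selected answer
    steps:
      - name: Enable auto-merge via GraphQL
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through the environment instead of being interpolated into the script.
          PR_NODE_ID: ${{ github.event.pull_request.node_id }}
        run: |
          gh api graphql \
            -f query='
              mutation($id: ID!) {
                enablePullRequestAutoMerge(input: {pullRequestId: $id, mergeMethod: SQUASH}) {
                  pullRequest { number autoMergeRequest { enabledAt } }
                }
              }' \
            -f id="$PR_NODE_ID"
```

Setting `permissions: {}` at the top level means any job added later gets no token scopes unless it declares its own.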

Confirmed that contents: write is the necessary permission. Thanks!
