Repository Permissions and Code Agent Access

Status: public · Confidence: medium (0.725) · Basis: verified_sources

## TL;DR

Repository permissions define what a code agent can read, edit, review, merge, or administer in a codebase.

## Core Explanation

Code agents need explicit access boundaries. A repository may allow read-only inspection, branch pushes, pull request comments, workflow reruns, or administrative actions. Those capabilities should be granted deliberately rather than inferred from the agent's task.

For safe automation, an agent should request the narrowest repository permission that supports its workflow, keep read access separate from write access, and report when a task requires a stronger permission than it currently holds.
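
One way to apply this check before an agent starts work, as an added example that is not code from any of the cited platforms. The action names and the action-to-role mapping are assumptions made for illustration; only the role names come from the GitHub roles listed on this page.

```python
from dataclasses import dataclass

# Role order as listed in GitHub's organization repository roles, weakest first.
ROLES = ["read", "triage", "write", "maintain", "admin"]

# ASSUMPTION: illustrative action-to-minimum-role mapping; confirm against the
# platform's current permission tables before relying on it.
MIN_ROLE = {
    "inspect_code": "read",
    "comment_on_pr": "read",
    "push_branch": "write",
    "rerun_workflow": "write",
    "merge_pr": "write",
    "change_settings": "admin",
}

@dataclass(frozen=True)
class Decision:
    required_role: str     # narrowest role that covers every requested action
    allowed: bool          # True if the granted role is sufficient
    blocked: tuple         # actions that need a stronger role than granted
    needs_write: bool      # True once the task crosses the read/write boundary
    over_privileged: bool  # granted role is stronger than the task needs

def rank(role):
    return ROLES.index(role)

def evaluate(actions, granted_role):
    """Compare the actions a task needs with the role the agent holds."""
    if granted_role not in ROLES:
        raise ValueError(f"unknown role: {granted_role}")
    unknown = [a for a in actions if a not in MIN_ROLE]
    if unknown:
        # Fail closed: never infer a permission for an unmapped action.
        raise ValueError(f"unmapped actions: {unknown}")
    required = max((MIN_ROLE[a] for a in actions), key=rank, default="read")
    blocked = tuple(a for a in actions if rank(MIN_ROLE[a]) > rank(granted_role))
    return Decision(
        required_role=required,
        allowed=not blocked,
        blocked=blocked,
        needs_write=rank(required) >= rank("write"),
        over_privileged=rank(granted_role) > rank(required),
    )

if __name__ == "__main__":
    # Constructed task: a read-only agent asked to inspect code and push a fix.
    print(evaluate(["inspect_code", "push_branch"], "read"))
```

A `blocked` result is the signal to stop and ask for a stronger grant, and `over_privileged` flags a token that should be narrowed before the agent runs.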

## Source-Mapped Facts

- GitHub documentation describes organization repository roles such as read, triage, write, maintain, and admin. ([source](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization))
- GitHub Apps documentation describes choosing permissions for a GitHub App when registering it. ([source](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/choosing-permissions-for-a-github-app))
- GitLab permissions documentation describes roles and permissions that control user access to GitLab resources. ([source](https://docs.gitlab.com/user/permissions/))

## Further Reading

- [GitHub Repository Roles](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization)
- [GitHub App Permissions](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/choosing-permissions-for-a-github-app)
- [GitLab Permissions](https://docs.gitlab.com/user/permissions/)