Skip to content

docs: fine-grained GitHub PAT permissions + manual webhook setup#1400

Open
jkwiecien-solvd wants to merge 2 commits into
mongrel-intelligence:devfrom
jkwiecien-solvd:docs/github-token-permissions
Open

docs: fine-grained GitHub PAT permissions + manual webhook setup#1400
jkwiecien-solvd wants to merge 2 commits into
mongrel-intelligence:devfrom
jkwiecien-solvd:docs/github-token-permissions

Conversation

@jkwiecien-solvd

@jkwiecien-solvd jkwiecien-solvd commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

What

Documents the exact GitHub token permissions Cascade needs, and a manual webhook-creation fallback.

The getting-started guide previously said only to create tokens "with `repo` scope". That's misleading for fine-grained PATs, which ignore the `repo` scope and the repository admin role — they require explicit per-permission grants. In practice this means:

  • Webhook creation fails with `403 Resource not accessible by personal access token` when the Webhooks permission is missing (even on a repo where the token's account is admin).
  • Agent actions break at runtime without Contents / Pull requests / Issues / Actions.

Changes (docs/getting-started.md)

  • Step 6 (GitHub bot tokens): replaced the one-liner with a per-token, per-permission table (implementer vs reviewer) covering both classic and fine-grained tokens. Derived from the actual API surface in src/github/client.ts:
    • Reviews are submitted under Pull requests (there is no separate Reviews permission).
    • PR comments go through the Issues API (issues.createComment/updateComment/deleteComment).
    • CI status is read via the Actions API, not Checks.
    • Added an explicit "leave unset" list (Commit statuses, Checks, Deployments, etc.).
  • Step 9 (Set Up Webhooks): added a manual curl webhook-creation block for local/ngrok setups, noting the callback URL must target the router (:3000), not the dashboard (:3001), and that a 403 means the Webhooks permission is missing.

Why

Docs-only. Closes a real setup papercut: the prior guidance led to repeated 403s when registering the GitHub webhook with a fine-grained token.

🤖 Generated with Claude Code

jkwiecien-solvd and others added 2 commits June 12, 2026 11:00
@jkwiecien-solvd @claude
docs: document fine-grained GitHub PAT permissions + manual webhook s…
4d4c70b 
…etup

The getting-started guide only said to create tokens "with `repo` scope",
which is misleading for fine-grained PATs — they ignore `repo` and the repo
admin role, requiring explicit per-permission grants. Missing the Webhooks
permission produces a 403 on webhook creation; missing Contents/Pull
requests/Issues/Actions breaks agent actions at runtime.

- Step 6: per-token, per-permission table (implementer vs reviewer) for both
  classic and fine-grained tokens, derived from the API surface in
  src/github/client.ts (reviews live under Pull requests; PR comments use the
  Issues API; CI status uses the Actions API, not Checks). Includes an
  explicit "leave unset" list.
- Step 9: manual `curl` webhook-creation fallback for local/ngrok setups,
  noting the callback must target the router (:3000) not the dashboard
  (:3001), and that 403 means the Webhooks permission is missing.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@zbigniewsobiecki
Merge branch 'dev' into docs/github-token-permissions
2fa6785
zbigniewsobiecki
zbigniewsobiecki requested changes Jun 12, 2026
View reviewed changes

@zbigniewsobiecki zbigniewsobiecki left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Really useful table — and the claims hold up against the actual client surface (issues.createComment for PR comments, reviews under pulls.createReview, CI via the Actions API). Two small factual fixes before merge:

  1. The Webhooks row says "One-time webhook creation (step 7)" — webhook setup is step 9 (your classic-token paragraph already references step 9 correctly).
  2. The manual curl example includes "push" in the events array, but the programmatic path registers exactly GITHUB_WEBHOOK_EVENTS (src/api/routers/webhooks/github.ts:6): pull_request, pull_request_review, pull_request_review_comment, check_suite, issue_comment — no push. Could you drop it so the manual fallback matches what CASCADE actually subscribes to?

With those two, happy to merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zbigniewsobiecki zbigniewsobiecki zbigniewsobiecki requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jkwiecien-solvd @zbigniewsobiecki