GitHub App Scopes
Understanding OAuth scopes vs. GitHub App permissions and how to audit them.
GitHub App Permissions vs. OAuth Scopes
WorkerRun uses a GitHub App, not an OAuth App. GitHub Apps use fine-grained, repository-level permissions rather than broad OAuth scopes. This means WorkerRun only has access to the specific resources it needs, and only for the repositories where it is installed.
Unlike OAuth scopes (which grant access to all repositories a user can access), GitHub App permissions are scoped to individual repositories selected during installation. You choose exactly which repositories WorkerRun can access.
Requested Permissions
| Permission | Level | Reason |
|---|---|---|
| Contents | Read | Read workflow YAML files from the repository |
| Checks | Write | Create and update check runs to report job pass/fail status |
| Pull requests | Read | Access PR metadata including labels, reviewers, and changed files |
How to Audit Permissions
You can review and manage WorkerRun's access at any time through GitHub:
- Go to GitHub Settings → Integrations → Applications
- Find WorkerRun in the list of installed apps
- Click Configure to view:
  - Which repositories WorkerRun has access to
  - The exact permissions granted
  - Recent activity and webhook deliveries
- Adjust repository access or revoke the app entirely from this page
Minimal permissions by design: WorkerRun never requests write access to your code, admin permissions, or access to organization settings. You can verify this at any time in your GitHub App settings.
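The same audit can be scripted. The following is an added example, not WorkerRun's own code: it compares an installation object, in the shape GitHub's REST API returns from its app-installation listing endpoints, against the permissions table above. The `app_slug` value and both sample objects are constructed, and treating read-only `metadata` as implicitly granted is an assumption.

```python
import json

# Permissions documented in the table above (GitHub API key -> level).
DOCUMENTED = {"contents": "read", "checks": "write", "pull_requests": "read"}
# Assumption: GitHub adds read-only "metadata" to apps with repository permissions.
IMPLICIT = {"metadata": "read"}
LEVEL_RANK = {"read": 1, "write": 2, "admin": 3}


def audit_installation(installation):
    """Return a list of findings; an empty list means the grant matches the docs."""
    findings = []
    allowed = {**DOCUMENTED, **IMPLICIT}
    granted = installation.get("permissions", {})
    for name, level in sorted(granted.items()):
        if name not in allowed:
            findings.append(f"undocumented permission: {name}={level}")
        elif LEVEL_RANK.get(level, 99) > LEVEL_RANK[allowed[name]]:
            # Unknown levels rank as 99 so they are flagged rather than ignored.
            findings.append(f"{name} is {level}, documented as {allowed[name]}")
    for name in sorted(DOCUMENTED):
        if name not in granted:
            findings.append(f"documented permission not granted: {name}")
    if installation.get("repository_selection") == "all":
        findings.append("installed on all repositories, not a selected subset")
    return findings


# Constructed samples; "workerrun" as the app slug is a placeholder.
SAMPLE_OK = json.loads("""{
  "app_slug": "workerrun", "repository_selection": "selected",
  "permissions": {"contents": "read", "checks": "write",
                  "pull_requests": "read", "metadata": "read"}}""")
SAMPLE_DRIFT = json.loads("""{
  "app_slug": "workerrun", "repository_selection": "all",
  "permissions": {"contents": "write", "checks": "write",
                  "pull_requests": "read", "metadata": "read",
                  "administration": "read"}}""")

if __name__ == "__main__":
    for label, inst in (("ok", SAMPLE_OK), ("drift", SAMPLE_DRIFT)):
        print(label, audit_installation(inst) or "matches documented permissions")
```

Run it on a schedule against a saved copy of the installation JSON to catch a permission upgrade or a switch to all repositories between manual reviews.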