App Permissions: write Pull Requests but not Code?

[lancedolan]

🏷️ Discussion Type

Question

💬 Feature/Topic Area

Apps

Body

Is there a way to control App permissions with more fine-grained granularity?
Is it possible to give my Github App permissions to READ/WRITE Pull Requests, but only READ to Code (not write)?

My Example:
Screenshot below shows READ/WRITE permissions on my Cursor app, which includes READ/WRITE to "code" and also "pull requests." I believe this means the app can technically edit code directly to my repo. I want its only path to contribute to be constrained to pull requests, and not to edit any repo code directly.

[yegost]

GitHub doesn’t currently support that level of fine-grained separation between “code” and “pull requests” permissions in the way you’re hoping.

“Pull requests (write)” requires “Contents (write)” under the hood.
So if an app can create/update PRs, it can technically push code.

Best workaround:
Enable branch protection rules (no direct pushes to main, require PR reviews)
Limit the app to only selected repos (like you did)

That way, the app can write code, but can’t bypass your PR review process.

[anshk1234]

Unfortunately, GitHub doesn't support that level of fine-grained separation natively — but here's a fuller picture of why, and what you can actually do about it:

Why the limitation exists:
Creating or updating a Pull Request requires the app to reference commits and branches, which are part of the Contents (code) permission scope. GitHub's permission model bundles these together, so Pull Requests: Write implicitly depends on Contents: Read at minimum. However, you're right to be concerned — Contents: Write means the app can push commits directly to branches, not just open PRs.

Best ways to constrain the app in practice:

1. Enable Branch Protection Rules on your important branches
   Go to Settings → Branches → Add rule for main (or any protected branch) and enable:

   • ✅ Require a pull request before merging
   • ✅ Require approvals (at least 1 human reviewer)
   • ✅ Restrict who can push to matching branches (exclude the app)

   This means even if the app has Contents: Write, it physically cannot push directly to main — it can only contribute via PRs.

2. Use Ruleset (newer & more powerful than branch protection)
   Go to Settings → Rules → Rulesets and create a ruleset that:

   • Targets all branches or specific ones
   • Blocks direct pushes from the app's actor specifically
   • Still allows PR creation

   Rulesets let you target specific apps/bots by actor, which gives you more precise control than classic branch protection.

3. Limit the app to only selected repositories
   Which it sounds like you've already done ✅ — keep it that way.

4. Audit the app's activity via the audit log
   Under Settings → Audit log, you can filter by the app name and monitor exactly what actions it's taking on your repo.

Bottom line: You can't remove the technical capability of the app to write code, but with branch protection + rulesets, you can make it impossible for it to bypass your PR review process. That's the practical equivalent of what you're looking for. Hope that helps! 🙌

[Rajesh-sahu762]

"Write Pull Requests but not Code" ka matlab hai ki app pull requests create aur manage kar sakta hai, lekin direct repository ke code ko modify ya push nahi kar sakta.

[lancedolan]

Makes sense, ty 🙏