GitHub fine-grained PAT scopes for repod

repod accepts only fine-grained personal access tokens (FGPATs) for new org connections and token rotation. Do not use Tokens (classic) -- those use legacy scopes like repo / admin:org and do not match repod's permission checks or least-privilege recommendations.

Related guide: GitHub org permissions governance guide.

Create the token (GitHub UI checklist)

  1. Go to Settings -> Developer settings -> Personal access tokens -> Fine-grained tokens.
  2. Set Resource owner to the organization you want repod to sync (not your personal account).
  3. Set an Expiration (shorter is better; rotate regularly).
  4. Set Repository access:
    • All repositories (recommended for accurate org-wide mapping), or
    • Only select repositories (repod will show coverage gaps for repos not included).

If your org requires approval for fine-grained PATs, an org owner may need to approve the token request before it works.

Permission boundary summary

Select permissions

Core sync and reporting (repod read mode)

Use these permissions for connecting an org, syncing repositories/teams, showing org maps, and producing governance reports.

AreaPermissionLevelWhy repod needs it
OrganizationAdministrationReadRead org-level settings such as base repository permission.
OrganizationMembersReadRead teams, team membership, and team-repo access.
RepositoryMetadataReadList repositories and retain stable GitHub repository IDs.

Apply repo-to-team permission changes (repod write mode)

Use this only if you want repod to apply changes like:

Required permissions

AreaPermissionLevel
OrganizationMembersRead
OrganizationOrganization private repositoriesRead
RepositoryMetadataRead
RepositoryAdministrationRead and write

GitHub's Add or update team repository permissions (and removal) requires Administration (write) + Members (read) + Metadata (read).

Repo Metadata Planner

Use these permissions when exporting, previewing, or applying repository names and GitHub custom property values.

Required permissions

WorkflowAreaPermissionLevel
Export / previewOrganizationCustom propertiesRead
Export / previewRepositoryMetadataRead
Install / update property packOrganizationCustom propertiesRead and write
Apply custom property valuesRepositoryCustom propertiesRead and write
Apply repository renamesRepositoryAdministrationRead and write

repod validates Organization -> Custom properties: Read before export/preview, Organization -> Custom properties: Write before installing the governance property pack, and Repository -> Custom properties: Write before applying non-empty metadata changes.

Optional add-on: Team management (CRUD) in the organization

Enable this only if you want repod (or your automation) to manage teams themselves, e.g.:

Add this permission on top

Organization permissions

Why

Notes: This is a meaningful increase in power. Use a dedicated machine user and rotate aggressively.

Important boundary: Members write is also the GitHub permission used for organization invitations and membership changes. repod's Team management feature is intended for teams and team membership, but customers should not grant this mode if their security requirement is "repod's GitHub credential cannot invite organization users."

Troubleshooting (permission-to-symptom mapping)

Tip: GitHub REST responses may include X-Accepted-GitHub-Permissions, which tells you exactly what permission(s) the endpoint expects.

Mapping from classic PAT scopes (for clarity only)

Once PAT scopes are working, continue with our GitHub org permissions governance guide to shape the wider operating model.