"Enable you to trigger actions in GitHub"

Hi, I’m developing a GitHub app, and when users authenticate for the app, they see the following:


Which app setting causes the “Actions” access request? Looking at the app permissions, the only user permission that is requested is Email.

Thanks :smile:


:wave: @oadk––welcome to the GitHub Support Community, and thanks for raising this question here! :sunglasses:

In a GitHub App’s Settings, there’s a Permissions & events tab outlining the different permissions the application requests access to. For this particular case:

  • Actions is scoped under Repository permissions
  • Email addresses is scoped under User permissions

Out of curiosity, are you seeing Actions requested despite its level of access being set to No access under Repository permissions? If so, please confirm that with us and we can take the next steps around how and/or why that might be the case. :male_detective:


Hi @francisfuzz thanks for your reply :smile:

Out of curiosity, are you seeing Actions requested despite its level of access being set to No access under Repository permissions?

Yes, that is exactly the problem, and it’s why I was surprised to see “Actions” access request. Here’s a screenshot from the Permissions and Events tab of my app:

Thanks for your help

@oadk - Thanks for clarifying! Our team recently deployed an update to GitHub.com so that message about requesting Actions shouldn’t be shown there unless the permission is set. Could I ask that you please check again and let us know if you’re still seeing that view?

Hi @francisfuzz, the screen looks a bit different now, but instead of Actions, it now says Act on your behalf, which is still unexpected, as the only user permission requested is Email addresses.


@oadk - That’s a great question! I reached out to our engineers about this internally so they can offer their input on what the implications of having that “Act on your behalf” means if the app is granted that authorization. As soon as I get an update, I’ll follow up here. :v:


Great, thank you @francisfuzz! :smile:

Hi @francisfuzz did you get an update on this? It seems that people trying to install my app are still seeing “Act on your behalf”, and it’s causing some of them to abort the app installation, as they don’t know what this permission means.

TBH I can understand why they find it concerning.

Do you know which permissions cause “act on your behalf” to be shown?


Some relevant information from @lee-dohm in this thread: Why does this forum need permission to act on my behalf?

Because of the way GitHub Apps work for this sign-in-as scenario (or other user-to-server applications), it has the ability to act on your behalf or know which resources you can access, but only within the scope of the permissions we’ve requested, in other words verifying your identity and reading your account’s email address.

We understand that this is poorly and confusingly worded for this kind of scenario. We’ve given this feedback to the team that is responsible for how this dialog is designed. We’ll be working with them to improve it to hopefully make it more clear and understandable as to what exactly is being requested so that you can be more confident in the decision you’re being asked to make.

This change is really needed. As I mentioned above, the current wording is causing users to abort installation of my app. (I was lucky enough to get direct feedback from some of them about this, but I hate to think how many have aborted the install without telling me). The problem must be affecting many apps.

@lee-dohm do you know what the current status of the wording change is?

Currently, there’s nothing to report and, unfortunately, we can’t give an ETA on when this change might happen. Your best bet is to keep an eye on the GitHub Changelog and the GitHub Public Roadmap.


Hi @lee-dohm, thanks for the update. It’s disappointing that there isn’t anything to report. I’ve checked the issues in the roadmap, but unfortunately can’t see an entry for this problem. It must be affecting thousands of apps and tens of thousands of users every day.

I understand that this isn’t something you have control over personally, and I appreciate your efforts with looking into it (indeed, it sounds like you’ve already given the team some constructive feedback about a redesign of the dialog - great stuff!!). If there’s anything you can do to raise the priority of this issue with the other team, that would be very much appreciated :smile:


I found this thread because I saw an app request “Act on your behalf” on authentication and went googling to find out what that meant exactly. It is extremely poorly worded. Ironically, when I went to leave this reply in this thread, the GitHub community forum app also requested “Act on your behalf” permission. :confused:


Unfortunately I’ve had more users contact me who are worried by the “Act on your behalf” text.

@lee-dohm I wonder if you could confirm whether the current wording is considered a bug?

If it’s not considered a bug, please could your earlier explanation (Because of the way GitHub Apps work [...]) be added to some official GitHub documentation that we can direct users to?

I’m currently having to direct worried users to this thread (or Why does this forum need permission to act on my behalf? ) so they can see the official GitHub explanation of why the app is seemingly requesting scary permissions.

(Of course, the correct solution would be to reword the dialog, but as there is unfortunately no ETA on that, I’m trying to find a workaround).


The current wording is not considered a bug.

I will make the request, but again I won’t be able to give any sort of confirmation or ETA of when such a change would be made.

Hi @lee-dohm thank you for passing on the request. I totally understand that it’s not in your hands, so you can’t give confirmation or ETAs.

(I’m still crossing my fingers that the team will skip this documentation and instead implement your suggestions for rewording the dialog, as that is a far cleaner solution! :crossed_fingers: ).

Thanks again, and good luck :smile: :+1:


Any update on this? Terrible experience to have to interpret ‘Act on your behalf’ - it makes absolutely no sense.


@lee-dohm why would this not be a bug? It says something different than it does, and it has significant impact on users that try to use it.

Anyways, bug or not, how can we upvote this or bring it more into the light? There is no request for a change in behaviour, just in wording (or an extra link to some more documentation). So this is one of those “very tiny things that are quite important”. Easy win? :stuck_out_tongue:


If adding another voice to this chorus helps, this is one!

And a few more here: My YC company is a GitHub app [1] and the "act on your behalf" thing is just a r... | Hacker News

I think I understand the reasoning behind the current wording - OAuth tokens are more or less meant for “acting on someone’s behalf” - but as the number of comments here and in other threads indicates, it’s still very confusingly and worryingly worded. At the very least, the “Resources on your account” could be made more clearly restrictive - e.g.:

  • Verify your GitHub identity (garnix-bot)
  • Know which resources you can access
  • Act on your behalf

In the following ways:

  • Email address (read)

Just found this thread and the other thread on the subject after Googling because I was concerned when GitHub Classroom needed permission to “Act on my behalf”.

This is quite a mess. The wording is very misleading.

This suggestion to use the phrase “Act on your behalf in the following ways:” and then list the actual permissions is a good suggestion. I think this should be pretty high priority, but it seemingly is not.