GitHub App permission scopes not consistent between GraphQL and REST API

The GitHub App metadata read-only scope (Search repositories, list collaborators, and access repository metadata.) provides access to the default branch of a repository, for example at the endpoint GET /orgs/{org}/repos (Permissions required for GitHub Apps - GitHub Docs). However, the GraphQL query below throws the error “GraphqlError: Resource not accessible by integration”. Removing “defaultBranchRef” from the query below works fine. If the content permission scope on the app is set to read only, the query below works. We plan to remove the content permission scope of our app because the metadata read-only scope should offer the necessary permissions to access what we need according to the docs. Why does it not work?

query {
  viewer {
    repositories(first: 100) {
      nodes {
        name
        # Selecting this field is what triggers the error with metadata read-only
        defaultBranchRef {
          name
        }
      }
    }
  }
}