What permission does a GitHub Action need to call GraphQL enablePullRequestAutoMerge?

I’m setting permissions on my workflows, and this is an OK experience for the REST API as the permissions required are mostly documented there. However, the GraphQL API documentation doesn’t describe the permissions required for the calls.

I am trying to set permissions for a workflow that enables automerge, which is via the GraphQL API: https://docs.github.com/en/graphql/reference/mutations#enablepullrequestautomerge though there are many similar, and the few that document the requirements on the token ask for full ‘repo’ access.

I’m not convinced that the token needs ‘repo’; perhaps it’s just pull_request: write? But I can’t tell without experimenting with the workflow config and retriggering them, and I’m not keen to do that – does anyone know the answer, and/or know where the GraphQL permissions are documented?

Further to that; is there a mapping of the permissions documented here: Authentication in a workflow - GitHub Docs to the token scopes you choose when Creating a Personal Access Token?

(I’d link to the last document, but this tool won’t let me post more than two URLs.)

I filed a bug in response to a similar item:
