Stably GitHub App Permissions
Our GitHub App powers automated exploratory testing on pull requests. It requests the smallest set of repository permissions needed to read code safely, run tests, and report results back to developers.

Permission | Access | Why we need it | Runtime behavior |
---|---|---|---|
Checks | Read & write | Let reviewers dismiss a failing run without rerunning tests. | Responds to the Ignore button on our check run by marking it as skipped. |
Issues | Read & write | Surface testing updates directly on the pull request. | Reads PR threads to locate preview URLs and posts/upserts comments, reactions, and status updates. |
Pull requests | Read-only | Understand what changed before launching tests. | Reads PR metadata and diffs to decide whether the change is testable and to build context for the agent. |
Contents | Read-only | Inspect repository structure without modifying source. | Lists branches, reads `.github/pull_request_template.md`, and issues short-lived read tokens for cloning during a run. |
Metadata | Read-only (default) | Required by GitHub for any installation. | Supports webhook payloads and repository identification; no content is stored. |
We do not request write access to repository contents, workflows, or organization settings.
Webhook events we subscribe to
- `pull_request`: Triggers autonomous testing when a PR opens, is marked ready for review, or closes.
- `issue_comment`: Watches for preview URLs or `@stablyai` mentions to start or resume a run.
- `check_run.requested_action`: Lets maintainers skip a failing run directly from the Checks tab.
- `installation` lifecycle events: Keeps our installation records in sync (created, deleted, suspended, unsuspended).
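As an added illustration, not Stably's own code, here is how a receiver can gate exactly the four events above behind GitHub's `X-Hub-Signature-256` HMAC check and drop any delivery it did not subscribe to before doing any work. The secret, the `issue_comment` action filter and the preview-URL pattern are assumptions; the page names only the events.

```python
import hashlib
import hmac
import json
import re

# Constructed secret for this example; a deployment loads it from a secret store.
WEBHOOK_SECRET = b"example-webhook-secret"

# Event/action pairs the page lists; anything else is dropped before any work starts.
# GitHub's action strings for installation suspension are "suspend"/"unsuspend";
# the issue_comment actions are an assumption (the page names only the event).
SUBSCRIBED = {
    "pull_request": {"opened", "ready_for_review", "closed"},
    "issue_comment": {"created", "edited"},
    "check_run": {"requested_action"},
    "installation": {"created", "deleted", "suspend", "unsuspend"},
}
URL_RE = re.compile(r"https?://\S+")  # crude preview-URL detector (assumption)


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this exact raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_webhook(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> tuple:
    """Return (decision, detail). The HMAC is checked before the body is parsed."""
    provided = headers.get("X-Hub-Signature-256", "")
    if not hmac.compare_digest(sign(body, secret), provided):
        return ("reject", "bad signature")
    event = headers.get("X-GitHub-Event", "")
    payload = json.loads(body)
    action = payload.get("action", "")
    if action not in SUBSCRIBED.get(event, ()):
        return ("ignore", f"{event}.{action}")
    if event == "pull_request":
        return ("start_run", payload["pull_request"]["number"])
    if event == "issue_comment":
        text = payload["comment"]["body"]
        if "@stablyai" in text or URL_RE.search(text):
            return ("resume_run", payload["issue"]["number"])
        return ("ignore", "comment without trigger")
    if event == "check_run":
        # The Ignore button arrives as requested_action carrying the button's identifier.
        return ("skip_run", payload["requested_action"]["identifier"])
    return ("sync_installation", action)
```

Signature verification runs on the raw bytes before `json.loads`, so a tampered or unsigned delivery never reaches the event routing.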
Installation tokens & repository access hygiene
- Every explorative test run requests a fresh installation token scoped to `contents: read` only.
- Tokens are discarded immediately after the run finishes.
- No long-lived repo credentials are stored in our systems.
GitHub data we store
- Installation metadata: installation ID, owning account, and the repo/branch configured for testing.
- Test annotations: PR number, run status, preview URLs already processed.
- We never persist raw repository contents or user OAuth tokens.
What we never do
- Push commits, merge pull requests, or edit repository files.
- Access organization members, secrets, or billing data.
- Call GitHub APIs outside the scopes listed above.
Questions or security reviews? Reach us at security@stably.ai. We can also provide SOC 2 and penetration-test summaries under NDA.