Skip to content

feat: migrate from GitHub CLI to fine-grained PAT for API access #85

Description

@ichoosetoaccept

Problem

We currently build our MCP server on top of the GitHub CLI (gh), which is extremely convenient for rapid development — it handles auth, pagination, and GraphQL/REST calls out of the box.

However, gh uses the user's full GitHub OAuth scope, which grants access to:

  • All repositories (public and private)
  • All organizations
  • Account settings, SSH keys, etc.
  • Essentially "everything everywhere all at once"

This is a significant security risk for a tool that only needs to read PR review threads and resolve/reply to comments on specific repos.

Proposed Solution

Migrate to fine-grained Personal Access Tokens (PATs) or similar scoped authentication:

  • Research GitHub fine-grained PATs (repo-scoped, read/write permissions per resource)
  • Determine the minimum permissions needed (likely just pull_requests: read/write on specific repos)
  • Replace gh subprocess calls with direct GitHub API calls using a scoped token
  • Consider using httpx or aiohttp for direct API access
  • Support token configuration via environment variable (e.g. GITHUB_TOKEN)

Benefits

  • Least-privilege access — only the permissions the tool actually needs
  • Repo-scoped — users can limit access to specific repositories
  • Auditable — fine-grained PATs show up in GitHub's security log
  • No CLI dependency — removes the requirement for gh to be installed and authenticated

Notes

  • Not urgent — gh works great for development and dogfooding
  • Research phase needed to determine the best modern approach
  • Should maintain backward compatibility with gh as a fallback during transition

Scope

  • Research fine-grained PAT permissions model
  • Identify minimum required scopes for all current tool operations
  • Implement direct GitHub API client (GraphQL + REST)
  • Add token configuration (env var, config file)
  • Migration guide for existing users
  • Optional: keep gh as fallback auth method

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions