Contributor

Copilot AI commented Jan 13, 2026

Created comprehensive reference mapping GitHub MCP Server tools to required token permissions, clarifying which operations work with default GITHUB_TOKEN versus requiring PATs, with detailed guidance on choosing between classic and fine-grained Personal Access Tokens.

New Documentation

Added specs/github-mcp-server-token-requirements.md (545 lines) covering:

  • Personal Access Token Types - Comprehensive section on classic vs fine-grained PATs:
    • Classic PATs: Account-wide scope, required for user-owned Projects V2
    • Fine-grained PATs: Repository-specific, recommended for most scenarios with better security
    • Decision table mapping common scenarios to appropriate token types
    • Security considerations and best practices for each type
  • 18 toolsets analyzed - Each tool marked with ✅ (default token), ⚠️ (explicit permission needed), or ❌ (PAT required)
  • Critical findings:
    • GitHub Projects V2: All 9 tools require PAT (project scope unavailable to GITHUB_TOKEN)
    • User-owned Projects V2: Classic PAT required (fine-grained PATs do not work)
    • Organization Projects V2: Fine-grained PAT recommended
    • Security toolsets: Code scanning, Dependabot, secret scanning all require PAT
    • Organization operations: Team/org access requires PAT with read:org
    • Read operations: Most work with default read-only permissions
    • Write operations: Require explicit permission grants (recommend safe outputs instead)

Structure

## Understanding GitHub Actions Token Permissions
- Default permissions (read-only since 2023)
- Limitations and special cases

## Personal Access Token Types
- Classic PATs: characteristics, when to use, security considerations
- Fine-grained PATs: characteristics, when to use, security advantages
- Decision table for common scenarios
- Best practices and documentation links

## Tool Requirements by Toolset
### Actions (14 tools)
- ✅ download_workflow_run_artifact
- ⚠️ cancel_workflow_run (needs actions: write)
...

### Projects (9 tools)
- ❌ ALL tools require PAT (project scope unavailable)
...

## Quick Reference: Tools Requiring PAT
- Organization/Team (5 tools)
- Projects V2 (ALL 9 tools)
- Security features (8+ tools)
...

## Recommendations
- Read-only workflows: use defaults
- Write operations: use safe outputs
- Advanced features: configure appropriate PAT

Document cross-references existing permissions, tokens, and tools documentation with actionable configuration examples and links to GitHub's official PAT documentation.

Original prompt

Based on the GitHub MCP Server documentation and comparing to our tools: github: toolsets:, create a table to show which tools fall outside the GitHub Actions GITHUB_TOKEN and defaults.



Copilot AI and others added 3 commits January 13, 2026 06:30
…table

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
@mnkiefer
Contributor

@copilot Also consider what this means for token types (classic, fine-grained, etc.), see:
https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens

Copilot AI changed the title from "[WIP] Create comparison table for GitHub Actions tools" to "Add GitHub MCP Server token requirements reference" on Jan 13, 2026
Copilot AI requested a review from mnkiefer January 13, 2026 06:46
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 13, 2026

@copilot Also consider what this means for token types (classic, fine-grained, etc.), see:
https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access...

Added a comprehensive "Personal Access Token Types" section covering classic vs fine-grained PATs with:

  • Characteristics and security considerations for each type
  • When to use classic PATs (required for user-owned Projects V2)
  • When to use fine-grained PATs (recommended for most scenarios)
  • Decision table mapping common scenarios to appropriate token types
  • Links to GitHub documentation and internal tokens reference

See commit 3d073f0 for the changes.

Copilot AI changed the title from "Add GitHub MCP Server token requirements reference" to "Add GitHub MCP Server token requirements reference with PAT type guidance" on Jan 13, 2026
@mnkiefer
Contributor

  • Closing as refs change too frequently for this to be useful.
