Reconcile FGP annotations to docs-authoritative permissions

SamMorrowDrums · Copilot · SamMorrowDrums · commit 5e4e61464d86 · 2026-06-12T19:56:46.000+02:00
Verify per-tool fine-grained permissions against the GitHub REST docs'
embedded permission sets (progAccess.permissions):

- merge_pull_request: contents:write only (was contents:write AND
  pull_requests:write)
- update_pull_request_branch: pull_requests:write only (was contents:write
  AND pull_requests:write)
- list_repository_collaborators: metadata:read (was administration:read)
- create_repository: re-add administration:write
- fork_repository: re-add administration:write AND contents:read

Regenerate docs/permissions-filtering.md (55 rows; idempotent).

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/docs/permissions-filtering.md b/docs/permissions-filtering.md
@@ -80,14 +80,16 @@ The generated table below is produced by `script/generate-docs` and lists every
 | `pull_requests` | `add_reply_to_pull_request_comment` | `pull_requests:write` |
 | `pull_requests` | `create_pull_request` | `pull_requests:write` |
 | `pull_requests` | `list_pull_requests` | `pull_requests:read` |
-| `pull_requests` | `merge_pull_request` | `contents:write AND pull_requests:write` |
+| `pull_requests` | `merge_pull_request` | `contents:write` |
 | `pull_requests` | `pull_request_read` | `pull_requests:read` |
 | `pull_requests` | `pull_request_review_write` | `pull_requests:write` |
-| `pull_requests` | `update_pull_request_branch` | `contents:write AND pull_requests:write` |
+| `pull_requests` | `update_pull_request_branch` | `pull_requests:write` |
 | `pull_requests` | `update_pull_request` | `pull_requests:write` |
 | `repos` | `create_branch` | `contents:write` |
 | `repos` | `create_or_update_file` | `contents:write` |
+| `repos` | `create_repository` | `administration:write` |
 | `repos` | `delete_file` | `contents:write` |
+| `repos` | `fork_repository` | `administration:write AND contents:read` |
 | `repos` | `get_commit` | `contents:read` |
 | `repos` | `get_file_contents` | `contents:read` |
 | `repos` | `get_latest_release` | `contents:read` |
@@ -96,7 +98,7 @@ The generated table below is produced by `script/generate-docs` and lists every
 | `repos` | `list_branches` | `contents:read` |
 | `repos` | `list_commits` | `contents:read` |
 | `repos` | `list_releases` | `contents:read` |
-| `repos` | `list_repository_collaborators` | `administration:read` |
+| `repos` | `list_repository_collaborators` | `metadata:read` |
 | `repos` | `list_tags` | `contents:read` |
 | `repos` | `push_files` | `contents:write` |
 | `secret_protection` | `get_secret_scanning_alert` | `secret_scanning_alerts:read` |
diff --git a/pkg/github/pullrequests.go b/pkg/github/pullrequests.go
@@ -1434,7 +1434,7 @@ func MergePullRequest(t translations.TranslationHelperFunc) inventory.ServerTool
 			}
 
 			return utils.NewToolResultText(string(r)), nil, nil
-		}).WithPermissions(permissions.Require(permissions.PullRequests.Write(), permissions.Contents.Write()))
+		}).WithPermissions(permissions.Require(permissions.Contents.Write()))
 }
 
 // SearchPullRequests creates a tool to search for pull requests.
@@ -1591,7 +1591,7 @@ func UpdatePullRequestBranch(t translations.TranslationHelperFunc) inventory.Ser
 			}
 
 			return utils.NewToolResultText(string(r)), nil, nil
-		}).WithPermissions(permissions.Require(permissions.PullRequests.Write(), permissions.Contents.Write()))
+		}).WithPermissions(permissions.Require(permissions.PullRequests.Write()))
 }
 
 type PullRequestReviewWriteParams struct {
diff --git a/pkg/github/repositories.go b/pkg/github/repositories.go
@@ -676,7 +676,7 @@ func CreateRepository(t translations.TranslationHelperFunc) inventory.ServerTool
 
 			return utils.NewToolResultText(string(r)), nil, nil
 		},
-	)
+	).WithPermissions(permissions.Require(permissions.Administration.Write()))
 }
 
 // FetchRepoIsPrivate returns whether a repository is private. It is a thin
@@ -986,7 +986,7 @@ func ForkRepository(t translations.TranslationHelperFunc) inventory.ServerTool {
 
 			return utils.NewToolResultText(string(r)), nil, nil
 		},
-	)
+	).WithPermissions(permissions.Require(permissions.Administration.Write(), permissions.Contents.Read()))
 }
 
 // DeleteFile creates a tool to delete a file in a GitHub repository.
@@ -2795,5 +2795,5 @@ func ListRepositoryCollaborators(t translations.TranslationHelperFunc) inventory
 			callResult = attachStaticIFCLabel(ctx, deps, callResult, ifc.LabelCollaboratorRoster())
 			return callResult, nil, nil
 		},
-	).WithPermissions(permissions.Require(permissions.Administration.Read()))
+	).WithPermissions(permissions.Require(permissions.Metadata.Read()))
 }

Original file line number	Diff line number	Diff line change
`@@ -1434,7 +1434,7 @@ func MergePullRequest(t translations.TranslationHelperFunc) inventory.ServerTool`
`1434`	`1434`	`}`
`1435`	`1435`
`1436`	`1436`	`return utils.NewToolResultText(string(r)), nil, nil`
`1437`		`- }).WithPermissions(permissions.Require(permissions.PullRequests.Write(), permissions.Contents.Write()))`
	`1437`	`+ }).WithPermissions(permissions.Require(permissions.Contents.Write()))`
`1438`	`1438`	`}`
`1439`	`1439`
`1440`	`1440`	`// SearchPullRequests creates a tool to search for pull requests.`
`@@ -1591,7 +1591,7 @@ func UpdatePullRequestBranch(t translations.TranslationHelperFunc) inventory.Ser`
`1591`	`1591`	`}`
`1592`	`1592`
`1593`	`1593`	`return utils.NewToolResultText(string(r)), nil, nil`
`1594`		`- }).WithPermissions(permissions.Require(permissions.PullRequests.Write(), permissions.Contents.Write()))`
	`1594`	`+ }).WithPermissions(permissions.Require(permissions.PullRequests.Write()))`
`1595`	`1595`	`}`
`1596`	`1596`
`1597`	`1597`	`type PullRequestReviewWriteParams struct {`
Original file line number	Diff line number	Diff line change
`@@ -676,7 +676,7 @@ func CreateRepository(t translations.TranslationHelperFunc) inventory.ServerTool`
`676`	`676`
`677`	`677`	`return utils.NewToolResultText(string(r)), nil, nil`
`678`	`678`	`},`
`679`		`- )`
	`679`	`+ ).WithPermissions(permissions.Require(permissions.Administration.Write()))`
`680`	`680`	`}`
`681`	`681`
`682`	`682`	`// FetchRepoIsPrivate returns whether a repository is private. It is a thin`
`@@ -986,7 +986,7 @@ func ForkRepository(t translations.TranslationHelperFunc) inventory.ServerTool {`
`986`	`986`
`987`	`987`	`return utils.NewToolResultText(string(r)), nil, nil`
`988`	`988`	`},`
`989`		`- )`
	`989`	`+ ).WithPermissions(permissions.Require(permissions.Administration.Write(), permissions.Contents.Read()))`
`990`	`990`	`}`
`991`	`991`
`992`	`992`	`// DeleteFile creates a tool to delete a file in a GitHub repository.`
`@@ -2795,5 +2795,5 @@ func ListRepositoryCollaborators(t translations.TranslationHelperFunc) inventory`
`2795`	`2795`	`callResult = attachStaticIFCLabel(ctx, deps, callResult, ifc.LabelCollaboratorRoster())`
`2796`	`2796`	`return callResult, nil, nil`
`2797`	`2797`	`},`
`2798`		`- ).WithPermissions(permissions.Require(permissions.Administration.Read()))`
	`2798`	`+ ).WithPermissions(permissions.Require(permissions.Metadata.Read()))`
`2799`	`2799`	`}`