Refine FGP annotations per review feedback

SamMorrowDrums · Copilot · SamMorrowDrums · commit b84e8af8fbcd · 2026-06-12T19:46:01.000+02:00
- list_repository_collaborators: administration:read -&gt; metadata:read
  (the list endpoint requires Fine-grained Metadata read; administration
  only covers adding/removing collaborators)
- create_repository, fork_repository: revert to ungated (administration
  mapping is genuinely ambiguous between user- and org-owned repos)
- projects_get/list/write: revert to ungated (ProjectsV2 GraphQL does not
  map cleanly to the classic repository_projects/organization_projects
  catalog consts)

get_teams/get_team_members keep members:read; list_issue_fields keeps
issues:read. Docs table regenerated (idempotent).

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/docs/permissions-filtering.md b/docs/permissions-filtering.md
@@ -76,9 +76,6 @@ The generated table below is produced by `script/generate-docs` and lists every
 | `labels` | `get_label` | `issues:read` |
 | `labels` | `label_write` | `issues:write` |
 | `labels` | `list_label` | `issues:read` |
-| `projects` | `projects_get` | `organization_projects:read` |
-| `projects` | `projects_list` | `organization_projects:read` |
-| `projects` | `projects_write` | `organization_projects:write` |
 | `pull_requests` | `add_comment_to_pending_review` | `pull_requests:write` |
 | `pull_requests` | `add_reply_to_pull_request_comment` | `pull_requests:write` |
 | `pull_requests` | `create_pull_request` | `pull_requests:write` |
@@ -90,9 +87,7 @@ The generated table below is produced by `script/generate-docs` and lists every
 | `pull_requests` | `update_pull_request` | `pull_requests:write` |
 | `repos` | `create_branch` | `contents:write` |
 | `repos` | `create_or_update_file` | `contents:write` |
-| `repos` | `create_repository` | `administration:write` |
 | `repos` | `delete_file` | `contents:write` |
-| `repos` | `fork_repository` | `administration:write` |
 | `repos` | `get_commit` | `contents:read` |
 | `repos` | `get_file_contents` | `contents:read` |
 | `repos` | `get_latest_release` | `contents:read` |
@@ -101,7 +96,7 @@ The generated table below is produced by `script/generate-docs` and lists every
 | `repos` | `list_branches` | `contents:read` |
 | `repos` | `list_commits` | `contents:read` |
 | `repos` | `list_releases` | `contents:read` |
-| `repos` | `list_repository_collaborators` | `administration:read` |
+| `repos` | `list_repository_collaborators` | `metadata:read` |
 | `repos` | `list_tags` | `contents:read` |
 | `repos` | `push_files` | `contents:write` |
 | `secret_protection` | `get_secret_scanning_alert` | `secret_scanning_alerts:read` |
diff --git a/pkg/github/projects.go b/pkg/github/projects.go
@@ -12,7 +12,6 @@ import (
 	ghErrors "github.com/github/github-mcp-server/pkg/errors"
 	"github.com/github/github-mcp-server/pkg/ifc"
 	"github.com/github/github-mcp-server/pkg/inventory"
-	"github.com/github/github-mcp-server/pkg/permissions"
 	"github.com/github/github-mcp-server/pkg/scopes"
 	"github.com/github/github-mcp-server/pkg/translations"
 	"github.com/github/github-mcp-server/pkg/utils"
@@ -274,7 +273,7 @@ Use this tool to list projects for a user or organization, or list project field
 				}
 			}
 		},
-	).WithPermissions(permissions.Require(permissions.OrganizationProjects.Read()))
+	)
 	return tool
 }
 
@@ -423,7 +422,7 @@ Use this tool to get details about individual projects, project fields, and proj
 				return utils.NewToolResultError(fmt.Sprintf("unknown method: %s", method)), nil, nil
 			}
 		},
-	).WithPermissions(permissions.Require(permissions.OrganizationProjects.Read()))
+	)
 	return tool
 }
 
@@ -673,7 +672,7 @@ func ProjectsWrite(t translations.TranslationHelperFunc) inventory.ServerTool {
 				return utils.NewToolResultError(fmt.Sprintf("unknown method: %s", method)), nil, nil
 			}
 		},
-	).WithPermissions(permissions.Require(permissions.OrganizationProjects.Write()))
+	)
 	return tool
 }
 
diff --git a/pkg/github/repositories.go b/pkg/github/repositories.go
@@ -676,7 +676,7 @@ func CreateRepository(t translations.TranslationHelperFunc) inventory.ServerTool
 
 			return utils.NewToolResultText(string(r)), nil, nil
 		},
-	).WithPermissions(permissions.Require(permissions.Administration.Write()))
+	)
 }
 
 // FetchRepoIsPrivate returns whether a repository is private. It is a thin
@@ -986,7 +986,7 @@ func ForkRepository(t translations.TranslationHelperFunc) inventory.ServerTool {
 
 			return utils.NewToolResultText(string(r)), nil, nil
 		},
-	).WithPermissions(permissions.Require(permissions.Administration.Write()))
+	)
 }
 
 // DeleteFile creates a tool to delete a file in a GitHub repository.
@@ -2795,5 +2795,5 @@ func ListRepositoryCollaborators(t translations.TranslationHelperFunc) inventory
 			callResult = attachStaticIFCLabel(ctx, deps, callResult, ifc.LabelCollaboratorRoster())
 			return callResult, nil, nil
 		},
-	).WithPermissions(permissions.Require(permissions.Administration.Read()))
+	).WithPermissions(permissions.Require(permissions.Metadata.Read()))
 }

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,6 @@ import (`
`12`	`12`	`ghErrors "github.com/github/github-mcp-server/pkg/errors"`
`13`	`13`	`"github.com/github/github-mcp-server/pkg/ifc"`
`14`	`14`	`"github.com/github/github-mcp-server/pkg/inventory"`
`15`		`- "github.com/github/github-mcp-server/pkg/permissions"`
`16`	`15`	`"github.com/github/github-mcp-server/pkg/scopes"`
`17`	`16`	`"github.com/github/github-mcp-server/pkg/translations"`
`18`	`17`	`"github.com/github/github-mcp-server/pkg/utils"`
`@@ -274,7 +273,7 @@ Use this tool to list projects for a user or organization, or list project field`
`274`	`273`	`}`
`275`	`274`	`}`
`276`	`275`	`},`
`277`		`- ).WithPermissions(permissions.Require(permissions.OrganizationProjects.Read()))`
	`276`	`+ )`
`278`	`277`	`return tool`
`279`	`278`	`}`
`280`	`279`
`@@ -423,7 +422,7 @@ Use this tool to get details about individual projects, project fields, and proj`
`423`	`422`	`return utils.NewToolResultError(fmt.Sprintf("unknown method: %s", method)), nil, nil`
`424`	`423`	`}`
`425`	`424`	`},`
`426`		`- ).WithPermissions(permissions.Require(permissions.OrganizationProjects.Read()))`
	`425`	`+ )`
`427`	`426`	`return tool`
`428`	`427`	`}`
`429`	`428`
`@@ -673,7 +672,7 @@ func ProjectsWrite(t translations.TranslationHelperFunc) inventory.ServerTool {`
`673`	`672`	`return utils.NewToolResultError(fmt.Sprintf("unknown method: %s", method)), nil, nil`
`674`	`673`	`}`
`675`	`674`	`},`
`676`		`- ).WithPermissions(permissions.Require(permissions.OrganizationProjects.Write()))`
	`675`	`+ )`
`677`	`676`	`return tool`
`678`	`677`	`}`
`679`	`678`
Original file line number	Diff line number	Diff line change
`@@ -676,7 +676,7 @@ func CreateRepository(t translations.TranslationHelperFunc) inventory.ServerTool`
`676`	`676`
`677`	`677`	`return utils.NewToolResultText(string(r)), nil, nil`
`678`	`678`	`},`
`679`		`- ).WithPermissions(permissions.Require(permissions.Administration.Write()))`
	`679`	`+ )`
`680`	`680`	`}`
`681`	`681`
`682`	`682`	`// FetchRepoIsPrivate returns whether a repository is private. It is a thin`
`@@ -986,7 +986,7 @@ func ForkRepository(t translations.TranslationHelperFunc) inventory.ServerTool {`
`986`	`986`
`987`	`987`	`return utils.NewToolResultText(string(r)), nil, nil`
`988`	`988`	`},`
`989`		`- ).WithPermissions(permissions.Require(permissions.Administration.Write()))`
	`989`	`+ )`
`990`	`990`	`}`
`991`	`991`
`992`	`992`	`// DeleteFile creates a tool to delete a file in a GitHub repository.`
`@@ -2795,5 +2795,5 @@ func ListRepositoryCollaborators(t translations.TranslationHelperFunc) inventory`
`2795`	`2795`	`callResult = attachStaticIFCLabel(ctx, deps, callResult, ifc.LabelCollaboratorRoster())`
`2796`	`2796`	`return callResult, nil, nil`
`2797`	`2797`	`},`
`2798`		`- ).WithPermissions(permissions.Require(permissions.Administration.Read()))`
	`2798`	`+ ).WithPermissions(permissions.Require(permissions.Metadata.Read()))`
`2799`	`2799`	`}`