GitHub
Published on May 25th, 2026Introduction
The Context Store has several GitHub templated Data Sources to allow users to quickly pull relevant data into their Data Store. These templates are a starting point and often you'll want to apply filters or chained Data Sources to modify these templates to suit your needs.
Authentication
The built-in GitHub Data sources are split across two integrations:
github-enterprise-app(GitHub App installation auth)github-enterprise-token(PAT/header auth)
Pre-built Data Sources
This table lists the GitHub API permissions needed for the GitHub data source seeds currently defined in this repo.
GitHub App
GitHub App integrations use installation tokens, not PAT scopes.
This table lists the GitHub API permissions needed for the GitHub App data source seeds currently defined in this repo (integrationSlug: github-app).
Permissions below are expressed as GitHub App permissions.
| Data source seed | GitHub endpoint(s) used | Recommended GitHub App permission(s) |
|---|---|---|
GitHub App installation | GET /installation | Metadata (read) |
GitHub App repositories | GET /installation/repositories | Metadata (read) |
GitHub App pull requests (per repo) | GET /installation/repositories then GET /repos/{full_name}/pulls?state=open | Metadata (read), Pull requests (read) |
GitHub App releases (per repo) | GET /installation/repositories then GET /repos/{full_name}/releases | Metadata (read), Contents (read) |
GitHub App Actions workflows | GET /installation/repositories then GET /repos/{full_name}/actions/workflows | Metadata (read), Actions (read) |
GitHub App Dependabot alerts (per repo) | GET /installation/repositories then GET /repos/{full_name}/dependabot/alerts?state=open | Metadata (read), Dependabot alerts (read) |
GitHub App collaborators (per repo) | GET /installation/repositories then GET /repos/{full_name}/collaborators | Metadata (read), Administration (read) |
GitHub App markdown files (per repo) | GET /installation/repositories then GET /search/code?q=extension:md+repo:{full_name} | Metadata (read), Contents (read) |
GitHub App YAML files (per repo) | GET /installation/repositories then GET /search/code?q=extension:yaml+extension:yml+repo:{full_name} | Metadata (read), Contents (read) |
Practical recommendation
For broad compatibility with all current GitHub App seeds, configure:
Metadata(read)Pull requests(read)Contents(read)Actions(read)Dependabot alerts(read)Administration(read)
If possible, grant permissions at the lowest repository scope needed by your installation.
PAT Tokens
The built-in github-token integration uses Personal Access Token-based auth.
Permissions below are expressed as classic PAT scopes, with notes where fine-grained token permissions are relevant.
| Data source seed | GitHub endpoint(s) used | Recommended token permission(s) |
|---|---|---|
GitHub repositories | GET /user/repos | repo |
GitHub organizations | GET /user/orgs | read:org |
GitHub open pull requests | GET /search/issues?q=is:pr+is:open+author:@me | repo |
GitHub pull requests (per repo) | GET /user/repos then GET /repos/{full_name}/pulls?state=open | repo |
GitHub releases (per repo) | GET /user/repos then GET /repos/{full_name}/releases | repo |
GitHub Actions workflows | GET /user/repos then GET /repos/{full_name}/actions/workflows | repo, workflow |
GitHub installed apps | GET /user/installations | Token tied to account with app-installation visibility |
GitHub codespaces | GET /user/codespaces | codespace (or equivalent Codespaces read permission) |
GitHub organization members | GET /user/orgs then GET /orgs/{login}/members | read:org |
GitHub teams | GET /user/orgs then GET /orgs/{login}/teams | read:org |
GitHub Dependabot alerts (per repo) | GET /user/repos then GET /repos/{full_name}/dependabot/alerts?state=open | repo, security_events |
GitHub collaborators (per repo) | GET /user/repos then GET /repos/{full_name}/collaborators | repo, read:org |
GitHub catalog-info.yaml files | GET /search/code?q=filename:catalog-info.yaml+org:{org} | repo (private repos), read:org |
GitHub markdown files | GET /search/code?q=extension:md+org:{org} | repo (private repos), read:org |
GitHub YAML files | GET /search/code?q=extension:yaml+extension:yml+org:{org} | repo (private repos), read:org |
For broad compatibility with all GitHub seeds, start with:
reporead:orgworkflowsecurity_eventscodespace(only if you need the codespaces seed)
If you use fine-grained tokens, grant the equivalent repository/org read permissions for each endpoint category above.