Security & Privacy

GitHub App permissions

What permissions Zapat requests from GitHub and why each one is needed.

Updated March 3, 2026

Zapat is installed as a GitHub App rather than an OAuth App. GitHub Apps use fine-grained, repository-scoped permissions and short-lived installation tokens, so you can see exactly what Zapat can and cannot do. Here is a breakdown of every permission Zapat requests.

Repository permissions

  • Contents (read/write) — Required to clone the repository and push code changes. Zapat reads files to understand the codebase and writes commits with the implemented changes.
  • Issues (read/write) — Required to read issue titles and bodies, add labels (e.g., "agent" after triage), and post comments (triage summary, progress updates).
  • Pull requests (read/write) — Required to open pull requests, add review comments, request reviews, and update PR descriptions.
  • Checks (read) — Required to read CI check results and to receive the check_suite webhook. Used by the ci-fix trigger to understand which tests failed.
  • Metadata (read) — Required by all GitHub Apps. Provides basic repository information (name, visibility, default branch).

Event subscriptions

Zapat subscribes to these webhook events to trigger the pipeline:

  • issues — Listens for "labeled" events to detect when you add a trigger label.
  • pull_request — Listens for "labeled" events on PRs.
  • issue_comment — Listens for new comments to detect @zapat mentions.
  • pull_request_review — Listens for review submissions to detect "changes requested".
  • check_suite — Listens for CI completions to detect failures and trigger ci-fix.
  • installation — Listens for installation events (created, deleted, suspended, repositories added or removed) so Zapat's record of which installations and repositories it may act on stays current.
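The events above are only trustworthy if the receiver first checks that the delivery really came from GitHub. The following is an added example, not Zapat's own code, of a minimal webhook receiver: it verifies the X-Hub-Signature-256 header (HMAC-SHA256 over the raw body, compared in constant time) before parsing anything, then routes each subscribed event to the trigger the list above describes. The webhook secret, the label names in TRIGGER_LABELS, the sample payloads and the trigger names are all constructed for the example; the bot-sender check is an assumption about how a self-triggering loop would be avoided, not a documented Zapat behaviour.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder; a real deployment loads the GitHub App's webhook secret from a secret store.
WEBHOOK_SECRET = b"example-webhook-secret"
# Assumed label names (the page names "agent" and a "ci-fix" trigger).
TRIGGER_LABELS = {"agent", "ci-fix"}
BOT_HANDLE = "@zapat"


def verify_signature(secret: bytes, body: bytes, signature_header: Optional[str]) -> bool:
    """GitHub sends X-Hub-Signature-256: 'sha256=' + hex(HMAC-SHA256(secret, raw body)).
    Compare in constant time and refuse to parse the body until this passes."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(signature_header[len("sha256="):], expected)


def route_event(event: str, payload: dict) -> Optional[str]:
    """Map a verified delivery to the trigger it starts, or None to ignore it."""
    action = payload.get("action")
    # Assumption: activity whose sender is a Bot (including the app's own labels and
    # comments) must not re-trigger the pipeline, or the app would loop on itself.
    sender_is_bot = payload.get("sender", {}).get("type") == "Bot"
    if event in ("issues", "pull_request") and action == "labeled" and not sender_is_bot:
        label = payload["label"]["name"]
        return f"{event}:{label}" if label in TRIGGER_LABELS else None
    if event == "issue_comment" and action == "created" and not sender_is_bot:
        return "mention" if BOT_HANDLE in payload["comment"]["body"] else None
    if event == "pull_request_review" and action == "submitted":
        return "changes-requested" if payload["review"]["state"] == "changes_requested" else None
    if event == "check_suite" and action == "completed":
        return "ci-fix" if payload["check_suite"]["conclusion"] == "failure" else None
    if event == "installation":
        # created / deleted / suspend / unsuspend / new_permissions_accepted
        return f"installation:{action}"
    return None


def handle_delivery(headers: dict, body: bytes) -> str:
    """Entry point a web framework would call with the raw request body and headers."""
    if not verify_signature(WEBHOOK_SECRET, body, headers.get("X-Hub-Signature-256")):
        return "rejected: bad signature"
    trigger = route_event(headers.get("X-GitHub-Event", ""), json.loads(body))
    return f"trigger:{trigger}" if trigger else "ignored"


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Build the header GitHub would send; used here only to construct sample deliveries."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def delivery(event: str, payload: dict, secret: bytes = WEBHOOK_SECRET) -> tuple:
    body = json.dumps(payload).encode()
    return {"X-GitHub-Event": event, "X-Hub-Signature-256": sign(body, secret)}, body


def example_results() -> dict:
    """Constructed sample deliveries (not captured from GitHub) and how each is handled."""
    user = {"type": "User"}
    cases = {
        "issue labeled agent": delivery("issues", {"action": "labeled", "label": {"name": "agent"}, "sender": user}),
        "issue labeled bug": delivery("issues", {"action": "labeled", "label": {"name": "bug"}, "sender": user}),
        "mention": delivery("issue_comment", {"action": "created", "comment": {"body": "@zapat please retry"}, "sender": user}),
        "bot self-comment": delivery("issue_comment", {"action": "created", "comment": {"body": "@zapat done"}, "sender": {"type": "Bot"}}),
        "changes requested": delivery("pull_request_review", {"action": "submitted", "review": {"state": "changes_requested"}, "sender": user}),
        "ci failure": delivery("check_suite", {"action": "completed", "check_suite": {"conclusion": "failure"}, "sender": user}),
        "ci success": delivery("check_suite", {"action": "completed", "check_suite": {"conclusion": "success"}, "sender": user}),
        "wrong secret": delivery("issues", {"action": "labeled", "label": {"name": "agent"}, "sender": user}, secret=b"attacker-guess"),
    }
    results = {name: handle_delivery(h, b) for name, (h, b) in cases.items()}
    # A delivery with no signature header is rejected before the body is parsed.
    results["no signature"] = handle_delivery({"X-GitHub-Event": "issues"}, b"{}")
    return results


if __name__ == "__main__":
    for name, outcome in example_results().items():
        print(f"{name:20s} -> {outcome}")
```

Two points worth keeping when adapting this: verify the signature over the exact bytes received (re-serialising the JSON changes the HMAC), and treat the label and comment text as untrusted input, since anyone who can comment on or label an issue in the repository can cause a delivery.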

What Zapat cannot do

  • Zapat cannot access repositories you have not explicitly selected during installation.
  • Zapat does not merge PRs unless you explicitly enable auto-merge. Note that the Contents and Pull requests write permissions above are enough for the GitHub merge API, so this restriction is enforced by Zapat's behaviour rather than by GitHub; branch protection rules and required reviews on your side still apply.
  • Zapat cannot read Actions secrets or change repository settings. Workflow files under .github/workflows are readable as part of the repository contents, but Zapat cannot create or modify them: GitHub requires the separate Workflows permission for pushes that touch that directory, and Zapat does not request it.
  • Zapat cannot access GitHub organization membership or billing information.

Tip

You can review and revoke Zapat's access at any time from GitHub.com > Settings > Applications > Installed GitHub Apps (for an organization, the organization's Settings > GitHub Apps). Uninstalling the app invalidates its installation tokens and stops all future webhook deliveries for that installation; suspending it pauses access without removing the installation.