GitHub App Permissions
What permissions StarSling requests and why
The StarSling GitHub App requests specific permissions to provide runner functionality and AI-powered optimizations.
Required Permissions
Repository Permissions
| Permission | Access | Purpose |
|---|---|---|
| Actions | Read & Write | Register runners and receive workflow job events |
| Checks | Read & Write | Report runner assignment and job status |
| Code | Read & Write | Read workflow and source files for AI optimization scanning, and commit proposed changes to pull request branches |
| Pull requests | Read & Write | Open AI optimization pull requests |
| Workflows | Read & Write | Propose changes to .github/workflows files via pull requests |
| Deployments | Read | Repository context for AI optimization analysis |
| Discussions | Read | Repository context for AI optimization analysis |
| Issues | Read | Repository context for AI optimization analysis |
| Metadata | Read | Basic repository information (required by all GitHub Apps) |
| Pages | Read | Repository context for AI optimization analysis |
| Repository hooks | Read | Receive webhook deliveries and view hook metadata |
| Security events | Read | Repository context for AI optimization analysis |
Organization Permissions
| Permission | Access | Purpose |
|---|---|---|
| Self-hosted runners | Read & Write | Register and manage runners at the organization level |
| Members | Read | Organization membership for access management |
| Organization hooks | Read | Receive webhook deliveries and view hook metadata |
Permission Details
Actions (Read & Write)
Why: StarSling needs to register self-hosted runners with your repository and receive webhook events when workflows start.
What we do:
- Register ephemeral runners
- Remove runners after job completion
- Receive `workflow_job` webhooks
What we don't do:
- Modify your workflow files outside of a pull request you review (see Workflows)
- Access workflow run logs (except for optimization scanning)
Checks (Read & Write)
Why: To report runner assignment status and provide visibility into job execution.
What we do:
- Update check status when runner is assigned
- Report runner health information
Code (Read & Write)
Why: To read workflow definitions and repository source code for AI optimization scanning, and to commit proposed changes to pull request branches.
What we do:
- Read workflow definitions for optimization scanning
- Read source code files in your repository to provide context for AI optimization suggestions
- Process file contents in memory during analysis
- Commit optimization changes to a new branch and open a pull request
What we don't do:
- Persist source code beyond the temporary 24-hour AI analysis window (see Data Handling)
- Push to your default branch or existing branches — changes are isolated to pull request branches for your review
Pull Requests (Read & Write)
Why: To open AI optimization pull requests against your repository.
What we do:
- Open pull requests with optimization changes and explanations
What we don't do:
- Approve or merge pull requests
- Close or modify PR metadata
Workflows (Read & Write)
Why: To propose optimizations to your GitHub Actions workflow files.
What we do:
- Include updated `.github/workflows/*.yml` files in optimization pull requests
What we don't do:
- Change workflow files outside of a pull request you review and merge
Read-Only Permissions
The remaining read scopes — deployments, discussions, issues, pages, security events, repository and organization hooks, and organization members — give StarSling's agents repository and organization context for optimization analysis and let the app receive the webhook events that trigger runner provisioning. None of these are used to modify your repositories or organization.
Data Access Summary
| Data Type | Accessed | Stored | Retained |
|---|---|---|---|
| Workflow events | Yes | No | No |
| Workflow definitions | Yes | No | No |
| Source code (AI analysis) | Yes | Temporarily | 24 hours |
| Secrets | No | No | No |
| Environment variables | No | No | No |
For a full breakdown of access, storage, and retention, see Data Handling.
Security Practices
Secrets Passthrough
Your GitHub secrets are passed directly to the runner by GitHub. StarSling never sees, stores, or logs secret values.
Ephemeral Runners
Each job runs in its own single-use, hardware-isolated microVM that's destroyed after the run — there's nothing for a later job or a fork pull request to persist on or reach. This is the same isolation as GitHub-hosted runners. See Isolation for details.
Encrypted Transit
All communication uses TLS 1.3. Webhooks are verified using GitHub's signature.
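The two mechanisms this page relies on, GitHub's webhook signature check and the `workflow_job` events that drive runner registration and removal (see Actions above), worked through as an added example; this is illustrative code, not StarSling's implementation. The webhook secret, the sample delivery, and the `starsling` job label used to select jobs are constructed assumptions; the `X-Hub-Signature-256` and `X-GitHub-Event` header names are GitHub's.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample secret (not a real StarSling or GitHub value).
WEBHOOK_SECRET = b"constructed-webhook-secret"


def verify_signature(secret: bytes, body: bytes, signature_header: Optional[str]) -> bool:
    """Check X-Hub-Signature-256: 'sha256=' + hex(HMAC-SHA256(secret, raw request body))."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch does not leak digest bytes through timing.
    return hmac.compare_digest(expected, signature_header)


def plan_runner_action(event_name: str, payload: dict) -> Optional[str]:
    """Map a verified workflow_job delivery to an ephemeral-runner lifecycle step.

    Only jobs carrying the (assumed) 'starsling' label are handled; others are ignored.
    """
    if event_name != "workflow_job":
        return None
    job = payload.get("workflow_job", {})
    if "starsling" not in job.get("labels", []):
        return None
    action = payload.get("action")
    if action == "queued":
        return "register-ephemeral-runner"  # job is waiting: provision a single-use runner
    if action == "completed":
        return "remove-runner"  # job finished: deregister and destroy the runner
    return None


def handle_delivery(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Verify first, then parse: an unsigned or mis-signed delivery is rejected before JSON decoding."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return "rejected: bad signature"
    plan = plan_runner_action(headers.get("X-GitHub-Event", ""), json.loads(body))
    return plan or "ignored"


def sign(secret: bytes, body: bytes) -> str:
    """Build the header value GitHub would send; used here only to construct the sample delivery."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


# Constructed sample delivery: a queued job requesting the StarSling runner label.
SAMPLE_BODY = json.dumps(
    {"action": "queued", "workflow_job": {"id": 1, "labels": ["self-hosted", "starsling"]}}
).encode()
SAMPLE_HEADERS = {"X-GitHub-Event": "workflow_job", "X-Hub-Signature-256": sign(WEBHOOK_SECRET, SAMPLE_BODY)}
```

A delivery whose signature does not match the raw body is dropped before any payload field is read, so a forged event cannot trigger runner provisioning.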
Revoking Access
To remove StarSling:
- Go to your repository or organization settings
- Navigate to Integrations → GitHub Apps
- Find StarSling and click Configure
- Click Uninstall
After uninstalling:
- All runners are immediately deregistered
- No further webhooks are received
- No data is retained beyond 24 hours