# GitHub App Permissions (/configuration/github-app-permissions)

The StarSling GitHub App requests specific permissions to provide runner functionality and AI-powered optimizations.

## Required Permissions

### Repository Permissions

| Permission           | Access       | Purpose                                                                                                           |
| -------------------- | ------------ | ----------------------------------------------------------------------------------------------------------------- |
| **Actions**          | Read & Write | Register runners and receive workflow job events                                                                  |
| **Checks**           | Read & Write | Report runner assignment and job status                                                                           |
| **Code**             | Read & Write | Read workflow and source files for AI optimization scanning, and commit proposed changes to pull request branches |
| **Pull requests**    | Read & Write | Open AI optimization pull requests                                                                                |
| **Workflows**        | Read & Write | Propose changes to `.github/workflows` files via pull requests                                                    |
| **Deployments**      | Read         | Repository context for AI optimization analysis                                                                   |
| **Discussions**      | Read         | Repository context for AI optimization analysis                                                                   |
| **Issues**           | Read         | Repository context for AI optimization analysis                                                                   |
| **Metadata**         | Read         | Basic repository information (required by all GitHub Apps)                                                        |
| **Pages**            | Read         | Repository context for AI optimization analysis                                                                   |
| **Repository hooks** | Read         | Receive webhook deliveries and view hook metadata                                                                 |
| **Security events**  | Read         | Repository context for AI optimization analysis                                                                   |

### Organization Permissions

| Permission              | Access       | Purpose                                               |
| ----------------------- | ------------ | ----------------------------------------------------- |
| **Self-hosted runners** | Read & Write | Register and manage runners at the organization level |
| **Members**             | Read         | Organization membership for access management         |
| **Organization hooks**  | Read         | Receive webhook deliveries and view hook metadata     |

## Permission Details

### Actions (Read & Write)

**Why:** StarSling needs to register self-hosted runners with your repository and receive webhook events when workflows start.

**What we do:**

* Register ephemeral runners
* Remove runners after job completion
* Receive `workflow_job` webhooks

**What we don't do:**

* Modify your workflow files outside of a pull request you review (see [Workflows](#workflows-read--write))
* Access workflow run logs (except for optimization scanning)

### Checks (Read & Write)

**Why:** To report runner assignment status and provide visibility into job execution.

**What we do:**

* Update check status when runner is assigned
* Report runner health information

### Code (Read & Write)

**Why:** To read workflow definitions and repository source code for AI optimization scanning, and to commit proposed changes to pull request branches.

**What we do:**

* Read workflow definitions for optimization scanning
* Read source code files in your repository to provide context for AI optimization suggestions
* Process file contents in memory during analysis
* Commit optimization changes to a new branch and open a pull request

**What we don't do:**

* Persist source code beyond the temporary 24-hour AI analysis window (see [Data Handling](/security/data-handling))
* Push to your default branch or existing branches — changes are isolated to pull request branches for your review

### Pull Requests (Read & Write)

**Why:** To open AI optimization pull requests against your repository.

**What we do:**

* Open pull requests with optimization changes and explanations

**What we don't do:**

* Approve or merge pull requests
* Close or modify PR metadata

### Workflows (Read & Write)

**Why:** To propose optimizations to your GitHub Actions workflow files.

**What we do:**

* Include updated `.github/workflows/*.yml` files in optimization pull requests

**What we don't do:**

* Change workflow files outside of a pull request you review and merge

### Read-Only Permissions

The remaining read scopes — deployments, discussions, issues, pages, security events, repository and organization hooks, and organization members — give StarSling's agents repository and organization context for optimization analysis and let the app receive the webhook events that trigger runner provisioning. None of these are used to modify your repositories or organization.

## Data Access Summary

| Data Type                 | Accessed | Stored      | Retained |
| ------------------------- | -------- | ----------- | -------- |
| Workflow events           | Yes      | No          | No       |
| Workflow definitions      | Yes      | No          | No       |
| Source code (AI analysis) | Yes      | Temporarily | 24 hours |
| Secrets                   | No       | No          | No       |
| Environment variables     | No       | No          | No       |

For a full breakdown of access, storage, and retention, see [Data Handling](/security/data-handling).

## Security Practices

### Secrets Passthrough

Your GitHub secrets are passed directly to the runner by GitHub. StarSling never sees, stores, or logs secret values.

### Ephemeral Runners

Each job runs in its own single-use, hardware-isolated microVM that's destroyed after the run — there's nothing for a later job or a fork pull request to persist on or reach. This is the same isolation as GitHub-hosted runners. See [Isolation](/security/data-handling#isolation) for details.

### Encrypted Transit

All communication uses TLS 1.3. Webhooks are verified using GitHub's signature.
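As an added illustration (not StarSling's code) of the webhook path described under Actions and here: a receiver that checks GitHub's `X-Hub-Signature-256` HMAC against the raw body before it parses a `workflow_job` delivery, so an unsigned or tampered delivery never reaches the provisioning logic. The secret, headers and payload are constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import json

# Constructed secret for this example (hypothetical; not a real StarSling value).
WEBHOOK_SECRET = b"example-webhook-secret"


def compute_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: str | None) -> bool:
    """Constant-time comparison; a missing header or wrong prefix is rejected."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(compute_signature(secret, body), header_value)


def handle_delivery(secret: bytes, headers: dict, body: bytes) -> dict | None:
    """Return the fields a runner-provisioning step needs, or None to drop the delivery."""
    # Verify before parsing: unauthenticated bodies never reach the JSON parser.
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return None
    if headers.get("X-GitHub-Event") != "workflow_job":
        return None  # only workflow_job events drive runner provisioning
    event = json.loads(body)
    job = event["workflow_job"]
    return {
        "action": event["action"],
        "job_id": job["id"],
        "labels": job["labels"],
        "repository": event["repository"]["full_name"],
    }

# Constructed sample delivery: a queued workflow_job (a subset of GitHub's payload fields).
SAMPLE_BODY = json.dumps({
    "action": "queued",
    "workflow_job": {"id": 123456, "labels": ["self-hosted", "linux"]},
    "repository": {"full_name": "example-org/example-repo"},
}).encode()
SAMPLE_HEADERS = {
    "X-GitHub-Event": "workflow_job",
    "X-Hub-Signature-256": compute_signature(WEBHOOK_SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(handle_delivery(WEBHOOK_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
```

The body must be hashed as the exact bytes received; re-serialising parsed JSON before hashing changes whitespace and key order and will fail verification.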

## Revoking Access

To remove StarSling:

1. Go to your repository or organization settings
2. Navigate to **Integrations** → **GitHub Apps**
3. Find StarSling and click **Configure**
4. Click **Uninstall**

After uninstalling:

* All runners are immediately deregistered
* No further webhooks are received
* No data is retained beyond 24 hours

<Cards>
  <Card title="Security & Compliance" href="/security/compliance" description="Certifications and security practices" />

  <Card title="Data Handling" href="/security/data-handling" description="How we handle your data" />
</Cards>
