Reputation: 4682
I'm trying to set up Jenkins Multi-branch pipelines to add status checks to my GitHub private org repos. Blue Ocean requires the bot-user to have write (maybe more) privileges, listed as so:
I would like to pull code, write status checks but not push code. Is there any combination/workaround that will enable this?
P.S. I'm not entirely confident in what each scope enables and what permission level of collaborator (read/write/admin) they need, even though I've read the hyperlinked docs.
Upvotes: 2
Views: 357
Reputation: 136
A personal access token grants a user API access at the same level as their permissions within GitHub, never greater. For example, if the user has read access to a repo and the token is marked as "Full control" then they will still only have read access to that repo.
Writing a Status Check requires the user to have Write, Maintain or Admin permission to your repos as described in this page: https://help.github.com/en/articles/repository-permission-levels-for-an-organization
Write, as the name suggests, grants push permission to your repo so you will need to think about how to proceed.
I assume you're using GitHub.com (rather than GitHub Enterprise) so would suggest the following:
Grant the bot-user write access to your repo
Create a team of users who require push access
*
https://help.github.com/en/articles/enabling-branch-restrictions
This will apply the restriction to all branches within your repo and prevent the user from pushing, but does not prevent the writing of status checks.
If you were using GitHub Enterprise I would consider a pre-receive hook to prevent the bot-user from being able to push code into your repos.
Mick
Upvotes: 2
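A way to verify the setup the answer describes, added here as an example and not part of the original answer: it checks that the bot account holds a permission level that allows status checks while being absent from every branch's push allow-list. The login `ci-bot`, the team `pushers`, the branch names and the JSON values are constructed sample data, reduced to the fields the check uses; the endpoint paths in the comments are GitHub REST API routes.

```python
import json

# Constructed sample data shaped like GitHub REST API responses (not real accounts).
# GET /repos/{owner}/{repo}/collaborators/{username}/permission
PERMISSION = json.loads('{"permission": "write", "user": {"login": "ci-bot"}}')
# GET /repos/{owner}/{repo}/branches/{branch}/protection/restrictions, per branch
RESTRICTIONS = {
    "main": {"users": [], "teams": [{"slug": "pushers"}], "apps": []},
    "release": {"users": [{"login": "ci-bot"}], "teams": [], "apps": []},
    "feature-x": None,  # no push restriction configured on this branch
}
# GET /orgs/{org}/teams/{team_slug}/members, reduced to logins
TEAM_MEMBERS = {"pushers": ["alice", "bob"]}

# Permission levels the answer lists as able to write a status check.
WRITE_LEVELS = {"write", "maintain", "admin"}


def audit_bot(permission, restrictions, team_members):
    """Report whether the bot can post statuses and which branches it can still push to."""
    login = permission["user"]["login"]
    level = permission["permission"]
    report = {"login": login, "can_post_status": level in WRITE_LEVELS,
              "pushable_branches": []}
    if level not in WRITE_LEVELS:
        return report  # read-only: no status checks and no pushes
    for branch, rule in restrictions.items():
        # An admin can edit the protection settings, so treat it as unrestricted.
        if rule is None or level == "admin":
            allowed = True
        else:
            users = {u["login"] for u in rule["users"]}
            via_team = any(login in team_members.get(t["slug"], [])
                           for t in rule["teams"])
            allowed = login in users or via_team
        if allowed:
            report["pushable_branches"].append(branch)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_bot(PERMISSION, RESTRICTIONS, TEAM_MEMBERS), indent=2))
```

With the sample data, the report flags `release` (the bot is listed directly) and `feature-x` (no restriction), which are the gaps to close before relying on the bot being unable to push.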