What permission does a Github Action need to call graphql enablePullRequestAutoMerge?

[jaqx0r]

I’m setting permissions on my workflows, and this is an OK experience for REST API as the permissions required are mostly documented there. However the GraphQL API documentation doesn’t describe the permissions required for the calls.

I am trying to set permissions for a workflow that enables automerge, which is via the GraphQL API: https://docs.github.com/en/graphql/reference/mutations#enablepullrequestautomerge though there are many similar, and the few that document the requirements on the token ask for full ‘repo’ access.

I’m not convinced that the token needs ‘repo’ ; perhaps it’s just pull_request: write? But I can’t tell without experimenting with the workflow config and retriggering them, and I’m not keen to do that – does anyone know the answer, and/or know where the GraphQL permissions are documented?

Further to that; is there a mapping of the permissions documented here: Authentication in a workflow - GitHub Docs to the token scopes you choose when Creating a Personal Access Token?

(I’d link to the last document, but this tool won’t let me post more than two URLs.)

[jsoref]

I filed a bug in response to a similar item:

  <a href="https://github.com/github/docs/issues/8925" target="_blank" rel="noopener">github.com/github/docs</a>

GraphQL API content does not appear to explain required permissions

<div class="github-info">
  <div class="date">
    opened <span class="discourse-local-date" data-format="ll" data-date="2021-08-10" data-time="03:33:30" data-timezone="UTC">03:33AM - 10 Aug 21 UTC</span>
  </div>


  <div class="user">
    <a href="https://github.com/jsoref" target="_blank" rel="noopener">
      <img alt="jsoref" src="https://user-images.githubusercontent.com/2119212/181086049-2fce8cd4-5726-470f-b743-39783450b556.png" class="onebox-avatar-inline" width="20" height="20">
      jsoref
    </a>
  </div>
</div>

<div class="labels">
    <span style="display:inline-block;margin-top:2px;background-color: #B8B8B8;padding: 2px;border-radius: 4px;color: #fff;margin-left: 3px;">
      content
    </span>
</div>

### Code of Conduct

• I have read and agree to the GitHub Docs project's Co…de of Conduct.

What article on docs.github.com is affected?

https://docs.github.com/en/graphql/guides/forming-calls-with-graphql#authenticating-with-graphql

What part(s) of the article would you like to see updated?

#authenticating-with-graphql

The section that talks about authentication really doesn't help understand what permissions one needs to do things

A forum post asked about converting a PR to/from draft.

Additional information

The v3 API has a long page that makes it possible to try to figure out what permissions one might need:
https://docs.github.com/en/rest/reference/permissions-required-for-github-apps#permission-on-pull-requests

But, I really can't find any equivalent for the v4 api.

For reference, here's the mutation in question:
https://docs.github.com/en/graphql/reference/mutations#convertpullrequesttodraft

[sharwell]

With some trial-and-error in a test repository, I found the minimum permissions to execute the enablePullRequestAutoMerge mutation are:

permissions:
  contents: write

[kyanny]

As of 2024-05-24, both contents: write and pull-requests: write permissions are required.

Minimum working example:

name: enable PR auto-merge

on:
  pull_request:
    types:
      - opened

jobs:
  enable-auto-merge:
    runs-on: ubuntu-latest

    # https://github.com/orgs/community/discussions/24686
    permissions: 
      contents: write
      pull-requests: write

    steps:
      - run: |
          gh api graphql -f pullRequestId="${{ github.event.pull_request.node_id }}" -f query='
          mutation EnablePullRequestAutoMerge($pullRequestId: ID!) {
            enablePullRequestAutoMerge(input: {pullRequestId: $pullRequestId}) {
              clientMutationId
            }
          }
          '
        env:
          GH_TOKEN: ${{ github.token }}

[jaqx0r]

Confirmed that contents: write is the necessary permission. Thanks!