Summary
The permissions frontmatter field does not support the administration scope. This causes the push-to-pull-request-branch safe output handler to silently skip its branch protection check every run, because the minted GitHub App token lacks administration: read.
Background
push_to_pull_request_branch.cjs calls GET /repos/{owner}/{repo}/branches/{branch}/protection before pushing, to detect whether the target branch is protected. This endpoint requires administration: read.
When the token lacks that permission, the handler logs a warning and continues:
Could not check branch protection rules for "repo-assist/..." (insufficient permissions):
Resource not accessible by integration - https://docs.github.com/rest/branches/branch-protection#get-branch-protection
The push still succeeds (GitHub enforces protection at the git push level regardless), but the pre-flight check — which exists to give a better early error — is always skipped.
Current workaround
Add permission-administration: read directly to the compiled .yml in the create-github-app-token step for the safe_outputs job. This works but bypasses the source .md frontmatter entirely, creating a diff between the source and compiled workflow that future recompiles will overwrite.
Requested change
Add administration to the list of supported permission scopes in the permissions frontmatter field (alongside actions, checks, contents, etc.), so it can be expressed in the source .md and compiled correctly into the create-github-app-token step.
Suggested frontmatter syntax (consistent with existing scopes):
permissions:
  contents: write
  pull-requests: write
  administration: read # needed for branch protection checks
Notes
- administration: read is only needed for the safe_outputs job token, not the agent job token
- This is a narrow, well-understood permission scope — not a blanket escalation
- Without it, any workflow using push-to-pull-request-branch silently skips the branch protection pre-flight on every run
Issue filed by Claude (Anthropic)
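
The pre-flight behaviour described under Background, as an added example that is not part of the original issue and is not the project's push_to_pull_request_branch.cjs: it separates "branch is unprotected" from "could not check" so a missing administration: read shows up as its own state. The function names, the `failClosed` option, the Octokit-style `request` shape and the choice to stop on a protected branch are assumptions.

```javascript
// Added example; not the project's handler code.
const ROUTE = "GET /repos/{owner}/{repo}/branches/{branch}/protection";

// Map the HTTP outcome of the protection lookup to a state.
function classifyProtectionResponse(status, message = "") {
  if (status === 200) return "protected";
  // GitHub answers 404 "Branch not protected" when no rule applies.
  if (status === 404 && /branch not protected/i.test(message)) return "unprotected";
  // 403 "Resource not accessible by integration": token lacks administration: read.
  if (status === 403) return "unknown";
  return "error";
}

// Decide what the pre-flight does with each state. `failClosed` (hypothetical)
// turns an unverifiable check into a failure instead of a warning.
function preflightDecision(state, { failClosed = false } = {}) {
  switch (state) {
    case "unprotected": return { proceed: true, level: "info" };
    case "protected": return { proceed: false, level: "error" }; // early error (assumed)
    case "unknown": return { proceed: !failClosed, level: failClosed ? "error" : "warning" };
    default: return { proceed: false, level: "error" };
  }
}

// `request` is injected (assumed Octokit-style: resolves with { status },
// rejects with an error carrying .status and .message).
async function checkBranchProtection(request, target, options) {
  let state;
  try {
    const res = await request(ROUTE, target);
    state = classifyProtectionResponse(res.status);
  } catch (err) {
    state = classifyProtectionResponse(err.status, err.message);
  }
  return { state, ...preflightDecision(state, options) };
}

// Constructed stub reproducing the 403 from the warning quoted above.
const deniedRequest = async () => {
  throw Object.assign(new Error("Resource not accessible by integration"), { status: 403 });
};

checkBranchProtection(deniedRequest, { owner: "o", repo: "r", branch: "b" })
  .then((result) => console.log(result));
```
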