Support restricted mode with less github permissions: no write access to code

[gberche-orange]

Feature request

Currently, the hosted version requires the following permissions

Motivation

I'd need to experiment with some selected quodo features within the toollist ( /review ), and not yet enable other features such as ( /update_changelog or /test), in order to limit security risks to the rest of the github project, and prevent undesired side effects such as:

• inject malicious code in unrelated branches
• delete tag and create new tag pointing to malicious commit, potentially triggering new gh workflow

Is quodo using the contents github app permissions ?

As I understand, the contents github app permissions has pretty wide permissions

https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/choosing-permissions-for-a-github-app#about-github-app-permissions

For more information about specifying permissions during GitHub App registration, see Registering a GitHub App.

Screenshot from creating a github app

Link learn more:
https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2026-03-10#repository-permissions-for-contents

Is there a way qodo could provide a read-only app version for such progressive trials, which would have read-only access to repo, but only write access to the PR ?

Typically, the app would be given github write access to pull requests but no access to content

[qodo-free-for-open-source-projects]

💡 Auto-generated documentation-based answer:

The docs distinguish between GitHub App vs GitHub Action, and they require different GitHub permissions.

1) GitHub App (the model used by Qodo Merge hosted app)

• In the self-hosted “Run as a GitHub App” instructions, the app permissions include:
  • Pull requests: Read & write
  • Issue comment: Read & write
  • Metadata: Read-only
  • Contents: Read-only
    So per the documentation, the GitHub App setup uses contents permission, but as read-only (not write).

2) GitHub Action

• The sample workflow in the docs uses:
  • contents: write
    This is a workflow choice; you can reduce permissions in your workflow file if you only need read operations (but the docs example itself uses write).

3) Running only /review (and avoiding side-effect tools)
You can limit what runs automatically by configuring the GitHub App pr_commands list. For example, to run only review automatically:

[github_app]
pr_commands = ["/review"]

Or disable all automatic tools entirely:

[config]
disable_auto_feedback = true

Then you can manually invoke only what you want via PR comments (e.g., /review).

4) About tools that modify the repo (e.g., pushing commits)
Some tools can be configured to push changes (e.g., /update_changelog has push_changelog_changes). If you want to avoid any code-writing behavior, don’t enable such tools and keep “push” behaviors off. In the changelog tool docs, the default is to publish as a comment, not push.

What’s missing to answer precisely for the hosted app screenshot
The docs show “Contents: Read-only” for the GitHub App instructions, but they don’t list the exact permission set for the hosted marketplace app UI you screenshotted. If you share:

• whether you’re using Qodo Merge GitHub App (marketplace) or GitHub Action, and
• the exact permission names/scopes shown in the GitHub App install screen,
  I can map them to what each tool needs and suggest the minimal set for “review-only” usage.

Relevant Sources:

• https://docs.qodo.ai/qodo-documentation/code-review/qodo-merge/installation/github#run-as-a-github-app
• https://docs.qodo.ai/qodo-documentation/code-review/qodo-merge/usage-guide/automations_and_usage#github-app
• https://docs.qodo.ai/qodo-documentation/code-review/qodo-merge/usage-guide/automations_and_usage#qodo-merge-automatic-feedback
• https://docs.qodo.ai/qodo-documentation/code-review/qodo-merge/installation/github#run-as-a-github-action
• https://docs.qodo.ai/qodo-documentation/code-review/qodo-merge/tools/update_changelog#configuration-options