Tenki Application level access
Review and understand what level of access each Tenki GitHub App requires on your GitHub Organization.
Tenki ships as two separate GitHub Apps that are installed independently:
- Tenki Code Reviewer, the AI-powered pull request review agent.
- Tenki Runner, the self-hosted GitHub Actions runner infrastructure.
Each app requests only the permissions it needs. If you only install Code Reviewer, you never grant Runner-level scopes, and vice versa. The sections below detail the exact permissions for each app.
Tenki Code Reviewer permissions
The Code Reviewer app needs read access to your code and the ability to post review comments on pull requests. It does not request the Administration permission.
This scope is comparable to other AI code review tools (such as CodeRabbit or Greptile) and is limited to repository content and pull request interactions.
| Permission | Access | Why it's required |
|---|---|---|
| Metadata | Read | Enumerate repositories and basic organization info so the app can be installed. |
| Pull requests | Read & Write | Read pull request diffs for analysis and post review comments and summaries. |
| Contents | Read | Read source files referenced in pull requests to provide contextual reviews. |
Tenki Runner permissions
The Runner app manages the lifecycle of self-hosted runners registered to your GitHub Organization. It requires broader permissions because GitHub's API mandates them for runner registration and workflow orchestration.
| Permission | Access | Why it's required |
|---|---|---|
| Metadata | Read | Enumerate repositories, workflows, and runs for monitoring and job routing. |
| Members | Read | List organization members to map Tenki workspace users to GitHub identities. |
| Actions | Read & Write | Read workflow runs and jobs, and trigger or cancel runs during runner management. |
| Contents | Read & Write | Used by the migration wizard to generate a pull request with the necessary workflow file changes. |
| Pull requests | Read & Write | Used by the migration wizard to open a pull request containing the updated workflow files. |
| Workflows | Read & Write | Read and update workflow configuration files (.github/workflows/) during migration. |
| Administration | Read & Write | Register and remove self-hosted runners at the organization level. GitHub's REST API requires this scope to call the Create a registration token for an organization endpoint; there is no alternative API path for org-level runner registration without it. |
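
To check that what is actually granted in your organization matches the two tables above, the following added example (not Tenki's own code) compares each installation's `permissions` object, as returned by GitHub's `GET /orgs/{org}/installations` endpoint, against the documented levels. The app slugs and the sample response are constructed placeholders; substitute the slugs of your own installations.

```python
import json

# Documented grants from the two tables above, keyed by the permission names
# GitHub reports in an installation's "permissions" object.
DOCUMENTED = {
    "code_reviewer": {"metadata": "read", "pull_requests": "write", "contents": "read"},
    "runner": {"metadata": "read", "members": "read", "actions": "write",
               "contents": "write", "pull_requests": "write",
               "workflows": "write", "administration": "write"},
}
# Assumption: these slugs are placeholders; use the slugs shown for your installs.
SLUGS = {"tenki-code-reviewer-example": "code_reviewer", "tenki-runner-example": "runner"}
RANK = {None: 0, "read": 1, "write": 2}  # "Read & Write" is reported as "write"

def audit(granted, expected):
    """List every permission whose granted level differs from the documented one."""
    findings = []
    for perm in sorted(set(granted) | set(expected)):
        have, want = granted.get(perm), expected.get(perm)
        # Unknown levels (for example "admin") rank above write, so they are flagged.
        delta = RANK.get(have, 3) - RANK.get(want, 3)
        if delta > 0:
            findings.append(f"EXCESS {perm}: granted {have}, documented {want or 'none'}")
        elif delta < 0:
            findings.append(f"MISSING {perm}: granted {have or 'none'}, documented {want}")
    return findings

def audit_org(response):
    """Audit each known app in a GET /orgs/{org}/installations response body."""
    return {i["app_slug"]: audit(i.get("permissions", {}), DOCUMENTED[SLUGS[i["app_slug"]]])
            for i in response["installations"] if i["app_slug"] in SLUGS}

# Constructed sample response: the reviewer install has drifted from the table.
SAMPLE = json.loads("""{"total_count": 2, "installations": [
  {"app_slug": "tenki-code-reviewer-example", "permissions":
    {"metadata": "read", "pull_requests": "write", "contents": "write", "administration": "read"}},
  {"app_slug": "tenki-runner-example", "permissions":
    {"metadata": "read", "members": "read", "actions": "write", "contents": "write",
     "pull_requests": "write", "workflows": "write", "administration": "write"}}]}""")

if __name__ == "__main__":
    for slug, findings in audit_org(SAMPLE).items():
        print(slug, findings or "matches documented permissions")
```

Any `EXCESS` finding on the Code Reviewer installation, Administration in particular, contradicts the table above and is worth investigating before approving the grant.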