Connect GitHub.

A fine-grained GitHub App on repositories you select. Tokens expire hourly, every action lands in your audit log, and the merge is always yours: the data contract, applied to code.

gitlab and bitbucket: planned · their guides ship with their connectors

The permission surface

  • contents · read: Source of the repositories you select, and only those. Code enters model context on Vertex AI inside Google Cloud; it is never used to train models and never reaches a vendor outside GCP.
  • pull requests · read & write: The write path: Perfloop opens PRs. It cannot merge, approve, or mark ready.
  • contents · write, case branches only: GitHub requires it to push the branch a PR comes from. We push only perfloop-pr-open-*; your branch protection makes the rest untouchable. Fork mode drops this permission entirely.
  • metadata · read: Mandatory for every GitHub App. Repo names and topology only.

Not requested: administration, actions, secrets, members, or any organization-level permission. Tokens are minted per operation and expire after an hour; there are no stored keys to leak.

Two modes

  • Branch mode (default). PRs from perfloop-pr-open-* branches in your repo. Simplest review flow.
  • Fork mode (zero write). PRs arrive cross-fork; the app holds no write permission of any kind on your repositories. Trade-off: CI on cross-fork PRs depends on your workflow-approval settings.

Setup

1 · install, scoped

Install the app with Only select repositories, starting with one non-critical repo. Expanding or shrinking later is one click on the installation page.

2 · protect the merge

# branch protection makes "perfloop can never merge" github's rule.
# -F (not -f) sends the count as an integer; the three null fields are
# required by the endpoint and leave those settings unset; quoting keeps
# the shell from treating the brackets as a glob:
gh api "repos/$OWNER/$REPO/branches/main/protection" -X PUT \
  -F 'required_pull_request_reviews[required_approving_review_count]=1' \
  -F 'required_status_checks=null' \
  -F 'enforce_admins=null' \
  -F 'restrictions=null'

3 · verify the surface

# the installation page lists what the app can touch; the org
# audit log shows everything it has done:
settings → github apps → perfloop · gh api orgs/$ORG/installations
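An added check for step 3, not Perfloop's own tooling: it reads the JSON that `gh api orgs/$ORG/installations` returns and flags any drift from the permission surface listed above (extra permissions, a stronger level than listed, or an install on all repositories). The app slug `perfloop` is assumed, and the two installation records are constructed samples.

```python
import json
import sys

# The permission surface this guide lists; RANK lets a read-level grant pass where
# write is listed, while anything stronger or unlisted becomes a finding.
EXPECTED = {"contents": "write", "pull_requests": "write", "metadata": "read"}
RANK = {"read": 1, "write": 2, "admin": 3}

def audit_installation(inst, expected=EXPECTED):
    """Findings for one installation record as returned by GET /orgs/{org}/installations."""
    findings = []
    if inst.get("repository_selection") != "selected":
        findings.append("installed on all repositories, not 'Only select repositories'")
    for perm, level in inst.get("permissions", {}).items():
        if perm not in expected:
            findings.append(f"unexpected permission: {perm}={level}")
        elif RANK.get(level, 99) > RANK[expected[perm]]:
            findings.append(f"{perm} granted {level}, guide lists {expected[perm]}")
    return findings

def audit_org(payload, app_slug="perfloop", expected=EXPECTED):
    """Map installation id -> findings for every installation of app_slug (assumed slug)."""
    return {
        inst["id"]: audit_installation(inst, expected)
        for inst in payload.get("installations", [])
        if inst.get("app_slug") == app_slug
    }

# Constructed samples shaped like the API response; not real installations.
CLEAN = {"total_count": 1, "installations": [{
    "id": 101, "app_slug": "perfloop", "repository_selection": "selected",
    "permissions": {"contents": "write", "pull_requests": "write", "metadata": "read"}}]}
DRIFTED = {"total_count": 1, "installations": [{
    "id": 202, "app_slug": "perfloop", "repository_selection": "all",
    "permissions": {"contents": "write", "pull_requests": "write",
                    "metadata": "read", "administration": "write"}}]}

if __name__ == "__main__":
    # pipe `gh api orgs/$ORG/installations` in; with no input the drifted sample is audited
    payload = json.load(sys.stdin) if not sys.stdin.isatty() else DRIFTED
    results = audit_org(payload)
    for inst_id, findings in results.items():
        print(f"installation {inst_id}: {'REVIEW' if findings else 'ok'}")
        for finding in findings:
            print(f"  - {finding}")
    sys.exit(1 if any(results.values()) else 0)
```

Run it as `gh api orgs/$ORG/installations | python3 audit_surface.py`; a non-zero exit means something on the installation is outside the surface this page describes.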

Revocation

Uninstall the app, or remove repositories from the installation. Effective immediately, on your side.

questions from your security team: security@perfloop.ai