Expanded permissions for the Expo GitHub bot

Dan KellyDan Kelly

You may have received (or will soon receive) an email from GitHub asking you to approve updated permissions for the Expo GitHub App. This is a legitimate request from us.

What to do: Click approve when you see the GitHub email. That's it.

Why we're requesting new permissions

We're building new features for the Expo GitHub App and GitHub's permission model requires apps to request expanded access before they can use new API capabilities, which is why you're seeing this email now, ahead of the features themselves. We need “Repository Administration” access to enable automatic EAS project setup for new and existing repositories.

We'll share details about the specific features as they roll out.

What the Expo GitHub App does today

The Expo GitHub App is what connects your GitHub repositories to EAS. When you install it and link a repo to an Expo project, it enables:

  • Triggering EAS Workflows from pushes, pull requests, and tags
  • Posting workflow results (like build and update links) as GitHub PR comments
  • Reading your repository contents to run builds and updates on EAS

These existing features will continue to work regardless of whether you approve the new permissions.

What happens if you don't approve

Nothing breaks. If you choose not to approve the updated permissions, your current EAS Workflows, builds, and updates will continue to function normally. You can also set up a brand new Expo account, connect it to an existing GitHub project, and run workflows without issue.

The only thing you'll miss out on is access to the new agentic features as they become available. You can always approve the permissions later when you're ready.

A note for enterprise teams

We understand that broadly scoped permissions require careful review, especially for organizations with strict access policies. Here's what you should know:

  • The new permissions are additive. They don't change how existing features work or what data they access.
  • You can leave them off. Every current integration (EAS Workflows, builds, updates, PR comments) works without the new permissions.
  • You can approve later. There's no deadline. When the new features ship, you can evaluate whether they're useful for your team and approve at that point.

If your organization has questions about the specific permission scopes being requested, reach out to us at security@expo.dev or on Discord.