kelos-dev · omercnet · Apr 19, 2026 · Apr 19, 2026 · Apr 19, 2026 · Apr 19, 2026
diff --git a/api/v1alpha1/task_types.go b/api/v1alpha1/task_types.go
@@ -154,6 +154,15 @@ type TaskSpec struct {
 	// PodOverrides allows customizing the agent pod configuration.
 	// +optional
 	PodOverrides *PodOverrides `json:"podOverrides,omitempty"`
+
+	// Repositories limits the GitHub App installation token to these
+	// repository names. When set and the workspace uses GitHub App
+	// authentication, the generated GITHUB_TOKEN can only access the
+	// listed repositories. Ignored when the workspace uses a PAT.
+	// Repository names are relative to the installation owner
+	// (e.g., "my-repo", not "org/my-repo").
+	// +optional
+	Repositories []string `json:"repositories,omitempty"`
 }
 
 // TaskStatus defines the observed state of Task.

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/internal/controller/task_controller.go b/internal/controller/task_controller.go
@@ -378,7 +378,10 @@ func (r *TaskReconciler) resolveGitHubAppToken(ctx context.Context, task *kelosv
 		}
 	}
 
-	tokenResp, err := tc.GenerateInstallationToken(ctx, creds)
+	opts := &githubapp.TokenOptions{
+		Repositories: task.Spec.Repositories,
+	}
+	tokenResp, err := tc.GenerateInstallationToken(ctx, creds, opts)
 	if err != nil {
 		return nil, fmt.Errorf("generating installation token: %w", err)
 	}

diff --git a/internal/githubapp/token.go b/internal/githubapp/token.go
@@ -17,6 +17,7 @@ limitations under the License.
 package githubapp
 
 import (
+	"bytes"
 	"context"
 	"crypto"
 	"crypto/rand"
@@ -51,6 +52,14 @@ type TokenResponse struct {
 	ExpiresAt time.Time
 }
 
+// TokenOptions configures optional scoping for installation tokens.
+type TokenOptions struct {
+	// Repositories limits the token to these repository names.
+	// Names are relative to the installation owner (e.g., "my-repo",
+	// not "org/my-repo").
+	Repositories []string `json:"repositories,omitempty"`
+}
+
 // TokenClient generates GitHub App installation tokens.
 type TokenClient struct {
 	BaseURL string
@@ -125,14 +134,25 @@ func parsePrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
 }
 
 // GenerateInstallationToken exchanges GitHub App credentials for an installation token.
-func (tc *TokenClient) GenerateInstallationToken(ctx context.Context, creds *Credentials) (*TokenResponse, error) {
+// When opts is non-nil and contains Repositories, the token is scoped to those repositories.
+func (tc *TokenClient) GenerateInstallationToken(ctx context.Context, creds *Credentials, opts *TokenOptions) (*TokenResponse, error) {
 	jwt, err := generateJWT(creds)
 	if err != nil {
 		return nil, fmt.Errorf("generating JWT: %w", err)
 	}
 
 	url := fmt.Sprintf("%s/app/installations/%s/access_tokens", tc.baseURL(), creds.InstallationID)
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, nil)
+
+	var body io.Reader
+	if opts != nil && len(opts.Repositories) > 0 {
+		payload, err := json.Marshal(opts)
+		if err != nil {
+			return nil, fmt.Errorf("marshaling token options: %w", err)
+		}
+		body = bytes.NewReader(payload)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, body)
 	if err != nil {
 		return nil, fmt.Errorf("creating request: %w", err)
 	}
@@ -242,7 +262,7 @@ func (tp *TokenProvider) Token(ctx context.Context) (string, error) {
 		return tp.token, nil
 	}
 
-	resp, err := tp.client.GenerateInstallationToken(ctx, tp.creds)
+	resp, err := tp.client.GenerateInstallationToken(ctx, tp.creds, nil)
 	if err != nil {
 		// Fall back to cached token if it has not actually expired yet
 		if tp.token != "" && now.Before(tp.expiresAt) {

diff --git a/internal/githubapp/token_test.go b/internal/githubapp/token_test.go
@@ -24,6 +24,7 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -230,7 +231,7 @@ func TestGenerateInstallationToken(t *testing.T) {
 		Client:  server.Client(),
 	}
 
-	resp, err := tc.GenerateInstallationToken(context.Background(), creds)
+	resp, err := tc.GenerateInstallationToken(context.Background(), creds, nil)
 	if err != nil {
 		t.Fatalf("GenerateInstallationToken: %v", err)
 	}
@@ -417,8 +418,125 @@ func TestGenerateInstallationToken_Error(t *testing.T) {
 		Client:  server.Client(),
 	}
 
-	_, err = tc.GenerateInstallationToken(context.Background(), creds)
+	_, err = tc.GenerateInstallationToken(context.Background(), creds, nil)
 	if err == nil {
 		t.Error("expected error for 401 response")
 	}
 }
+
+func TestGenerateInstallationToken_WithRepositories(t *testing.T) {
+	_, keyPEM := generateTestKey(t)
+
+	expiresAt := time.Now().Add(1 * time.Hour).UTC().Truncate(time.Second)
+
+	var receivedBody map[string]interface{}
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		body, err := io.ReadAll(r.Body)
+		if err != nil {
+			t.Fatalf("reading request body: %v", err)
+		}
+		if len(body) > 0 {
+			if err := json.Unmarshal(body, &receivedBody); err != nil {
+				t.Fatalf("unmarshaling request body: %v", err)
+			}
+		}
+
+		w.WriteHeader(http.StatusCreated)
+		json.NewEncoder(w).Encode(map[string]interface{}{
+			"token":      "ghs_scoped_token",
+			"expires_at": expiresAt.Format(time.RFC3339),
+		})
+	}))
+	defer server.Close()
+
+	creds, err := ParseCredentials(map[string][]byte{
+		"appID":          []byte("12345"),
+		"installationID": []byte("67890"),
+		"privateKey":     keyPEM,
+	})
+	if err != nil {
+		t.Fatalf("ParseCredentials: %v", err)
+	}
+
+	tc := &TokenClient{
+		BaseURL: server.URL,
+		Client:  server.Client(),
+	}
+
+	opts := &TokenOptions{
+		Repositories: []string{"my-repo", "other-repo"},
+	}
+	resp, err := tc.GenerateInstallationToken(context.Background(), creds, opts)
+	if err != nil {
+		t.Fatalf("GenerateInstallationToken: %v", err)
+	}
+
+	if resp.Token != "ghs_scoped_token" {
+		t.Errorf("Token = %q, want %q", resp.Token, "ghs_scoped_token")
+	}
+
+	// Verify the request body contained the repositories
+	repos, ok := receivedBody["repositories"]
+	if !ok {
+		t.Fatal("request body missing 'repositories' field")
+	}
+	repoList, ok := repos.([]interface{})
+	if !ok {
+		t.Fatalf("repositories is not an array: %T", repos)
+	}
+	if len(repoList) != 2 {
+		t.Errorf("repositories length = %d, want 2", len(repoList))
+	}
+	if repoList[0] != "my-repo" || repoList[1] != "other-repo" {
+		t.Errorf("repositories = %v, want [my-repo other-repo]", repoList)
+	}
+}
+
+func TestGenerateInstallationToken_NilOpts(t *testing.T) {
+	_, keyPEM := generateTestKey(t)
+
+	expiresAt := time.Now().Add(1 * time.Hour).UTC().Truncate(time.Second)
+
+	var requestBodyEmpty bool
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		body, _ := io.ReadAll(r.Body)
+		requestBodyEmpty = len(body) == 0
+
+		w.WriteHeader(http.StatusCreated)
+		json.NewEncoder(w).Encode(map[string]interface{}{
+			"token":      "ghs_unscoped",
+			"expires_at": expiresAt.Format(time.RFC3339),
+		})
+	}))
+	defer server.Close()
+
+	creds, err := ParseCredentials(map[string][]byte{
+		"appID":          []byte("12345"),
+		"installationID": []byte("67890"),
+		"privateKey":     keyPEM,
+	})
+	if err != nil {
+		t.Fatalf("ParseCredentials: %v", err)
+	}
+
+	tc := &TokenClient{BaseURL: server.URL, Client: server.Client()}
+
+	// nil opts should send no body (backward compatible)
+	_, err = tc.GenerateInstallationToken(context.Background(), creds, nil)
+	if err != nil {
+		t.Fatalf("GenerateInstallationToken: %v", err)
+	}
+	if !requestBodyEmpty {
+		t.Error("expected empty request body for nil opts")
+	}
+
+	// Empty repositories should also send no body
+	requestBodyEmpty = false
+	_, err = tc.GenerateInstallationToken(context.Background(), creds, &TokenOptions{})
+	if err != nil {
+		t.Fatalf("GenerateInstallationToken with empty opts: %v", err)
+	}
+	if !requestBodyEmpty {
+		t.Error("expected empty request body for empty opts")
+	}
+}
diff --git a/internal/manifests/charts/kelos/templates/crds/task-crd.yaml b/internal/manifests/charts/kelos/templates/crds/task-crd.yaml
@@ -375,6 +375,17 @@ spec:
               prompt:
                 description: Prompt is the task prompt to send to the agent.
                 type: string
+              repositories:
+                description: |-
+                  Repositories limits the GitHub App installation token to these
+                  repository names. When set and the workspace uses GitHub App
+                  authentication, the generated GITHUB_TOKEN can only access the
+                  listed repositories. Ignored when the workspace uses a PAT.
+                  Repository names are relative to the installation owner
+                  (e.g., "my-repo", not "org/my-repo").
+                items:
+                  type: string
+                type: array
               ttlSecondsAfterFinished:
                 description: |-
                   TTLSecondsAfterFinished limits the lifetime of a Task that has finished

diff --git a/internal/manifests/install-crd.yaml b/internal/manifests/install-crd.yaml
@@ -599,6 +599,17 @@ spec:
               prompt:
                 description: Prompt is the task prompt to send to the agent.
                 type: string
+              repositories:
+                description: |-
+                  Repositories limits the GitHub App installation token to these
+                  repository names. When set and the workspace uses GitHub App
+                  authentication, the generated GITHUB_TOKEN can only access the
+                  listed repositories. Ignored when the workspace uses a PAT.
+                  Repository names are relative to the installation owner
+                  (e.g., "my-repo", not "org/my-repo").
+                items:
+                  type: string
+                type: array
               ttlSecondsAfterFinished:
                 description: |-
                   TTLSecondsAfterFinished limits the lifetime of a Task that has finished