GitHub — Fine-grained PAT for Per-repo Access Control
How to give Claude Code (or any tool) read-only access to specific GitHub repos while keeping full access to others, using fine-grained Personal Access Tokens.
Why / When to Use
Use when working in a multi-repo workspace and you want to allow Claude Code to read but not push to certain repositories (e.g., vendor repos, reference codebases, sensitive configs).
Core Concept / Commands
Step 1 — Create a fine-grained PAT
- GitHub → Settings → Developer settings → Personal access tokens → Fine-grained tokens
- Create a token scoped to specific repositories
- Set permissions per-repo:
- Read-only repo:
Contents: Read-only - Full-access repo:
Contents: Read and write
- Read-only repo:
Step 2 — Configure git remotes to use different tokens
# Read-only repo — use read-only token
git remote set-url origin https://<READ_ONLY_TOKEN>@github.com/user/repo-a.git
# Full access repo — use full token
git remote set-url origin https://<FULL_TOKEN>@github.com/user/repo-b.gitKey Options / Variants
Two-layer read-only enforcement (stronger)
Fine-grained PAT alone only blocks remote pushes. Claude Code can still edit files locally. To block local edits too, combine with:
# Block all local writes to the repo directory
chmod -R a-w /path/to/read-only-repo/
# Or use Claude Code's settings.json deny rules| Layer | What it blocks |
|---|---|
| Fine-grained PAT | git push rejected by GitHub (403) |
chmod -R a-w / settings.json | Local file edits blocked by OS/Claude |
Gotchas
- PAT is embedded in the remote URL — don’t commit
.git/configto version control chmod -R a-wis aggressive; undo withchmod -R u+wwhen you need to update the repo manually- Fine-grained PATs have an expiry date — set a calendar reminder to rotate
Source
Conversation: “Multiple GitHub repositories in one workspace” — 2026-05-18