
Implement new options for GitHub App credentials to dynamically restrict the repositories and permissions available to the access tokens


When creating an app installation access token with the GitHub API, it is optionally possible to restrict the repositories accessible to the token as well as the permissions that are available to the token. The requested repositories and permissions must be subsets of the configuration for the app installation in GitHub. See https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app for details.

We should expose options in Jenkins so that users can choose to restrict the access available to GitHub App credentials when they are used in a context where Jenkins knows what organization and/or repository needs to be accessed. For example, Organization Folders and Multibranch Pipelines should be able to be configured to use a single GitHub App credential, but if the credentials are used in the individual Pipeline jobs, the generated app installation access tokens should only have access to that specific repository and the configured permissions, even if they are retrieved directly via something like the withCredentials step in a Pipeline.
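The subset rule described above, as an added example (not code from Jenkins or the GitHub plugins): given the installation's configuration and the repository a job is known to need, build the request body for `POST /app/installations/{installation_id}/access_tokens`, refusing any repository or permission level the installation does not already grant. The installation record is a constructed, simplified shape; the JWT app authentication and the HTTP call are assumed to happen elsewhere.

```python
import json

# Permission levels GitHub accepts, in increasing order of access.
LEVELS = {"read": 1, "write": 2, "admin": 3}


def restricted_token_request(installation, repo_full_name, wanted_permissions):
    """Build the JSON body for POST /app/installations/{id}/access_tokens.

    `installation` is a constructed summary of the app installation: the
    account it is installed on, whether it covers all or selected
    repositories, and the permission level granted per scope. The result
    narrows the token to one repository and to `wanted_permissions`, and
    rejects anything that is not a subset of what the installation grants:
    GitHub would refuse such a request anyway, and silently falling back to
    an unrestricted token would hand the job broader access than intended.
    """
    owner, _, name = repo_full_name.partition("/")
    if owner.lower() != installation["account"].lower():
        raise ValueError(f"{repo_full_name} is outside account {installation['account']}")
    if installation["repository_selection"] == "selected" and name not in installation["repositories"]:
        raise ValueError(f"{repo_full_name} is not among the installation's selected repositories")
    granted = installation["permissions"]
    for scope, level in wanted_permissions.items():
        if scope not in granted:
            raise ValueError(f"permission {scope!r} is not granted to the installation")
        if LEVELS[level] > LEVELS[granted[scope]]:
            raise ValueError(f"{scope}: requested {level}, installation only has {granted[scope]}")
    return {"repositories": [name], "permissions": dict(wanted_permissions)}


INSTALLATION = {  # constructed sample, not a real installation
    "account": "example-org",
    "repository_selection": "selected",
    "repositories": ["app", "infra"],
    "permissions": {"contents": "read", "pull_requests": "write", "checks": "write"},
}

if __name__ == "__main__":
    # A Pipeline job for example-org/app that only needs to read code and post check runs.
    body = restricted_token_request(INSTALLATION, "example-org/app", {"contents": "read", "checks": "write"})
    print(json.dumps(body, indent=2))
```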

dnusbaum Devin Nusbaum