Open brandonfranzke opened 8 months ago
Upon investigation, maybe that truly is the minimal permission level -- wow
https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps
Any estimate for level of work to use personal access tokens?
https://github.com/settings/personal-access-tokens/new
https://docs.github.com/en/rest/orgs/personal-access-tokens?apiVersion=2022-11-28
Based on https://github.com/octokit/octokit.rb:
It looks like it's just a 1-for-1 replacement with the existing OAuth token. So even just a user field to "update" token might work, but it would be even better -- given the security implications -- to simply prompt -- "Personal Access Token" or "OAuth" (understand it's not so simple in implementation, especially user facing).
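The comment above treats a personal access token as a drop-in for the OAuth token in octokit.rb, and the original issue asks what the integration actually requests. One defender-side check that applies to either kind of classic token is to read the `X-OAuth-Scopes` response header GitHub sends back on every API call and compare it with the scopes the integration needs. The following is an added example, not Autolab's or octokit.rb's code; it avoids the gem so it runs offline, takes the header value as a plain string (in octokit.rb it is available as `client.last_response.headers["x-oauth-scopes"]` after any request), and the `REQUIRED` list of `public_repo` is a hypothetical minimum, not something the Autolab docs state. The scope hierarchy table is a subset transcribed from the scopes page linked above.

```ruby
# Added example (not Autolab's or octokit.rb's code): compare the scopes a
# classic OAuth/PAT token actually carries against the scopes an integration
# needs, using GitHub's X-OAuth-Scopes response header.

# Parent scope => narrower scopes it implies, per GitHub's OAuth scopes docs.
# Assumption: only the subset relevant to repository access is listed here;
# consult the linked scopes page for the full hierarchy.
SCOPE_IMPLIES = {
  "repo" => %w[repo:status repo_deployment public_repo repo:invite security_events],
  "admin:org" => %w[write:org read:org],
  "write:org" => %w[read:org],
  "admin:repo_hook" => %w[write:repo_hook read:repo_hook],
  "write:repo_hook" => %w[read:repo_hook],
  "user" => %w[read:user user:email user:follow],
  "write:packages" => %w[read:packages],
}.freeze

# Parse the comma-separated header value. A fine-grained PAT carries no
# classic scopes, so GitHub omits the header; treat nil/empty as "none".
def parse_scopes(header_value)
  return [] if header_value.nil?
  header_value.split(",").map(&:strip).reject(&:empty?)
end

# Expand each granted scope into everything it implies, transitively.
def effective_scopes(granted)
  seen = []
  queue = granted.dup
  until queue.empty?
    s = queue.shift
    next if seen.include?(s)
    seen << s
    queue.concat(SCOPE_IMPLIES.fetch(s, []))
  end
  seen.sort
end

# Report which required scopes the token lacks, and which granted scopes are
# broader than anything the integration needs (the excess worth questioning).
def audit_scopes(header_value, required)
  granted = parse_scopes(header_value)
  effective = effective_scopes(granted)
  missing = required - effective
  needed_closure = effective_scopes(required)
  excess = granted.reject { |s| needed_closure.include?(s) }
  { granted: granted, missing: missing, excess: excess }
end

# Constructed sample header value, shaped like what GitHub returns for a
# token that was authorized with broad scopes.
SAMPLE_HEADER = "repo, admin:org, user:email"
# Hypothetical minimum for cloning public repositories; not from the Autolab docs.
REQUIRED = %w[public_repo].freeze

if __FILE__ == $PROGRAM_NAME
  result = audit_scopes(SAMPLE_HEADER, REQUIRED)
  puts "granted: #{result[:granted].join(', ')}"
  puts "missing: #{result[:missing].inspect}"
  puts "excess : #{result[:excess].inspect}"
end
```

Run against the sample header, `missing` is empty because `repo` implies `public_repo`, while all three granted scopes show up as excess; that is exactly the "Read/Write/Manage" breadth the issue questions, made visible from the token itself rather than from the authorization screen.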
Thanks for the feature request! This is definitely a possibility we could look into—we'd need to integrate GitHub Apps to allow for more fine-grained access, so that would require some work on that end.
Related PRs #2060 #2061 -- to examine and adapt
I am testing GitHub integration for several Autolab courses. Autolab is latest -- v2.12.0.
Docs claim a minimal set of permissions:
https://docs.autolabproject.com/features/git-submission/
But when I attempt to connect my git account with OAuth I am presented with an authorization request which looks like:
Is this the intended "minimum set of permissions" to pull the tgz? Read/Write/Manage looks like administrator scope at my organization level, *.*
I tested with a newly created, non-associated GitHub account just in case there was weirdness with the OAuth app and requesting user being in the same organization. Same result.
What permissions should this be requesting? Is there some flag or configuration I need to change to achieve a minimal permission request? Is there something I need to change about the GitHub app itself?