Cursor asks for over-broad Github permissions when indexing my codebase.

[Taytay]

When indexing my entire codebase, Cursor asks for the following permissions:

Repositories
Public and private
This application will be able to read and write all public and private repository data. This includes the following:

Code
Issues
Pull requests
Wikis
Settings
Webhooks and services
Deploy keys
Collaboration invites
Note: In addition to repository related resources, the repo scope also grants access to manage organization attributes and organization-owned resources including projects, invitations, team memberships and webhooks. This scope also grants the ability to manage projects owned by users.

I want to use Cursor, and I am okay with it reading our code, but this level of permissions is not going to fly with our folks. Is there a way to tone this down and limit it to reading/writing code?

[truell20]

Working on a change to codebase indexing that doesn't require Github access at all! That should hopefully help fix this issue.

[Taytay]

Thanks!

For what it's worth, I'm okay with reading code too, but being able to read and write all of those other fields of our GitHub org would increase the surface area so much that you'd you (and thus we) become a very juicy target for hackers.

[abdul-hamid-achik]

it seems now you can code index without github at all! its very interesting and works great

[birkskyum]

I wanted to make a fork of a repo, and am prompted with this - granting full access even to all orgs etc. I'm part of seems way too much. Would love something much more granular as I can't responsibly tick that box.