Do some manual testing to verify with a key that only has those permissions:
  - importing new project
  - refreshing the project
Document the required permissions.
When importing from either provider, you need an access key. The access this key needs has to be documented, as it's an obvious question that arises.
Todo:
We should make it possible to update the credentials for a project in the future when we need it, such as when we need to set commit statuses; we then need permission for that. But let's follow the "principle of least privilege".