microsoft / vscode-copilot-release

Feedback on GitHub Copilot Chat UX in Visual Studio Code.
https://marketplace.visualstudio.com/items?itemName=GitHub.copilot-chat
Creative Commons Attribution 4.0 International

Github Copilot Chat wants to sign in using github no matter what #813

Closed akshaal closed 8 months ago

akshaal commented 9 months ago

Steps to Reproduce:

  1. Open a private repository
  2. Observe: The extension 'Github Copilot Chat' wants to sign in using Github. We need more permissions to work with this type of repository.
  3. Click "Cancel"
  4. Restart vscode.
  5. Go to step 2.

The extension should remember my choice. I don't really understand why I should give github copilot chat every possible permission to every single private repository I use. Nor might it be possible for some organizations due to policies.

isaachinman commented 9 months ago

Also seeing this. Getting requests for additional permissions to edit GitHub workflow files every few minutes.

JacoBriers commented 9 months ago

+1. Don't understand why they need this:

This application will be able to read and write all public and private repository data. This includes the following:

- Code
- Issues
- Pull requests
- Wikis
- Settings
- Webhooks and services
- Deploy keys
- Collaboration invites

TylerLeonhardt commented 9 months ago

We need the extra permissions (repo) in order to use a GitHub Search API because without it, it says the repo doesn't exist. GitHub doesn't split up repo permissions into read and write for this, unfortunately so we ask for the scope required to do the job.

We're asking for similar things to what the GitHub Pull Request & GitHub Repositories extension are asking for. Both extensions which our team owns.

You only need to approve of the additional permissions once, and then you shouldn't need to see it again. Trust me, if GitHub OAuth apps had a way to be more granular we'd take that approach, but the platform doesn't have it.
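
An added illustration, not part of the thread and not code from the Copilot extension: GitHub reports the scopes of a classic or OAuth app token in the `X-OAuth-Scopes` response header, so what was consented to can be compared with what a task needs. The header values and the `needed` sets below are constructed samples.

```python
# Added example: audit the scopes GitHub reports for a classic/OAuth app token.
# GitHub lists them in the X-OAuth-Scopes header of authenticated REST responses.

# Parent scopes and the narrower scopes they include (subset of GitHub's list).
IMPLIED = {
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
    "user": {"read:user", "user:email", "user:follow"},
}

# Scopes that deserve a second look before consenting.
BROAD = {
    "repo": "read/write to all public and private repository data",
    "workflow": "add and update GitHub Actions workflow files",
}


def parse_scopes(headers):
    """Return the scopes in X-OAuth-Scopes (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "x-oauth-scopes":
            return {s.strip() for s in value.split(",") if s.strip()}
    return set()


def audit(headers, needed):
    """Compare granted scopes with the scopes a task actually needs."""
    granted = parse_scopes(headers)
    needed = set(needed)
    covered = set(granted)
    for scope in granted:
        covered |= IMPLIED.get(scope, set())
    # A parent scope granted where only one of its children was needed.
    overbroad = {s for s in granted - needed if IMPLIED.get(s, set()) & needed}
    return {
        "missing": sorted(needed - covered),
        "overbroad": sorted(overbroad),
        "excess": sorted(granted - needed - overbroad),
        "broad": {s: BROAD[s] for s in sorted(granted) if s in BROAD},
    }


# Constructed sample headers: a token before and after the extra consent.
BEFORE = {"X-OAuth-Scopes": "read:user, user:email"}
AFTER = {"x-oauth-scopes": "read:user, user:email, repo, workflow"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(hdrs, needed={"read:user", "user:email"}))
```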

joenap commented 9 months ago

Since when does Microsoft ask for permissions? About to get unsubscribed.

vladshcherbin commented 9 months ago

Jesus Christ, this is annoying. Every vscode restart gives this dialog box and you can't even disable this Chat in extensions or via any setting 🤮

isaachinman commented 9 months ago

@TylerLeonhardt @Tyriar Do we have any estimate for when this will be fixed?

We are paying users and expect a functional product. Bugs happen but this should be patched ASAP.

dawidpstrak commented 8 months ago

The permissions you require are too wide, imo.

TylerLeonhardt commented 8 months ago

I am going to change this to not show a modal every time. You'll see it once and then future reloads will not show it and instead it'll be asked for in the account menu no longer in the forefront. The change will be in tomorrow's Prerelease extension.

ayaankazerouni commented 8 months ago

Hi @TylerLeonhardt Thanks for your responses! It appears this issue is really raising two issues:

  1. The extension shouldn't keep popping up a modal asking for permissions after a user has answered it once. Seems like a fix is incoming for this. Thanks!
  2. The second, broader question is why Copilot needs all these permissions.

I opened a discussion about this at community/community#106551 before I saw this issue. I don't know where this discussion should continue, so please let me know if I should post this comment there instead.

> Trust me, if GitHub OAuth apps had a way to be more granular we'd take that approach, but the platform doesn't have it.

I understand that GitHub doesn't provide this granularity, but it really should. Do you have a suggestion about where or with whom we could raise that issue? (I know that you, individually, may not be the person with the power or ability to address these questions. So please interpret the following as a general question.)

While Copilot, VSCode, and GitHub OAuth may belong to different teams, and I understand the limited influence one team has on another, it's also true that they are all tied together under one parent corporation. The VSCode Copilot extension's README links to the GitHub Privacy Policy, which doesn't say anything about how access to private repos will be used, unless I missed it. So, while I understand that GitHub OAuth doesn't provide the granularity that this extension's developers want, the fact remains that we are bound by GitHub's privacy policy, which is a little tight-lipped on how this access is going to be used, now or in the future.

Perhaps this discussion should be had over at the community discussion forum.

timbo-desosa-overhaul commented 8 months ago

I got the prompt to allow access to this repo but I refused because the organization looks super suspicious? https://github.com/Visual-Studio-Code

I do see that @TylerLeonhardt is a contributor and also responding here so I guess it is legitimate, but it would be less scary if they were actually part of the microsoft org or had some content on a microsoft site verifying that it's legit.

Thanks!

TylerLeonhardt commented 8 months ago

@timbo-desosa-overhaul do you see the "Part of Microsoft Open Source" and that it's "verified"? We can't use the Microsoft org, it's not really reserved for our use cases and is very very locked down. I could add a README.

shanewazabbas commented 8 months ago

> We need the extra permissions (repo) in order to use a GitHub Search API because without it, it says the repo doesn't exist.

But why is this an issue now?

TylerLeonhardt commented 8 months ago

GitHub lit up a code search API (if you're a GH Copilot Enterprise user, you can trigger indexing of your repos on github.com) that is faster than the strategies we use locally... but the only way to check if we can use this API is if we get a more permissive token... we wanted users to take advantage of this in @workspace queries for a better experience so we ask for auth at startup if we don't have it.

My bug was that I wasn't checking if the user had Chat enabled before asking for this token. If you don't have access to chat, then minting that new token isn't needed and is just annoying.

By allowing the auth flow to succeed, you're not "turning on Chat" or anything remotely like that, you're just allowing a GitHub published extension to mint a new auth token that can be used to do more things with GitHub.

shanewazabbas commented 8 months ago

> we wanted users to take advantage of this in @workspace queries for a better experience

If that's the case, can this just be locked under a setting to enable/disable it? I don't think it's a blocker of a requirement for copilot to function, if I understand it correctly.

TylerLeonhardt commented 8 months ago

In prerelease, we now check if you have Chat enabled. Better than a setting.

This will land in stable next week.

vladshcherbin commented 8 months ago

HOW TO REMOVE THIS????????????????

I've switched to Pre-Release versions

copilot - v1.160.706 (pre-release)
chat - v0.13.2024020201 (pre-release)

It's up for 2 weeks, I've probably closed this f modal more than 100 times

@TylerLeonhardt when or why it's not released/working???

TylerLeonhardt commented 8 months ago

@vladshcherbin do you or your organization have access to chat?

Javier-Machin commented 8 months ago

This is still a problem, as it seems it's not possible to install or enable only copilot without chat coming along, therefore the modal keeps appearing. Also I noticed that it works without the permissions, so I don't get why you are not asking for that once the relevant or the related feature that needs it is used, instead of across the board for everybody... There has to be a better way than closing the issue and leaving it in the annoying state it is now.

TylerLeonhardt commented 8 months ago

We're being eager here because there are features that will start using these faster search APIs that may not have such a clear user interaction. In other words, we ask for this upfront before you get in the groove of coding, rather than a modal coming out of nowhere for some future feature that needs this.

I'm letting you know that for now, the extension can work without the additional permissions, but it's slower, and eventually, the extension will not work without this.

If you don't actually have chat enabled for your account and you're still seeing this issue on version 0.12.2 or the latest prerelease of Copilot Chat, then a bug remains that I need to fix.

If you do have chat enabled for your account, and you're on the latest prerelease of Copilot Chat the experience you should see is that you see the modal once and then future reloads of the window should only ask you in the account menu.

If you do have chat enabled for your account, and you're on version 0.12.2 you'll have the new behavior (only showing 1 modal) when 0.13.0 is released in 2 weeks.

As I stated above, we're talking about a GitHub extension asking for a token to do things with GitHub APIs. It's GitHub talking to GitHub.

Alternative workaround (since the latest copilot does ask for these new scopes now):

ayaankazerouni commented 8 months ago

> I'm letting you know that for now, the extension can work without the additional permissions, but it's slower, and eventually, the extension will not work without this.

Should we not use Copilot if we're not prepared to allow read/write permissions to our public and private repos?

akshaal commented 8 months ago

> I'm letting you know that for now, the extension can work without the additional permissions, but it's slower, and eventually, the extension will not work without this.

@TylerLeonhardt thank you for taking the time to participate in the discussion. Just to double check I read it correctly. Does what you say really mean that the copilot will eventually refuse to assist with files that don't belong to a github repository? Like now I can simply do:

touch /tmp/x.sh && code /tmp/x.sh

and then ask copilot chat extension to help me with the script. Or I could download a tgz file with some source code, extract it to a directory, open that directory in the vscode and ask "@workspace what programming languages are used in the workspace?", and it gives me a useful answer that takes into account content of the files in the workspace - it just works, I've tested it now.

So, are you saying I will no longer be able to use copilot chat in the given scenarios? If the answer is 'yes - it will no longer work', then it's really a sad twist in the story... If 'no - it still will work without a github repository for the workspace' - then maybe you could reuse the same repositoryless strategy as a fallback for the case when the user doesn't want to or just can't grant the RW-token.

crahan commented 8 months ago

I've been trying to disable Copilot Chat after this recent permission update change, but I seem to be missing something. I have a GitHub Copilot Individual subscription and Copilot settings on GitHub don't appear to include an option to disable chat (like Organizations have).

If I uninstall the GitHub Copilot Chat extension, then the GitHub Copilot extension itself is uninstalled as well. If I disable the GitHub Copilot Chat extension, then the GitHub Copilot extension is disabled as well.

Can anyone shed some light on how the chat component can be disabled without uninstalling or disabling the GitHub Copilot extension as well?

aaronclong commented 8 months ago

Yeah, I'm getting this as well, but I only use this for work and it wants access to my personal repos:

The extension 'GitHub Copilot Chat' wants to sign in using GitHub. We need more permissions to work with this type of repository

@TylerLeonhardt I don't think this is sufficient. I don't want to give CoPilot access to my private repos when I only use it for work. There is no way to only set it for my work repos, which is extremely upsetting. Please reopen this. Despite Github's lack of granular permission, I should be able to select which orgs I would like to index or not (https://github.com/microsoft/vscode-copilot-release/issues/813#issuecomment-1924677176).

Is there some kind of setting or config to just turn this feature off altogether?

https://github.com/microsoft/vscode-copilot-release/issues/813#issuecomment-1930673126

ash47 commented 8 months ago

This just started to affect me now, I am getting pop ups now, I use copilot every day and today is the first day I've seen these modals, and I too don't really want to grant permissions for it to hit all my stuff when it worked fine before without it :(

jtc1246 commented 8 months ago

This is a very stupid design, and I don't know what the developers think. If I cancel, I can still use it normally, but it will show every time I open a directory, and I need to close it manually each time. I am worried that the university can see my usage of copilot if I allow this, because they prohibit the usage of AI in homework and projects.

jtc1246 commented 8 months ago

Can be resolved by following:

Don't use github.com in url, use IP or setup a port forwarding server to github.com (I have only tested using IP, port forwarding server not tested). For example, if originally you use git clone git@github.com:aaa/bbbb.git, use git clone git@140.82.114.3:aaa/bbbb.git instead. The popup window will not show if doing like this.

j-rahman commented 8 months ago

I just encountered the same issue. I do not want to give unnecessary read/write access to my public and private repos just to be able to use Copilot. This is bad design, and should be fixed. Why is this active issue marked as "closed"?

seanbhart commented 8 months ago

yikes. this is certainly not a closed issue.

notpeter commented 8 months ago

@TylerLeonhardt I see that (in prerelease) you've fixed the persistence of this prompt (thanks). Are there other GH issues for the other outstanding concerns?

Specifically, many of us are surprised by:

> We need the extra permissions (repo) in order to use a GitHub Search API because without it, it says the repo doesn't exist. GitHub doesn't split up repo permissions into read and write for this, unfortunately so we ask for the scope required to do the job.

The documentation for search/code makes no mention of such a limitation and claims to support scoped tokens. Is there an issue elsewhere we should be advocating for?

If you consider this issue (the aggressive prompting) closed, should I start a new issue to specifically discuss the over-scoped permissions request?

ash47 commented 8 months ago

For me, it still pops up for every VS Code instance, and it takes long enough where I can be typing, hit enter for a new line right as it pops up and takes me to GitHub to auth.

Saying no isn't persistent.

On Thu, 29 Feb 2024, 5:23 am Peter Tripp, @.***> wrote:

> @TylerLeonhardt https://github.com/TylerLeonhardt I see that (in prerelease) you've fixed the persistence of this prompt (thanks). Are there other GH issues for the other outstanding concerns?
>
> Specifically, many of us are surprised by:
>
> > We need the extra permissions (repo) in order to use a GitHub Search API because without it, it says the repo doesn't exist. GitHub doesn't split up repo permissions into read and write for this, unfortunately so we ask for the scope required to do the job.
>
> The documentation for search/code https://docs.github.com/en/rest/search/search?apiVersion=2022-11-28#search-code--fine-grained-access-tokens makes no mention of such a limitation and claims to support scoped tokens. Is there an issue elsewhere we should be advocating for?
>
> If you consider this issue (the aggressive prompting) closed, should I start a new issue to specifically discuss the over-scoped permissions request?

joshuatshaffer commented 8 months ago

I managed to get this to stop by going to the GitHub Copilot Chat extension and selecting "Install Another Version..." and then choosing 0.11.1. That version does not have this bug.

vladshcherbin commented 8 months ago

Holy moly, after 3 weeks of everyday endless closing of modal window it's finally fixed for me with the latest vscode and copilot releases:

vscode: Version: 1.87.0 (Universal)
copilot: v1.168.741 (pre-release)
copilot chat: v0.13.2024022301 (pre-release)

To everyone subscribed - maybe it'll also fix it for you, give a try 🙌

crahan commented 8 months ago

Can't the GitHub Copilot extension be decoupled from the GitHub Copilot Chat extension? I don't need chat, I just need the functionality that GitHub Copilot provides.

Yet it's impossible to uninstall or disable the Copilot Chat extension without the Copilot extension also being uninstalled or disabled.

akshaal commented 8 months ago

This issue is marked as closed. I think a new issue needs to be created to get some attention to the problems raised in the discussion.

aaronclong commented 8 months ago

I opened a new issue for the Scope repo/org access: https://github.com/microsoft/vscode-copilot-release/issues/982

bntzio commented 5 months ago

Why is this closed? The issue hasn't been fixed yet...

xieshuaix commented 2 months ago

You could persist github login but not github copilot? I just don't get it.

keivanpourzang commented 2 months ago

My copilot chat extension was ignoring the authentication no matter how many times I logged in. I switched to an older version (v0.17.1) and that fixed it.