Closed rht closed 1 year ago
that's the oauth login which we discard the token for immediately -- github doesn't give us a way to turn it off but if you don't log in you don't need it
But I'm logged in to GH all the time. How am I sure that the token is discarded immediately?
that's different -- so github apps are two components: (1) the app install and (2) the oauth login
the former is what happens when you install pre-commit.ci on an org/user, it does not involve the "act on your behalf" privilege. the latter is the oauth token which is handed to pre-commit.ci when performing the login flow (such that pre-commit.ci can know what user you are so it can display your installs).
once the app is installed you can log out of pre-commit.ci and never log in again and the oauth token will be destroyed (technically it's inaccessible before that because we discard it but I suspect you're extra paranoid so you can take that extra step) -- you can also remove the oauth authorization explicitly via https://github.com/settings/apps/authorizations (I suspect you'll find other things there -- each of those also "can act on your behalf")
pre-commit.ci will never perform actions on behalf of a user -- all actions will be performed by pre-commit-ci[bot]
it does really suck that github doesn't let us do an oauth login without having "act on your behalf" show up despite setting zero permissions for that
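As an added illustration of the login flow described above (example code, not pre-commit.ci's own): the user OAuth token is used once to answer "who are you" and "which installs can you see", and only the login and installation list survive into the session. The `fetch` parameter is an assumption so the flow can run offline; the real GitHub endpoints are `GET /user` and `GET /user/installations`.

```python
import json
import urllib.request
from typing import Any, Callable, Dict

API = "https://api.github.com"


def github_get(token: str, path: str) -> Dict[str, Any]:
    """Default fetcher: one authenticated GET against the GitHub REST API."""
    req = urllib.request.Request(
        API + path,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:  # network call; swapped out in tests
        return json.load(resp)


def complete_login(token: str,
                   fetch: Callable[[str, str], Dict[str, Any]] = github_get) -> Dict[str, Any]:
    """Turn a freshly issued user OAuth token into a session record, then forget it.

    Only the dashboard's needs are kept: the login and the app installations the
    user can see (account login + installation id). The token never leaves this
    function, so no stored credential exists that could later act on the user's behalf.
    """
    user = fetch(token, "/user")
    installs = fetch(token, "/user/installations")
    session = {
        "login": user["login"],
        "installs": sorted(
            ({"id": i["id"], "account": i["account"]["login"]}
             for i in installs["installations"]),
            key=lambda i: i["id"],
        ),
    }
    del token  # the only copy of the credential goes away here
    return session


def session_has_no_credential(session: Dict[str, Any], token: str) -> bool:
    """Sanity check a reviewer can run: the persisted record must not contain the token."""
    return token not in json.dumps(session)
```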
OK thank you for the clarification.
> (I suspect you'll find other things there -- each of those also "can act on your behalf")
I usually make sure not to grant such apps. Though I found at least travis-ci being granted (and I finally revoked it).
I suspect this is why most oauth apps set "Read-only emails" so that the messaging looks slightly less scary -- but really is more permissions than we set (zero)
> (such that pre-commit.ci can know what user you are so it can display your installs).
You could reduce the permission scope option if you use the public API to fetch a user's public repos only? Not saying this is the majority of the case, but it is quite sizeable.
it's not the repository list -- that's all in app-install land -- it's just that initial list of installations (like my account has installs for asottile, pre-commit, pre-commit-ci, pycqa, pytest-dev, etc. etc. etc.)
We tried to use pre-commit.ci on projectmesa/mesa, in https://github.com/projectmesa/mesa/pull/1422. We decided not to enable the `autofix_prs` option. Yet, when I tried to enable pre-commit.ci, I encountered the GH permission request so that pre-commit.ci can act on my behalf. Is there a way to make this optional, since we don't use the autofix feature anyway?