Signing in with GitHub requires giving Taskcluster very broad access

[asajeffrey]

Running .mach creds asks for a lot of permissions:

My reaction was "heck no" and backing out.

[SimonSapin]

I agree it would be better if this screen would let every user choose what orgs to grant access to. As far as I know we (Servo) don’t have any control over that, it’s a bug / limitation in either the "Community-TC sign-in" app (docs, source, bug tracker) or in or in GitHub itself (API docs).

The app wants to know what GitHub teams you’re a part of, in order to grant corresponding Taskcluster “scopes” (permissions).

[SimonSapin]

Apparently GitHub organizations can be configured so that org owners have some control over what "apps" have access. This is what you’re seeing with the “Grant” button next to chicago-relaxed-memory where I assume you’re an owner, and the “Request” button next to rust-lang where I assume you’re not.

When I did this I had a “Request” button next to servo, and had to ask Josh or Lars to grant the request. When you see a green check mark and no button, I think that means either that someone has already granted access to this org for this app (likely the case for mozilla), or that the org itself is not configured for this access control (maybe the case for agda, I think it’s not the default).

[asajeffrey]

Yeah, but the agda team will be annoyed with me if I grant access to taskcluster, even if they've not configured access control. This would be fine if I could manually say "don't make any changes to the agda org" but I can't.