Ghostly requests permissions which are not explained #10
Comments
|
Sadly, GitHub permissions are not very fine grained and does not distinguish between read and write permissions for all scopes. The permissions we need to be able to read private repository information (issues/pull requests/releases and security vulnerabilities), notifications and user information are:
Which you can read about here: https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes So if we want to be able to get notifications regarding private repositories there's really nothing we can do about this. One option would be to have a "public mode" as well which only gets notifications and similar from public repositories, in that case we would only need the |
|
@hansmbakker Actually, I think we can remove the |
|
@hansmbakker I've added an option to only watch public repositories (which only requires the
|
|
Nice! I understand this might be a limitation of GitHub, but it was just a bit surprising to see GitHub ask for write permissions to code without a warning upfront. Would the |
|
@hansmbakker Yes, just asking for If we want to be able to get information about work items (issues/prs etc) that are private, we need the |
|
So public repositories only = |
|
@hansmbakker There is a new version released (0.1.24000.0) which will add an option to only request the |
Ghostly requests a lot of permissions during authorization.
Especially the write access to all public and private repositories is not clear if it is necessary and why it is necessary - since Ghostly is about fetching notifications.
Why does Ghostly need to push code or need to read deploy keys?
Please keep the required permissions minimal.
The text was updated successfully, but these errors were encountered: