Required scope for events API on private repos - github

I'd like to use the GitHub API to read comments, issues and so on for a given user with the GitHub Events API.
I've already accomplished that with OAuth authentication using the repo scope. That's a big overkill since I just want to read events and this scope grants almost everything. The API doc doesn't specify anything, and I can't find a more limited scope.
I've been testing with different personal access token scopes but only repo makes requests return private events.

You will need to use the scope repo if you want to retrieve events originating from private repositories.
At this point this is the only scope for the job.

Related

GitHub OAuth apps: What's the most granular scope to get access to Pull Requests?

I'm reading the documentation on Scopes for OAuth Apps and it's not clear to me if it's possible to grant read access to private repos, without providing write access.
The repo scope grants full access to read and write everything. This works but it's more permissive than what we would like.
The scope public_repo is only for public repos as its name suggests, and I'm not sure if read:repo_hook is what I need or not.
What's the best-suited scope for my use case of reading pull requests by passing a commit hash as a parameter to Octokit?
For OAuth apps, the most granular scope is repo or public_repo, depending on whether you need access to all repositories or only public ones.
If you want more granular permissions, you need to use GitHub Apps, which also have OAuth features (GitHub calls these user-to-server tokens):
https://docs.github.com/en/developers/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps.
GitHub Apps need to be installed by users on repositories in order to grant access, and they have a pull_request read or write permission, depending on what you need.

Can Personal Access Token with limited scope be shared with other users?

I'm building a CLI which triggers an Action (using workflow_dispatch) in my repository. I'm using the GitHub API to perform this task. Taken from the docs:
You must authenticate using an access token with the repo scope to use this endpoint.
I've generated a PAT with repo scope to authenticate myself. I want users to run this CLI. Is it safe to share this PAT (which has repo as the only scope)?
p.s. I know it is ironical to ask if "Personal"-access-token can be "shared". But I don't see any problem it can cause with its limited scope.
I don't think it is a good idea. Repo scope is not limited to only one repo.
If you want to trigger actions by external users, your best bet would probably be to create a workflow running on PR or Issue events.
Allow your users to create issues
Monitor keywords or label on the issue
Trigger your action.
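The issue-driven alternative above leaves one question open: who is allowed to trigger the workflow? Anyone who can open an issue can include the keyword, so the gate should also check the issue author's relationship to the repository. The following is an added example, not code from the thread or from GitHub; it applies a label check, an author_association allowlist and a keyword allowlist to an `issues` webhook payload. The label name, the command names and the sample payload are constructed for the example; the payload fields (`action`, `label`, `issue.labels`, `issue.author_association`, `issue.body`) are the ones GitHub sends.

```python
"""Gate an issue-triggered action on label, author association and keyword.

Added example (not from the original thread). The label and command names are
hypothetical; the payload below is constructed to look like GitHub's `issues`
webhook event.
"""
from __future__ import annotations

TRIGGER_LABEL = "run-build"                       # hypothetical label name
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}     # author_association values allowed to trigger
COMMANDS = {"build", "deploy-staging"}            # hypothetical keyword allowlist


def should_trigger(payload: dict) -> tuple[bool, str]:
    """Decide whether an `issues` event may start the workflow; returns (decision, reason)."""
    action = payload.get("action")
    if action not in {"opened", "labeled"}:
        return False, "ignored action"
    issue = payload.get("issue") or {}
    if action == "labeled":
        # Only react to the label that was just applied, not to labels already present.
        if (payload.get("label") or {}).get("name") != TRIGGER_LABEL:
            return False, "trigger label absent"
    else:
        names = {lbl.get("name") for lbl in issue.get("labels", [])}
        if TRIGGER_LABEL not in names:
            return False, "trigger label absent"
    # Outsiders can open issues; only let repository insiders start work.
    if issue.get("author_association") not in TRUSTED:
        return False, "untrusted author"
    return True, "ok"


def extract_command(body: str | None) -> str | None:
    """Return the first '/keyword' line whose keyword is on the allowlist, else None."""
    for line in (body or "").splitlines():
        token = line.strip()
        if not token.startswith("/") or not token[1:].strip():
            continue
        cmd = token[1:].split(maxsplit=1)[0]
        if cmd in COMMANDS:
            return cmd
    return None


# Constructed sample event: a collaborator opens an issue carrying the trigger label.
SAMPLE_EVENT = {
    "action": "opened",
    "issue": {
        "number": 1,
        "title": "build please",
        "body": "Context here\n/build\n",
        "author_association": "COLLABORATOR",
        "labels": [{"name": TRIGGER_LABEL}],
    },
}

if __name__ == "__main__":
    ok, reason = should_trigger(SAMPLE_EVENT)
    print(ok, reason, extract_command(SAMPLE_EVENT["issue"]["body"]))
```

In a workflow the same checks map onto `github.event.action`, `github.event.label.name`, `github.event.issue.author_association` and `github.event.issue.body`; the point of doing them at all is that an `issues` trigger is reachable by anyone who can file an issue, unlike a PAT kept on your own machine.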

Github permissions

We've set up a GitHub app so that it automatically forks a repository for another individual GitHub user using the GitHub API. Now we're running into a problem that not everyone wants to give us full read access to all of their private repositories since sometimes they contain sensitive data.
Is there a way to only get read/write permission to a single repository and not the individual's entire account?
Unfortunately, this is not available yet. This feature is still under development as you can see in the GitHub Apps roadmap (and note that I am talking about GitHub Apps, not OAuth GitHub Apps). I don't know if this will ever be possible in OAuth Apps but it seems that it might in GitHub Apps.
There is already a discussion about this at the dear github repository. You should check for news there.
Is there a way to only get read/write permission to a single repository and not the individual's entire account?
Not that I know of: it is easier to set up a new dedicated GitHub account where you would recreate the private repos you want to give access to.
In that new account, you can consider that all the private repos can be accessed.
You would keep the really private ones (with sensitive information) in your original GitHub account.
I believe you're looking for X-OAuth-Scopes. This is a well-defined header so that you may restrict your access scope to, for example, public repositories only.
The GitHub developer documentation here says:
... space-delimited list of scopes. If not provided, scope defaults to an empty list for users that have not authorized any scopes for the application. For users who have authorized scopes for the application, the user won't be shown the OAuth authorization page with the list of scopes. Instead, this step of the flow will automatically complete with the set of scopes the user has authorized for the application. For example, if a user has already performed the web flow twice and has authorized one token with user scope and another token with repo scope, a third web flow that does not provide a scope will receive a token with user and repo scope.

What is the minimum scope set when using GitHub API to support listing private repositories and using the status API?

My scenario is that I would like to list the private repositories for the user, given the organizations they grant access to. The intent is to provide status API integration.
I use the user:email scope as a form of identification in my app, so I am requesting that along with repo and read:org. I was trying to use repo:status instead of repo, but I couldn't seem to get the private repo listing that way.
So, my final set of scopes is:
user:email
repo
read:org
Is this the minimum set of scopes required, or am I missing a more restrictive combination that would work without write access to repos?
Your scopes are almost correct. You don't need the read:org scope to list organisations if you have repo.
Somewhat annoyingly, there is no scope to grant read only access to a private repo, even though there are separate read and write scopes for public ones. You can't read private repos without also allowing writing via the repo scope.
You're also right about repo:status—this scope is meant for interacting with commit statuses without being able to see the contents of the repository, for example a CI service like Travis.
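Both the events question at the top of the page and this one come down to the same check: which scopes a token actually carries, and whether a narrower scope would have done. GitHub reports that on every authenticated REST response in the `X-OAuth-Scopes` header (scopes the token has) and `X-Accepted-OAuth-Scopes` header (scopes the endpoint accepts). The following is an added example, not code from the thread or from GitHub: it parses those headers, applies the parent/child scope relationships the page discusses (`repo` covering `public_repo` and `repo:status`, for instance) and reports scopes that are unused or broader than the endpoint needs. The implication table is a subset of GitHub's documented hierarchy and the sample headers are constructed.

```python
"""Least-privilege audit of a classic token from GitHub's scope headers.

Added example (not from the original thread). The implication table is a
partial copy of GitHub's scope hierarchy; SAMPLE_HEADERS is constructed.
"""
from __future__ import annotations

# Parent scope -> scopes it implies (subset of GitHub's documented hierarchy).
IMPLIED = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "user": {"read:user", "user:email", "user:follow"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
}


def parse_scopes(header: str | None) -> set[str]:
    """Split a comma-delimited scope header into a set; a missing or empty header is an empty set."""
    if not header:
        return set()
    return {s.strip() for s in header.split(",") if s.strip()}


def expand(scopes: set[str]) -> set[str]:
    """Close a scope set under IMPLIED, so {'repo'} also counts as public_repo, repo:status, ..."""
    out = set(scopes)
    changed = True
    while changed:
        changed = False
        for s in list(out):
            extra = IMPLIED.get(s, set()) - out
            if extra:
                out |= extra
                changed = True
    return out


def satisfies(granted: set[str], accepted: set[str]) -> bool:
    """True if the token can call an endpoint accepting any scope in `accepted` (empty = no scope needed)."""
    if not accepted:
        return True
    return bool(expand(granted) & accepted)


def audit(granted: set[str], accepted: set[str]) -> dict:
    """Report whether the call works, which granted scopes are unused, and which are broader than needed."""
    needed = {s for s in granted if s in accepted or (expand({s}) & accepted)}
    return {
        "ok": satisfies(granted, accepted),
        "unused": granted - needed,               # carried by the token, irrelevant to this endpoint
        "over_broad": {s for s in needed if s not in accepted},  # a narrower scope would have sufficed
    }


def audit_headers(headers: dict) -> dict:
    """Run audit() on a response's headers, matching header names case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    return audit(parse_scopes(lower.get("x-oauth-scopes")),
                 parse_scopes(lower.get("x-accepted-oauth-scopes")))


# Constructed: what a PAT carrying repo + read:org might get back from an endpoint that accepts repo.
SAMPLE_HEADERS = {"X-OAuth-Scopes": "repo, read:org", "X-Accepted-OAuth-Scopes": "repo"}

if __name__ == "__main__":
    print(audit_headers(SAMPLE_HEADERS))
```

Run against a live response (for example `curl -sI -H "Authorization: token ..." https://api.github.com/user` piped into a dict), `over_broad` is the field to watch: `repo` showing up there means the call would have worked with `public_repo` or `repo:status`, and the token is the "big overkill" the first question complains about.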

Can I query the Github API for my repository quota?

I'm working on an app that creates private GitHub repositories (among other things). Every once in a while, we are over quota with our private repos.
I'd like to know how many repositories we have left before making the API call that will fail.
Can that be done, using the GitHub API? I couldn't find anything in the documentation, but that doesn't mean it's not possible :)
awendt, I'm not quite familiar with private quotas, but authenticated users receive a Plan object when the API returns the call to /user. This will tell you what plan you have and will tell you how many private_repos you're allowed. With that information and the information from /user which tells you how many private repos you currently have, you should be able to figure it out.
Then again, you could use github3.py and you'd have the User object, with the plan attribute and could use those two together as described above.
Disclaimer: I'm github3.py's author.