meltwater/drone-convert-pathschanged

GitHub Access Token Scopes

mlclmj opened this issue · 6 comments

Hi 👋

Thanks so much for writing and maintaining this awesome plugin!

I wanted to open a quick issue about the access token scopes that are required for this to work, namely it seems that the token actually needs full access to private repos, instead of just access to commit statuses in order to work. Is that something that others have seen?

Thanks!

Sorry for the delay on responding. The goal is certainly to keep the scope as small as possible, we will investigate and get back to you.

Our expectation was that setting a scope of repo:status would be enough to call these two functions

https://github.com/google/go-github/blob/master/github/git_commits.go#L74
https://github.com/google/go-github/blob/master/github/repos_commits.go#L226

I tested and repo:status was not enough, I had to set all of repo.

Reading https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/ it seems repo:status would be plenty:

Grants read/write access to public and private repository commit statuses. This scope is only necessary to grant other users or services access to private repository commit statuses without granting access to the code.

At the very least we need to change the README to specify repo rather than repo:status, but I will keep investigating just in case.

@jimsheldon I can confirm that the repo scope is required to access a private repository or any of its files. Unfortunately GitHub does not provide anything more fine-grained for OAuth access.

We could consider sending the user token from Drone to this extension in the payload. It would have to be opt-in since everyone might not be comfortable with the token leaving the Drone server. It doesn't solve the scope problem (Drone has the same scope) but it would be one less token to manage.

From our discussions with GitHub support it seems there is no way around this unfortunately.

I will close this for now.
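The thread establishes that the extension's two go-github calls fail with a token carrying only repo:status and need the full repo scope. A check a deployer can run before wiring a token into the extension is to read the X-OAuth-Scopes header GitHub returns on every authenticated API response and compare it against what the extension needs. The following is an added example, not code from the drone-convert-pathschanged project or the thread's participants; it uses only the Go standard library, and the fake server and the token names gho_narrow and gho_full are constructed stand-ins for GitHub so it runs offline. The scope hierarchy in scopeImplies (repo granting repo:status and the other repo-family scopes) is taken from GitHub's scope documentation; the function and parameter names are this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// Parent scopes and the narrower scopes they grant. Assumption: taken from
// GitHub's documented hierarchy for classic OAuth tokens; only the repo
// family matters for this extension.
var scopeImplies = map[string][]string{
	"repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
}

// parseScopes turns an X-OAuth-Scopes header value such as
// "repo:status, user:email" into a set.
func parseScopes(header string) map[string]bool {
	granted := map[string]bool{}
	for _, s := range strings.Split(header, ",") {
		if s = strings.TrimSpace(s); s != "" {
			granted[s] = true
		}
	}
	return granted
}

// hasScope reports whether the granted set satisfies want, either directly or
// through a parent scope: a token with repo also has repo:status, never the reverse.
func hasScope(granted map[string]bool, want string) bool {
	if granted[want] {
		return true
	}
	for parent, children := range scopeImplies {
		if !granted[parent] {
			continue
		}
		for _, c := range children {
			if c == want {
				return true
			}
		}
	}
	return false
}

// missingScopes lists, sorted, the required scopes the token does not carry.
func missingScopes(granted map[string]bool, required []string) []string {
	var missing []string
	for _, r := range required {
		if !hasScope(granted, r) {
			missing = append(missing, r)
		}
	}
	sort.Strings(missing)
	return missing
}

// tokenScopes makes one authenticated call against apiBase and returns the
// scopes reported in X-OAuth-Scopes. Any endpoint works; /user is cheap.
func tokenScopes(client *http.Client, apiBase, token string) (map[string]bool, error) {
	req, err := http.NewRequest(http.MethodGet, apiBase+"/user", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "token "+token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return parseScopes(resp.Header.Get("X-OAuth-Scopes")), nil
}

// newFakeGitHub is constructed test scaffolding, not GitHub: it maps a token to
// the X-OAuth-Scopes header a real API response would carry.
func newFakeGitHub(tokens map[string]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "token ")
		scopes, ok := tokens[token]
		if !ok {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("X-OAuth-Scopes", scopes)
		w.WriteHeader(http.StatusOK)
	}))
}

func main() {
	srv := newFakeGitHub(map[string]string{"gho_narrow": "repo:status", "gho_full": "repo"})
	defer srv.Close()
	for _, tok := range []string{"gho_narrow", "gho_full"} {
		granted, err := tokenScopes(srv.Client(), srv.URL, tok)
		if err != nil {
			fmt.Println(tok, "error:", err)
			continue
		}
		// The thread's finding: reading private-repo commits needs repo, not repo:status.
		fmt.Printf("%s missing: %v\n", tok, missingScopes(granted, []string{"repo"}))
	}
}
```

Against the real API, point apiBase at https://api.github.com and pass the token the extension will use; if missingScopes reports repo, the token will fail on private repositories exactly as described above, and a blank X-OAuth-Scopes header means the credential is not a classic OAuth token (fine-grained tokens and installation tokens report permissions differently).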

FWIW, the go library seems to have added a way to pass the credential to the extension: drone/drone-go@f9e4fe3

I tested this with a sample extension and the access token seems to be present:

{Access:gho_y6........... Refresh:}

wez commented

are there plans to make use of the token being passed through as mentioned by @tonglil in the comment above? Should this issue be re-opened?