Yeah, but at least with PATs (not sure about other token types), you can't scope them to a particular repo, so whenever you need to allow something to even see a private repo or write to a public repo, the token you supply to allow that can do that for all repos, and that alone is potentially really destructive. I am not sure if there is a good reason why PATs can't be scoped to a repository, because if they were allowed to be, it would do a lot for security, I think.
Most integrations just ask for blanket all permissions. They do this because it means they can give you a list of repos and let you choose which ones to integrate their service into with no work on your part except "click yes to give us permission to do everything for you and ... we'll do everything for you".