What, you don't trust me with ALL YOUR REPOS? Haha. I know, I mentioned this permissions thing in the blog post. Building it for myself, that scope is the only way I could read contributor stats for my company's private repos. Definitely don't need 90% of the other things, write access especially. Optional private repository access seems like a good solution.
That's what made me not do it. To be fair, I wrote a Github app once where I wanted read access to public and private repos, and I couldn't find anything in the Github API to give me specifically that. I had to request read+write for public+private, which is horribly permissive and gave me access to a bunch of stuff my app didn't need.
Yeah, I wish there were more fine-grained controls for permissions, i.e. just let me access meta-data like stats for repos (because that's all this app really needs).
It doesn't really need write access, but in order for it to fetch the contributor stats, I had to add the "repo" scope to the permissions. Unfortunately, I couldn't see any other way around that. See: https://developer.github.com/v3/oauth/#scopes
This kind of functionality would be cool if github adopted it in-house. Having the read/write access to all public/private repos is a bar that's a bit too high.
