GP, and I agree, wants tokens to be scoped to repos, not to activities.
Your link describes how you can limit the things you can do with a token. But GitHub doesn’t allow limiting where you can do those things.
It’s annoying and I wish they would fix this. If you work on lots of repos across lots of orgs, this is a big vulnerability. I get the heebie-jeebies whenever I have to grant permission on something because if I make a mistake it could hose lots of things.