by TheSpiciestDev 1519 days ago
I do remember hooking up Heroku to GitHub for auto-deployments and thinking to myself something along the lines of, "why does Heroku need ALL of this access?"

It'd be great if GitHub could allow read/write permission grants on a per-repo basis. Maybe they do already! ... in which case I'd much rather have and set up that granular detail than have a token that goes across all my public/private repos...

Edit: I do see in my GitHub's integration page that the Heroku connection was used within the past week... but it doesn't show how exactly it was used. Until GitHub can provide specific details, is it safe to assume that all repos, public and private, could have been cloned?


> It'd be great if GitHub could allow read/write permission grants on a per-repo basis. Maybe they do already!

They totally do. Shopify's GitHub integration works this way, and it is fantastic!

These are known as GitHub apps and were designed to address this problem. https://docs.github.com/en/developers/apps/getting-started-w...

Thanks and I'm not surprised, it's a pretty intuitive feature! So really the only thing Heroku gets from these all-inclusive tokens is something to drive their typeahead input on their integration page, right? Totally not worth it, I'd rather use GitHub's prompt.