[josegonzalez]

Having integrated with Github before - for providing OAuth and pulling private repositories - I will say that they've never really had fine-grained permissions. The scopes are here[1] and from what I can tell, I can't ask for private repo access to a _specific_ repository for a given OAuth token. Maybe this is different for a Github App, but just quickly browsing through their docs, I don't think this is the case either.

    - [1] https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps

[taejavu]

Any idea how Netlify does it? There I can only select from the repos I have granted access to, and if I want to add a new one I click "Configure the Netlify app on GitHub", which opens a window where I can choose which repos to allow access to. Always wondered how that works.

[NoahKAndrews]

They made a GitHub app, which is different from OAuth.

[vorador]

They actually give you fine-grained permissions, down to the single repo access level – but only if you build a Github app. OAuth app don't offer that unfortunately and I assume are considered a bit "legacy".

[glenngillen]

The whole GitHub permission/scope areas has been a big issue for a lot of 3rd party developers for a very long time now: https://github.com/dear-github/dear-github/issues/113

[jrochkind1]

I wonder if these security incidents will encourage them to improve it?

[memset]

Apps let a user specify the specific repos that one can have access to. That’s what we use for our company, tasker.sh.

Furthermore, we basically only ask for the one “mandatory” permission - there are scores of perms you could request when authorizing an app - and that’s just read only access to the code.

[Serow225]

yes, the OAuth scopes are way way too coarse. Even to the point of not being able to separate readonly vs R/W.

GitHub apps are indeed noticeably better. But that doesn’t always help