[Charlieholtz]

Hi! Right now the app uses GitHub's OAuth sign in (https://docs.github.com/en/apps/oauth-apps/building-oauth-ap...) which unfortunately doesn't allow for fine-grained permissions.

It will only have access to organization code if you explicitly grant it. We're working on switching our sign-in to a GitHub App so we can make the permissions fine-grained.

[itsalotoffun]

Totally understand, but you're asking for the keys for the kingdom, without any data disclosure or privacy policy. Even if you switch to fine-grain permissions, the lack of any "and here are our commitments to handling or accessing your data" is (and should be) a show-stopper for anyone trying this out.

In case people aren't reading, here's the c+v of what Conductor gets access to currently:

--

This application will be able to read and write all public and private repository data. This includes the following:

    Code
    Issues
    Pull requests
    Wikis
    *Settings*
    *Webhooks and services*
    *Deploy keys*
    *Collaboration invites*

Note: In addition to repository related resources, the repo scope also grants access to manage organization attributes and organization-owned resources including projects, invitations, team memberships and webhooks. This scope also grants the ability to manage projects owned by users.

[Charlieholtz]

Now fixed in the latest version. You can now give Conductor fine-grained GitHub repository access.

Or, skip the integration and use your local GitHub CLI auth.

[itsalotoffun]

That's awesome, thanks Charlie. Any word on a privacy policy?

[joshualyon]

I'd love to see some commentary regarding privacy of data too. Regardless of the GitHub integration approach, it's still concerning that the app potentially has access to sensitive data and without it being open source, it's hard to trust what it's doing with that data without an explicit policy or statement.