
Reduce GitHub oauth scope

Open tlvince opened this issue 10 years ago • 1 comment

When using a public GitHub repo, a token with the following scopes is created:

read:org, repo, repo:status, repo_deployment, user:email, write:repo_hook

Are all these necessary? In ye olde times (semantic-release v3 manual set up), it was sufficient to create tokens only with the public_repo scope (or repo for private repos).

tlvince avatar Jul 31 '15 15:07 tlvince

Quick update on this: I had to revert https://github.com/semantic-release/cli/commit/7631d40ec10d8c7619a97000cb04f8ad32390d17, because as @christophwitzko raised the scope is currently required to enable Travis with a sufficiently scoped GitHub token.

A solution for this would be to create a second, separate GitHub token only when Travis needs to be enabled. Even if we cache the GitHub credentials for this in memory, we'd need the 2FA token twice, though.

boennemann avatar Aug 04 '15 12:08 boennemann
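As an added example (not code from semantic-release/cli or either commenter), the following audits a token's granted scopes, as GitHub reports them in the `X-OAuth-Scopes` response header, against the minimum a workflow needs: `public_repo` for a public repo as the issue suggests, plus `write:repo_hook` when Travis must be enabled as the follow-up notes. The scope-nesting table is an assumption drawn from GitHub's documented scope hierarchy; the sample header value is the scope list quoted in the issue.

```javascript
// Added example, not part of semantic-release/cli. Audits a GitHub OAuth
// token's scopes against the minimum a workflow needs (least privilege).
// Assumption: this nesting table reflects GitHub's documented scope
// hierarchy; extend it for scopes your workflow uses that are not listed.
const IMPLIES = {
  repo: ['repo:status', 'repo_deployment', 'public_repo'],
  'admin:repo_hook': ['write:repo_hook', 'read:repo_hook'],
  'write:repo_hook': ['read:repo_hook'],
  'admin:org': ['write:org', 'read:org'],
  'write:org': ['read:org'],
  user: ['read:user', 'user:email', 'user:follow'],
};

// Expand a scope list into every permission it grants, transitively.
function expandScopes(scopes) {
  const out = new Set();
  const stack = [...scopes];
  while (stack.length) {
    const s = stack.pop();
    if (out.has(s)) continue;
    out.add(s);
    for (const child of IMPLIES[s] || []) stack.push(child);
  }
  return out;
}

// Parse GitHub's comma-separated `X-OAuth-Scopes` header value.
function parseScopesHeader(value) {
  return value.split(',').map((s) => s.trim()).filter(Boolean);
}

// Granted scopes that the required set does not justify (excess), and
// required scopes that nothing granted covers (missing).
function auditScopes(granted, required) {
  const needed = expandScopes(required);
  const have = expandScopes(granted);
  return {
    excess: granted.filter((s) => !needed.has(s)),
    missing: required.filter((s) => !have.has(s)),
  };
}

// Constructed sample input: the scope list quoted in this issue.
const ISSUE_SCOPES = parseScopesHeader(
  'read:org, repo, repo:status, repo_deployment, user:email, write:repo_hook'
);
console.log(auditScopes(ISSUE_SCOPES, ['public_repo', 'write:repo_hook']));
```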