Elaborate on Github Permissions about bonsai HOT 8 CLOSED

Adding another screenshot of the permissions we request:

from bonsai.

The permissions need to be set on the account authorizing the query to the Github endpoint.

https://developer.github.com/apps/managing-github-apps/editing-a-github-app-s-permissions/

from bonsai.

We (Sensu Inc) need to update the permission as part of the app config.

from bonsai.

The app is an Oauth app, not registered as Github app.

from bonsai.

I just saw the email announcing this to the public, however the requested permissions are still the same. Does it truly need that level of access to my repos? I am still hesitant to share anything due to this.

from bonsai.

Any updates on this? It's the one thing keeping me from sharing assets at the moment.

from bonsai.

@nixwiz - I've looked into this further, and apparently Bonsai is requesting the minimum level of permissions possible via Github's OAuth Scopes. Bonsai requires:

• Ability to read repository information, specifically releases, tags, and release assets.
• Ability to create webhooks on a repository.
• Ability to read contributors on a repository.
• Ability to "star" a repository
• Ability to access basic user details, including email addresses.

Unfortunately, Github's permission system is not very granular. In order to obtain basic repository details, as well as the ability to star a repository, we have to request the "public_repo" scope to get access to release info, contributors, and the ability to star a repository. The "public_repo" scope though, contains read and write access to many other aspects of the repositories that Bonsai does not use. See Github's docs of available scopes here: https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps

In summary, Bonsai requests the following scopes:

• public_repo - necessary to read contributors, releases, release assets, and to star a repository
• user:email - allows access to user's email address(es)
• write:repo_hook - allows write acess to repository webhooks. Bonsai adds a webhook to all registered asset repositories which notifies bonsai when a new release is created. Bonsai then automatically registers that release as a new asset version.

from bonsai.

Thanks for the response @mbiang .

from bonsai.