Justify GitHub Auth permission to read/write my repositories about pullup HOT 6 CLOSED

I'm actually a little surprised by the silence here. I know Pullup has gotten slow, but I didn't realize it was this bad...

Anyways, I don't actually know about these permissions myself. I've been logged into the site for months and I don't think I've been pestered about it at all. I just checked the permissions for my account and it doesn't appear to have changed.

My first PR was accepted just a few weeks after yours, so I'm not sure what could have changed between when you signed up and when I did.

from pullup.

After looking through the commits between yours and mine, I found this commit that might explain why it needs the extra permissions. Basically, Pullup uses your user to pull data about Pullup from GitHub if you're logged in.

This may have been changed later, but it might explain the permissions.

EDIT: I also found this commit which allows users to comment on GitHub issues through the website. In retrospect, I probably should have remembered this one, since I've used it before. I don't know much about GitHub's app permissions, but I do agree that, even with this, it seems like we might have made the requested permissions a bit more than what we actually need.

from pullup.

@josephwegner @megamattron any idea why we're requiring these permissions?

from pullup.

I'm fairly certain that when Pulluo was originally written, Github only had
one permissions level.

That is no longer the case, so we can probably lighten the requirements.

from pullup.

That would explain it. Looks like we're requesting the public_repo scope here, which requires:

Grants read/write access to code, commit statuses, collaborators, and deployment statuses for public repositories and organizations. Also required for starring public repositories.

from pullup.

We only need user:email. I've removed public_repo from the scopes in #384.

from pullup.