Currently to scan a GitHub organization, we need write access to the organization:
github-access-manager/main.py, lines 25 to 28 in 2d7e982:

```
 * "admin:org", which when checked implies both "read:org" and "write:org".
   This application does not modify the organization, but some organization-wide
   settings, such as the default repository permission, can only be read with
   the full "admin:org" permission, and not with "read:org".
```
Unfortunately the GitHub API works this way, so to check the default repository permissions, we need `admin:org` on the token. However, if we have a token that doesn't have `admin:org`, we could handle that gracefully and just not verify the organization-wide settings, and still verify everything else.
I would feel much more comfortable running this on an automated schedule with an access token that only grants read-only access.
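One way to implement the graceful degradation proposed above, as an added example that is not code from github-access-manager: GitHub reports a classic token's granted scopes in the `X-OAuth-Scopes` response header (fine-grained tokens and GitHub App tokens omit it), so the scanner can decide up front whether the organization-wide settings check is possible, and otherwise skip only that check. The `get` callable, the `fake_get_*` responses and the `example-org` name are constructed stand-ins for the HTTP layer, not the project's API.

```python
"""Added example: degrade gracefully when the token lacks admin:org.

GitHub echoes a classic token's granted scopes in the X-OAuth-Scopes response
header (for example "read:org, repo"); fine-grained tokens and GitHub App
installation tokens omit the header. Nothing here is github-access-manager's
own code; `get` is a hypothetical injected HTTP helper.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Tuple

# Scope hierarchy: admin:org implies write:org, which implies read:org.
IMPLIED_SCOPES = {
    "admin:org": {"admin:org", "write:org", "read:org"},
    "write:org": {"write:org", "read:org"},
}


def parse_oauth_scopes(headers: Mapping[str, str]) -> Optional[set[str]]:
    """Return the effective scope set from X-OAuth-Scopes, or None if absent."""
    raw = next((v for k, v in headers.items() if k.lower() == "x-oauth-scopes"), None)
    if raw is None:
        return None
    scopes: set[str] = set()
    for item in raw.split(","):
        item = item.strip()
        if item:
            scopes |= IMPLIED_SCOPES.get(item, {item})
    return scopes


@dataclass(frozen=True)
class ScanPlan:
    check_membership: bool        # members, teams, repo access: needs read:org
    check_org_settings: bool      # default repository permission: needs admin:org
    note: Optional[str] = None


def plan_scan(scopes: Optional[set[str]]) -> ScanPlan:
    """Decide which checks the token can run instead of failing midway."""
    if scopes is None:
        # Scopes unknown (fine-grained token): try everything and let the
        # settings fetch report whether the field was actually readable.
        return ScanPlan(True, True, "scopes not reported; org settings check is best-effort")
    if "read:org" not in scopes:
        return ScanPlan(False, False, "token lacks read:org; cannot enumerate the organization")
    if "admin:org" not in scopes:
        return ScanPlan(True, False, "token lacks admin:org; skipping organization-wide settings")
    return ScanPlan(True, True)


# Hypothetical injected HTTP getter: path -> (status_code, decoded JSON body).
Getter = Callable[[str], Tuple[int, dict]]


def fetch_default_repo_permission(get: Getter, org: str) -> Optional[str]:
    """Read the org's default repository permission, or None if the token
    cannot see it. GET /orgs/{org} answers 200 for any token, but the
    owner-only fields are simply absent without admin:org, so a missing
    field is "skip", not an error."""
    status, body = get(f"/orgs/{org}")
    if status != 200:
        return None
    return body.get("default_repository_permission")


# Constructed responses standing in for the GitHub API, so this runs offline.
def fake_get_with_admin(path: str) -> Tuple[int, dict]:
    return 200, {"login": "example-org", "default_repository_permission": "read"}


def fake_get_read_only(path: str) -> Tuple[int, dict]:
    return 200, {"login": "example-org"}  # owner-only field not present


if __name__ == "__main__":
    headers = {"X-OAuth-Scopes": "read:org, repo"}  # constructed response headers
    plan = plan_scan(parse_oauth_scopes(headers))
    print(plan)
    if plan.check_org_settings:
        print(fetch_default_repo_permission(fake_get_with_admin, "example-org"))
    else:
        print("skipped:", plan.note)
```

With a `read:org`-only token the plan still runs the membership and repository checks and records why the organization-wide settings were skipped; with `admin:org` the default repository permission is read and reported as before.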