Yuvi

I think of these as 'build time' changes, so we can probably make the deployer try to detect what labels are present somehow and determine what the queries should be?

So the actual permissions granted are specified by the admin when they *create* the app itself. Step 1 grants permissions to the app to act on the repos, while step...

@consideRatio oooh, great question. I *think* the developer of the app could possibly write to the repos even without user authentication :| https://github.com/yuvipanda/git-credential-helpers relies on that to work with nbgitpuller...

@consideRatio yeah, so if you *just* know the client id, you can use it only in conjugation with user credentials to get access to repos with intersection of these permissions....

No key is created here - only the (public) client ID is used.

Hmm, am not sure how that is related @cboettig! It is so funny that I now have no memory of ever participating in that thread haha :)

Ah, that sounds great! I like the `extraFiles` approach there.

Apologies for the late review, @HCharlie! I think this looks good, I made a minor change to help clarify the code a little more. Going to merge now.

I think automatic let's encrypt is a must, and unfortunately it looks like we can't use the highly available mode with Let's Encrypt. So we'll always need a mode that...

@johnsushant I'd love for this to be in z2jh, but not sure what exactly needs to happen. @GeorgianaElena is the one with most expertise, and could hopefully chime in if...