dawg

In particular the `.local/bin` part is interesting as it would make binaries usable without invoking dub. Similarly `.local/lib` could maybe host shared libraries. Moving any caches is trivial. Anyone up...

The permissions are also a bit surprising. While I can't query defaultBranchRef via GraphQL (`GraphQL: Resource not accessible by integration (repository.defaultBranchRef)`, it works fine by [REST API](https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#get-a-repository) (using https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-metadata).

Would it make sense to start with a simpler approach and only update the SAML validating certificates from the metadata? Should mostly reassemble the JWKS URL support for [OpenID Connect](https://www.keycloak.org/docs/latest/server_admin/#_identity_broker_oidc).

That is indeed a bit surprising since group attributes are included in the user attribute mapper. https://github.com/keycloak/keycloak/blob/1a15cb2803c8ce7dfa01a3d99227e86e671e2e5f/services/src/main/java/org/keycloak/protocol/oidc/mappers/UserAttributeMapper.java#L101 https://github.com/keycloak/keycloak/blob/1a15cb2803c8ce7dfa01a3d99227e86e671e2e5f/server-spi-private/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java#L621-L623

Updated @vszakats

I'll have a look at this when I find some time.

OK, I played around a little with the github API. Webhooks are a nice thing, but we'd need the repo owner's OAuth access for the write:repo_hook [scope](http://developer.github.com/v3/oauth/#scopes) to install them....

We could have a pseudo user, that watches all those repos. But from what I read you can't get notifications about commits. Watching only notifies about pull requests and comments.