plugin-update-checker
Access token in private repo
Hello yahnis,
Is it necessary to provide an access token key if I am creating a private repo?
//Optional: If you're using a private repository, specify the access token like this: $myUpdateChecker->setAuthentication('your-token-here');
- If I create a private repo and I do not provide this --> $myUpdateChecker->setAuthentication('your-token-here'); will I get updates for my plugin?
- If I create a private repo and I provide this --> $myUpdateChecker->setAuthentication('your-token-here'); will I get updates for my plugin? Also, is there a risk that, by using an access token in the plugin, a user can breach into my other private repository of the same account?
If you don't provide an access token associated with an account which has access to the private repo, it will not be able to connect to check for updates.
The token has whatever permission you give to it to interact with the API. If a smart user gets that token, they can use it like a password to do anything within your repo (change files, delete) that the token has the ability to do.
There is a workaround suggested here: https://github.com/YahnisElsts/plugin-update-checker/issues/258#issuecomment-533964233
As far as I know, @jakeparis is correct. I don't have much to add to that.
Which permissions do we need? Read repositories? Just that?
If it's a private repository, it would need the general repo permission. I don't think GitHub currently has any other permission/scope that you could use to give a token access to private repositories.
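A way to check what a token can actually do before it is embedded in a distributed plugin, as an added example that is not part of the thread or of plugin-update-checker: GitHub's API reports a token's scopes in the `X-OAuth-Scopes` response header, and this script flags the ones that allow changes. The function names, the risk descriptions and the sample headers are assumptions constructed for illustration.

```python
"""Audit which OAuth scopes a GitHub token carries before shipping it in a plugin."""
import urllib.request

# Scopes that let a token holder change or destroy things (summarised descriptions).
RISKY_SCOPES = {
    "repo": "read/write access to every private repository the account can reach",
    "delete_repo": "can delete repositories",
    "workflow": "can modify GitHub Actions workflow files",
    "admin:org": "full control of organizations and teams",
}

def parse_scopes(header_value):
    """Split an X-OAuth-Scopes value such as 'repo, gist' into a set of scopes."""
    if header_value is None:
        return None  # header absent: scopes cannot be read from this response
    return {s.strip() for s in header_value.split(",") if s.strip()}

def audit_scopes(headers):
    """Return sorted (scope, reason) findings for a response-header mapping."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scopes = parse_scopes(lowered.get("x-oauth-scopes"))
    if scopes is None:
        return [("unknown", "no X-OAuth-Scopes header; audit the token another way")]
    return sorted((s, RISKY_SCOPES[s]) for s in scopes if s in RISKY_SCOPES)

def fetch_headers(token, url="https://api.github.com/user"):
    """Live check (needs network): call the API and return the response headers."""
    req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())

# Constructed sample headers, shaped like an API response for a token created
# with the general "repo" scope discussed in this thread.
SAMPLE_HEADERS = {"Content-Type": "application/json",
                  "X-OAuth-Scopes": "repo, read:user"}

if __name__ == "__main__":
    for scope, reason in audit_scopes(SAMPLE_HEADERS):
        print(f"RISK  {scope}: {reason}")
```

To audit a real token, pass `fetch_headers(token)` to `audit_scopes` from a machine with network access, reading the token from the environment rather than from a file in the plugin.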