
Read-Only OAuth Scope on GitHub, Please?

Open winston opened this issue 8 years ago • 63 comments

We love @GitHub. Our processes all revolve around GitHub.

Naturally by extension, we love the GitHub API, because it allows us to do creative things with GitHub.

So far, we have built a few apps that rely heavily on GitHub's API:

  • deppbot
    • A service that does automated dependency updates for Ruby apps, issued as Pull Requests
  • Dasherize
    • A simple dashboard for CI and GitHub stats
  • GitHub Gem Stats
    • A toy app for "Which RubyGems does X use?" and "Which GitHub repo uses Y gem?"

Let's talk about permissions next.

For both deppbot and Dasherize, we require access to both public and private repos.

Looking at GitHub's OAuth scopes, we'll need to use the repo scope.

(screenshot: GitHub OAuth scopes, 2015-10-16 12:21 pm)

Hmm.. But wait a minute.. The repo scope grants read AND write access to basically everything! Getting read access is probably a must for all apps, but do we need write on everything?

Due to the nature of deppbot, we'll need write permission on public and private repos, so that it can issue Pull Requests when it finishes the dependency update for a project and perform other actions.

However, all Dasherize does is read from public or private repos, and it's not doing any write at all. You can even take a look at the source code to verify that.

So isn't it intrusive to require write permission too? Definitely.

As a user, I would like all apps to only require the lowest level of permission that it needs to operate.

As a developer, I am taking on unnecessary liability when my app has permissions that it doesn't need.

Of course, we are not the first to create apps that use GitHub API, and this has been a common issue for both users and app developers for a while, for example:

  • http://docs.codeclimate.com/article/258-do-i-have-to-grant-code-climate-read-write-access-to-all-of-my-github-repositories
  • https://groups.google.com/forum/#!topic/travis-ci/ihZZXAw9K6M
  • https://github.com/thoughtbot/hound/issues/925#issuecomment-144762814
  • https://gitter.zendesk.com/hc/en-us/articles/200176672-Authenticating-with-GitHub

By design, GitHub API does not provide any Read-only OAuth scope for public and/or private repos. Once you ask for permissions to either public and/or private repos, you'll get both read and write. What can we do then if we just want Read-only access on GitHub API?

There are definitely workarounds, as mentioned in some of the links above:

Progressive Permissioning

This means that the app shall only ask for permissions when it requires it.

Let's use @houndci as an example.

When you first sign up, @houndci only asks for access to your email and public repos read/write.

(screenshot: houndci sign-up authorization, 2015-10-16 4:18 pm)

Then, it provides you with the option to "Include Private Repos".

(screenshot: houndci "Include Private Repos" option, 2015-10-16 4:19 pm)

Clicking on that, you can now grant @houndci access to both public and private repos read/write.

(screenshot: houndci private repo authorization, 2015-10-16 4:20 pm)

In this way, you only grant @houndci necessary permissions when it requires it.

But this still doesn't solve the problem if my app just requires a read scope, like Dasherize..

Manual Setup

Alternatively, maybe a manual setup of collaborators might help?

(screenshot: collaborator settings, 2015-10-18 3:03 pm)

Unfortunately not.

When you add a collaborator to a GitHub repo, the collaborator naturally has read and write permissions, and you can't change it.

What about Teams (for Organization repos only)? Can it grant Read-only permissions?

Yes. That might help!

You can create a special Team in the organization, grant the Team read-only access to the repo, and now you have a Read-only scope. But in most cases, manual setup is not the best UX experience. :cry:

(screenshot: Team read-only repository access, 2015-10-16 4:30 pm)

Recently, GitHub also added Read-only Deploy Keys, as another option to grant Read-only access to one single repo.

Many are speculating that this will eventually lead to a Read-only OAuth scope. I sure hope so.


In summary, we really hope that @GitHub can provide developers with a Read-only OAuth scope, so that app developers don't have to explain ourselves every time we use the repo scope.

In both deppbot and Dasherize, we are conscious of our decision in asking for read/write access to public and private repos because we went with the simplest solution for now to validate the ideas. Definitely, we should look into both Progressive Permissioning or Manual Setup when the apps get enough traction and feedback from users.

Thank you for reading.

@winston :pencil2: Jolly Good Code

About Jolly Good Code

We specialise in Agile practices and Ruby, and we love contributing to open source. Speak to us about your next big idea, or check out our projects.

winston avatar Oct 18 '15 07:10 winston
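As an added illustration of the Progressive Permissioning section above (example code written for this page, not code from deppbot, Dasherize or houndci): the app asks GitHub for `user:email` and `public_repo` at sign-up and only escalates to `repo` when the user opts in to private repos. The scope names and the authorize URL are GitHub's own; the `client_id` and `state` values, and the `SCOPE_GRANTS` table summarising what each scope implies (per the post, anything that reaches private repos also grants write), are assumptions for this example. The audit helper reads the `X-OAuth-Scopes` header that GitHub returns on API responses and flags a token that carries write access when the app only needs to read, which is exactly the over-privilege the post complains about for Dasherize.

```ruby
require "uri"

# Constructed summary of what each OAuth scope grants, as described in the post.
# There is no scope that gives read-only access to repo contents: public_repo
# and repo both imply write access.
SCOPE_GRANTS = {
  "user:email"  => { write: false, private: false },
  "public_repo" => { write: true,  private: false },
  "repo"        => { write: true,  private: true  },
}.freeze

# Progressive permissioning: the scope set for each stage of the flow.
#   :signup  -> email address plus public repos (read/write)
#   :private -> escalate to the repo scope, which covers private repos as well
def scopes_for(stage)
  case stage
  when :signup  then %w[user:email public_repo]
  when :private then %w[user:email repo]
  else raise ArgumentError, "unknown stage #{stage.inspect}"
  end
end

# GitHub's authorize endpoint takes a space-separated scope list.
# client_id and state are supplied by the caller (assumed values in the test).
def authorize_url(client_id:, state:, stage:)
  query = URI.encode_www_form(
    client_id: client_id,
    scope: scopes_for(stage).join(" "),
    state: state
  )
  "https://github.com/login/oauth/authorize?#{query}"
end

# GitHub reports the scopes a token actually carries in the comma-separated
# X-OAuth-Scopes response header. Compare that with what the app needs
# (:read and/or :write) and flag tokens that hold more than necessary.
def token_audit(x_oauth_scopes_header, needs:)
  granted = x_oauth_scopes_header.to_s.split(",").map(&:strip).reject(&:empty?)
  write   = granted.any? { |s| SCOPE_GRANTS.dig(s, :write) }
  private = granted.any? { |s| SCOPE_GRANTS.dig(s, :private) }
  {
    granted: granted,
    write_access: write,
    private_access: private,
    # A read-only app holding a write-capable token is over-privileged.
    over_privileged: write && !needs.include?(:write),
  }
end

if __FILE__ == $PROGRAM_NAME
  puts authorize_url(client_id: "EXAMPLE_CLIENT_ID", state: "EXAMPLE_STATE", stage: :signup)
  puts authorize_url(client_id: "EXAMPLE_CLIENT_ID", state: "EXAMPLE_STATE", stage: :private)
  # Constructed header value, as a dashboard-style app might see it after a user
  # granted the repo scope even though the app only reads.
  p token_audit("repo, user:email", needs: [:read])
end
```

The audit does not make the token any less powerful; it only makes the over-privilege visible so the app can tell the user, or log it, instead of silently holding write access it never uses.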

I would also love to have this - and am now creating a deploy user having only read access to all of our repos needed by our application. :+1:

bluta avatar Sep 15 '16 09:09 bluta

This is the first non-doc link from google I found when searching for how to get a read only scope.

I agree this is needed, users are going to question why we are asking for write access as well especially since it's highlighted and there's no way for them to know that we are only asking for it because we have no other option.

ayurkows avatar Sep 22 '16 17:09 ayurkows

I would definitely use this if it was a feature, my app doesn't need the write access that the current repo scope supplies, and as a developer I know I would only want to give the minimum permissions to an app if I were the user of my app.

alexmalik avatar Feb 24 '17 12:02 alexmalik

Plus one on this, breaks principle of least privilege

jnieuwhof avatar Mar 23 '17 00:03 jnieuwhof

It looks like this is on the horizon

sgen avatar Jul 27 '17 19:07 sgen

Can anyone with experience clarify here? I am looking for read only private repo scope, and don't see something like that in roadmap or existing settings. Maybe I am misinterpreting what was stated above.

ronaldpetty avatar May 09 '18 17:05 ronaldpetty

I have the same question. When an outside org such as Travis or BlackDuck or whatever wants access to my public repos I just want to give them read access so they can do their thing. I don't see why I would want to give them write access so how do I set that up?

deftio avatar Jul 18 '18 22:07 deftio

+1! I routinely start to set up integrations, then stop half way because I remember that there's no way to allow an integration read-only access to my GitHub account. Most recent was the Trello and Slack integrations.

The ability to modify code in a repo is basically the highest privilege you could grant, second perhaps only to deleting the repo. Most integrations are convenient tools for bringing GitHub data into other systems. If they need to write data it's probably only comments and PRs. These tools provide a lot of value, but given the security risk of having keys floating around that allow write access to all my repos I sadly have to ignore them all.

BernieSumption avatar Jul 26 '18 12:07 BernieSumption

Guess we're checking in on this from August 2018... Seems to be a pretty in-demand feature request. https://github.com/dear-github/dear-github/issues/113

udev avatar Aug 27 '18 21:08 udev

+1 as has been said, least privilege - there will always be situations where granting read only access makes sense.

Bob-Thomson-zz avatar Sep 27 '18 14:09 Bob-Thomson-zz

+1 least privilege access there are situations in corp/enterprise world when this is a must.

jimsmith avatar Sep 27 '18 15:09 jimsmith

And again, please add this functionality, we need this for CI/CD purposes, for example argocd which deploys apps in combination with Helm charts which depend on a values.yaml which is stored in a private repo where the config is stored. GitHub is not only for developers but also for gitops configuration. We need read only scope on personal access tokens per repo.

peterbosalliandercom avatar Dec 14 '18 15:12 peterbosalliandercom

Psst, Microsoft DevOps can do this. C'mon, git. Yes, I'm sure you think this would be redundant with deployment keys. Why it's a superior offering to have tokens:

  • It is far simpler to automate usage of these than a deployment key. SSH key setup is not a simple cross platform task to automate. Deployment keys needlessly add unneeded complexity and headache to cross platform deployment.

I beg you git, please consider repo specific read-only tokens.

NateZimmer avatar Dec 19 '18 19:12 NateZimmer

Read-only access oauth scope for private repositories is a much needed security feature that should also be available for pro github users..

willemdh avatar Jan 11 '19 16:01 willemdh

I thought scrolling this far down would reveal "here you go"! I thought wrong.

omairvaiyani avatar Jan 23 '19 22:01 omairvaiyani

It is clear a LOT of (pro) GitHub users would definitely need read-only access OAuth scope on their private repos. I'm really surprised that, more than 3 years after the initial post, GitHub still hasn't reacted on that matter!

tacticz avatar Feb 01 '19 13:02 tacticz

Read Access to repos is a necessary feature.

This is true regardless of account level. The reason why is, let's say a widely used 3rd party gets hacked (such as a CI provider or doc service). Then EVERY repo they have access to (means write access) could get corrupted. The scale of this kind of mayhem, even if it's possibly undoable by the individual repo owners, is poor security planning.

deftio avatar Mar 26 '19 17:03 deftio

Read-only access oauth scope for private repositories is a much needed security feature.

anupamaj83 avatar Apr 07 '19 10:04 anupamaj83

Seriously! Why is this not implemented?

d-rams avatar Jun 06 '19 01:06 d-rams

+1 for multiple reasons and to meet many requirements

datamgmt avatar Jun 11 '19 22:06 datamgmt

Can consolidate eyeballs at https://github.com/dear-github/dear-github/issues/113

choonkeat avatar Jun 12 '19 08:06 choonkeat

Yes. Please implement read only access to repository names. For example, my application only needs to show the names of the private and public repositories. I don't need anything else. Please add this :)

rmccullagh avatar Jun 29 '19 19:06 rmccullagh

I recently needed to use the git API programmatically to list my repos, and was pretty surprised to find that I could not create a token with readonly access to do this. The distinction between read and write feels like a pretty fundamental point at which to divide permissions. Would love to see this added!

jsdw avatar Sep 15 '19 21:09 jsdw

why is this still an issue? Do I really need to create a dummy github user to add as a read-only collaborator because this feature doesn't exist???

mattccrampton avatar Dec 01 '19 00:12 mattccrampton

Genuinely can't believe it's 2020 and this still hasn't been implemented.

AlexCatch avatar Jan 22 '20 19:01 AlexCatch

I can't wait until some 3rd party app that has been given all these permissions by users runs amok and damages literally 1000s of projects because GitHub didn't take security at scale seriously.

deftio avatar Feb 16 '20 08:02 deftio

GitHub didn't take security at scale seriously

Because in reality no one really cares. Who are you guys? Just a dozen people from all over the world.

For example, after our server was compromised and used as a botnet, I tracked down how it was hacked, sent the CTO all clues and articles, reported on how I'd update the software and improve the security, but the server was compromised anyway and it had a private GitHub key (with access to all our repositories, which even have passwords in them) stored -- I asked to regenerate the key and he said "later". I reminded him many times and after half a year he still hasn't done that. People really don't give a damn about security. Stop making fantasies, deal with it and stop worrying about bad GitHub security practices because your CTO won't give a damn anyway. Move on, heh. Otherwise, you'll realise that the only thing your bosses care about is what others think about them and it will be too late. In the end they decided to solve the problems by firing me -- now no one in the company knows or cares about security or process problems and surely they think "wow, after he left the overall mood became so much better, it's so cool and fun now".

So stop worrying about security. It is not important. It's a software industry. No one gives a damn.

Nakilon avatar Feb 16 '20 13:02 Nakilon

+1 still want this :)

woodyhayday avatar Feb 17 '20 12:02 woodyhayday

repo: Grants full access to private and public repositories. That includes read/write access to code, commit statuses, repository and organization projects, invitations, collaborators, adding team memberships, deployment statuses, and repository webhooks for public and private repositories and organizations. Also grants ability to manage user projects.

I'm really shocked that this isn't available in github. I can't create scripts with access tokens for my own private personal projects, without potentially compromising every organization I belong to?

Please, please, fix this problem. :pray:

kamni avatar Feb 18 '20 21:02 kamni

I am also shocked.

bwackwat avatar Feb 22 '20 00:02 bwackwat