Even after reading the docs on how Git Gateway interacts with GitHub and requests permissions (Git Gateway | Netlify Docs), it is fearsome to go ahead and click on “Authorize Netlify”.
The Decap CMS page did not alert me that more privileges would be required from my GitHub account.
Neither does the Netlify page.
And the Ask Netlify bot did answer that some permissions were required to read and write the repo (obviously).
But upon clicking on the ‘Enable Git Gateway’ button in my site configuration, I am basically being requested to grant access to all my repos at GitHub (not just the one for this site). Screenshot attached.
Or maybe I am reading this with too much paranoia?
Repositories Public and Private?
It is not apparent that this is scoped to a single repo.
Read and write all public and private repository data
Again, maybe I’m being too paranoid.
But the final note puts me in the Danger zone
“In addition to repository related resources” the scope grants access to manage organization attributes? organization-owned resources? projects?
So here it is really not apparent that permissions are requested in the scope of a single repository.
The wording and phrasing is managed by GitHub, not Netlify. We have no control over that. As far as the permissions are concerned, we only have the options provided by GitHub: Scopes for OAuth apps - GitHub Docs. In some cases, selecting a scope also grants some related permissions - again, all controlled by GitHub. If, after reading that scopes documentation, you find a scope that Netlify might be asking for with no reason, feel free to let us know.
My question, simplified, would be: if I ‘Authorize Netlify’, would all permissions apply only to the single repo / site? (YES, I have only given Netlify access to a single, restricted GitHub repo.)
Netlify GitHub App and Netlify Auth GitHub App are 2 different apps. Assuming you’re configuring the latter, it should be possible.
But this is a question GitHub support can answer more definitively, as I can’t speak for how GitHub will control access to repos with different settings. For example, the app might request permission to all repos, but if a user has configured the app to only be able to access a single repo, ideally GitHub should honour that over the app’s request, and I’d think that it does that. But if you’re too concerned, you can ask them to confirm.
I have just checked, and the single-repo restricted access is for the Netlify GitHub App.
The Netlify Auth GitHub App appears under [Authorized OAuth Apps] and does not seem to be restricted to a single repo. It seems to have access to all my private repositories. Will contact GitHub for clarification. Thanks again for the prompt responses.