Please don't be evil with regards to Github permissions <3 <3 xox?

Why does Netlify require extremely broad GitHub permissions, and how can I disable these while retaining functionality? I don’t want Netlify to have write functionality to my repositories.

The thing is, I otherwise like Netlify, but I consider this default behavior to be slightly evil.

hi there nuno,

happy to speak on this! first, can you tell me whether this is just related to using Netlify with CI from github, or are you also using Netlify CMS or something similar?

Reason i ask is that the things Netlify needs to do on your behalf are a bit different depending on implementation.

Hi Perry,

I’m using CI from Github, i.e., I am pushing stuff to Github, Netlify is detecting that there is new content, and building my site anew.

Gotcha. Glad to hear you like netlify!

So, first things first - feel free to only pick those specific repo(s) that Netlify is deploying as authorized repos, meaning, you can give Netlify global permissions to be aware of all of your GH repos, which is obviously useful for those folks who have many different sites (and some people have hundreds), but maybe not necessary for someone who only has 1 site that they regularly deploy. that obviously cuts down on access to your github account overall.

secondly, Netlify doesn’t need write access to the code itself, just the things in that screenshot - PRs (we write a PR status update and some other things when we generate a deploy preview) so it’s useful to consider things on a slightly more granular level. In your screenshot you have those areas where we do need write access, but it is actually not as broad as it might seem at first. Unless i’m mistaken, we don’t want to actually write to the actual codebase, for example.

Thirdly - you can absolutely use Netlify without the CI, for example, you can deploy via drag n drop. You don’t even need github for that, nor a netlify account :man_shrugging: So that is a super lightweight option.

or use the CLI to manually push builds. I do believe we need some permissions for that too, but we can get some more specific info for you on that if you like.

overall, there is zero intention to be in any way indiscriminate with our access!

Maybe this answers your questions, if not, i can get someone else’s :eyes: on this who can speak to this in more detail if you like.
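
Added example, not part of the thread and not Netlify's code: a small audit of GitHub App installations that checks the two points discussed above, whether an app is limited to selected repositories and whether any write grant reaches the code itself rather than just PRs and statuses. The sample data is constructed in the shape of GitHub's `GET /user/installations` response, and the `CODE_WRITE` policy set is an assumption.

```python
import json

# Constructed sample shaped like GitHub's REST response for
# GET /user/installations. The ids, slugs and permission values are
# made up for illustration and are not Netlify's actual grants.
SAMPLE = json.loads("""
{"installations": [
  {"id": 1001, "app_slug": "example-deploy-app",
   "repository_selection": "all",
   "permissions": {"metadata": "read", "contents": "write",
                   "pull_requests": "write", "statuses": "write"}},
  {"id": 1002, "app_slug": "example-preview-app",
   "repository_selection": "selected",
   "permissions": {"metadata": "read", "contents": "read",
                   "pull_requests": "write", "checks": "write"}}
]}
""")

# Assumed policy: permissions whose write level lets an app change
# repository code, CI workflows or repository settings.
CODE_WRITE = {"contents", "workflows", "administration"}


def audit(installation):
    """Return least-privilege findings for one installation record."""
    findings = []
    if installation.get("repository_selection") == "all":
        findings.append("access to all repositories, not a selected list")
    perms = installation.get("permissions", {})
    for name in sorted(perms):
        level = perms[name]
        if name in CODE_WRITE and level in ("write", "admin"):
            findings.append(f"{name}: {level} (can modify code or settings)")
    return findings


def audit_all(doc):
    """Map each app slug to its findings; an empty list means none."""
    return {i["app_slug"]: audit(i) for i in doc.get("installations", [])}


if __name__ == "__main__":
    for slug, findings in audit_all(SAMPLE).items():
        print(slug, "->", findings or "ok")
```

To run it against a real account, replace `SAMPLE` with the JSON returned by that endpoint for your own user.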