Minimum scopes needed for personal access token

[hugovk]

When creating a personal access token for https://github.com/alex-page/github-project-automation-plus#private-repositories, what are the minimum scopes needed?

Are they different for a private repo or one you don't have admin access to?

Thanks!

[alex-page]

Thanks for opening this @hugovk. I will leave this issue open for now and add this content to the README.md file.

For an organization with private repositories you will need admin:org:

• Read and write org and team membership, read and write org projects

For private repositories you need repo:

• Grants full access to private and public repositories. That includes read/write access to code, commit statuses, repository and organization projects, invitations, collaborators, adding team memberships, and deployment statuses for public and private repositories and organizations. Also grants ability to manage user projects.

[hugovk]

Thank you, is the first bullet for orgs with public repos where you don't have admin access?

[alex-page]

Oh you might have trouble connecting issues from public repos without access. If you could do it I would assume the admin:org settings. Let me know though as I haven't tested it.

[hugovk]

We've tried with repo and admin permissions on a public repo, but we get "bad credentials". Any ideas?

python-pillow/Pillow#4078

@aclark4life, who created the personal access token, has admin access to the repo. @radarhere and me, who have created PRs that get the error, do not have admin access.

[hugovk]

Tested with a private repo: works with just the repo scope.

[alex-page]

@hugovk is this working now or still an issue with public repos without admin access?

[hugovk]

It's still an issue for public repos without admin access. (Working for private repos.)

[alex-page]

Ok I will try and have a look into this. Thank you @hugovk.

[hugovk]

Thanks, let me know if I help out by creating PRs on a test repo.

[alex-page]

@hugovk can you try again with v0.1.0. I just merged a pull request that changes what projects it searches. If this doesn't work can you paste your error message here?

[hugovk]

Here's a PR with v0.1.0: python-pillow/Pillow#4085

The log:

Run alex-page/github-project-automation-plus@v0.1.0
  with:
    project: Pillow
    column: New Issues
 ##[error]HttpError: Bad credentials
##[error]Bad credentials
##[error]Node run failed with exit code 1

https://github.com/python-pillow/Pillow/pull/4085/checks?check_run_id=233656551

[aclark4life]

@hugovk @alex-page I noticed the GH_PAT in my personal tokens hadn't been used yet, so I removed it. Let me know if I should recreate … thanks for working on this.

[hugovk]

Aha, so repo secrets are not available to forks at all, that explains why it hadn't been used.

See, for example:

• https://github.community/t5/GitHub-Actions/optional-read-write-permission-for-forked-repos/m-p/32624/highlight/true#M1203

[alex-page]

Oh that is frustrating. I assume that is a limitation of GitHub. Is there anything I can do with this project to help?

[hugovk]

Yeah, looks like a GitHub limitation. From another Action project: maxheld83/ghactions#262 (comment)

I guess the best this project can do is mention it's not currently possible. Hopefully GH will make it possible in the future!

Thanks for looking into this!