Please confirm you have the access/permissions you expect to have

[banesullivan]

@pyvista/maintainers and @pyvista/developers, please help verify the org migration landed cleanly.

PyVista has surpassed 1M downloads/month and is now a load-bearing dependency for scientific workflows at a lot of organizations. The blast radius of an org-level mistake is much bigger than it used to be. A compromised maintainer token or a misplaced repo grant could push bad code into a lot of workflows fast. This migration is an effort to tighten up our security posture in light of all the recent supply chain attacks.

We migrated PyVista's GitHub org management to Infrastructure as Code here. Everything now lives in this repo as declarative YAML: org members, teams, repo access, and security policies. Every change flows through a PR with a dry-run diff before it touches live org state. The README has the full picture.

Since the migration removed 10+ inactive members and pruned outside collaborators, there's a real chance someone's access slipped unintentionally. Please work through the checklist below and comment with anything that looks wrong.

Checklist

• Read the README and understand how team structure and access work now.
• Checked org.yaml and confirmed I'm in the team(s) I expect.
• I can clone, push a branch, and open a PR on the repos I actively work on.
• If I'm in maintainers, I can merge PRs where my approval is required.
• I accepted any GitHub org invite I received.
• 2FA is enabled on my GitHub account (now required org-wide).
• I don't see any repo I expected access to that is now read-only or missing.
• I don't see any repo I expected to be private where I now have unexpected access.
• I'm not listed as an outside collaborator on any pyvista repo (check the repo's Settings → Collaborators if unsure; should have been pruned).
• The admin repo's PR flow looks sane: dry-run runs on my PRs, CODEOWNERS review is required before merge.

If something is off

• Missing access you need: open a PR moving your handle into the right team in org.yaml, or comment here and I'll do it.
• Access you have that you shouldn't: comment here or PR the fix.
• Team layout feels wrong: open a new issue. The structure is easy to change and we likely want to move away from our current wide-reaching team structure (currently, developers get write access to ALL repositories in the org... probably not the best situation)
• Security concern: email support@pyvista.org or raise on the Slack as a Direct Message. Don't post it on this issue.

Thanks for bearing with the churn!

[user27182]

I can no longer push changes from remote. I was previously using a personal access token (PAT), it seems this is no longer allowed:

% git push
remote: Personal access tokens (classic) are forbidden from accessing this repository.

I tried using the newer-style PAT, but it seems I can only create one with read-only access... ? Is it correct that PAT is no longer allowed? Is using SSH required instead?

Setting up remote access has always been a big pain for me in the past. It's likely I don't understand how this is all supposed to work. Any tips?

[banesullivan]

Sorry abut this interuption, @user27182!

You're not missing anything, yes, classic PATs are blocked org-wide now. Long-lived write tokens are the highest-risk credential for supply-chain attacks, so we turned them off as part of the migration. Fine-grained PATs technically work, but for any write access to a pyvista repo an org owner has to approve the token per-request, and until that happens GitHub shows it as read-only which I think is the "read-only" behavior you hit. It's workable but not something I'd recommend for day-to-day work.

The simple fix is SSH. One-time setup, then you never think about auth again. Two ways to do the same thing

Easiest: use the gh CLI

The GitHub CLI can generate the key, upload it to your account, and wire up git in one shot:

brew install gh        # https://cli.github.com for other platforms
gh auth login

At the prompts pick: GitHub.com → SSH → yes, generate a new SSH key → authenticate via browser.

You will need to still run git remote set-url on repos you already cloned over HTTPS (see note at end as same for both)

Manual

1. Generate a key:

   ssh-keygen -t ed25519 -C "<your-user-id+name@noreply.github.com>"

2. Copy the public key to your clipboard:

   pbcopy < ~/.ssh/id_ed25519.pub     # macOS
   # or: cat ~/.ssh/id_ed25519.pub    # Linux, then copy the output

3. Paste it into https://github.com/settings/ssh/new (any title works ("laptop" is fine))
4. Check that all works:

   ssh -T git@github.com

   Expect: Hi <your-handle>! You've successfully authenticated...

Update your remote URL

Point your existing clones at the SSH URL instead of HTTPS:

 git remote set-url origin git@github.com:pyvista/<repo>.git

If either path blows up, I'm happy to help sort it out with you or if you don't want to follow up on this public facing issue you can email me: bane at pyvista dot org

[user27182]

Thanks for the tips, will try SSH and report back if I run into any problems.