Azure-devops-docs: What are the GitHub scopes needed when creating a personal access token?

Created on 14 Jul 2018  ·  8 Comments  ·  Source: MicrosoftDocs/azure-devops-docs

I'm trying to follow the principle of least privilege; however, I'm unclear which is the minimal set of scopes I should grant the personal access token I'm creating for the VSTS integration.



Most helpful comment

There is a better article outlining the permissions details here: https://docs.microsoft.com/en-us/azure/devops/pipelines/repos/github?view=azure-devops&tabs=yaml

Scraped from the PAT section.

Repository permissions for Personal access token (PAT) authentication
To create a pipeline for your repository with continuous integration and pull request triggers, you must have the required GitHub permissions configured. Otherwise, the repository will not appear in the repository list while creating a pipeline. Depending on the authentication type and ownership of the repository, ensure that the following access is configured.

If the repo is in your personal GitHub account
The PAT must have the required access scopes under Personal access tokens: repo, admin:repo_hook, read:user, and user:email.

If the repo is in someone else's personal GitHub account
The PAT must have the required access scopes under Personal access tokens: repo, admin:repo_hook, read:user, and user:email.
You must be added as a collaborator in the repository's settings under "Collaborators". Accept the invitation to be a collaborator using the link that is emailed to you.

If the repo is in a GitHub organization that you own
The PAT must have the required access scopes under Personal access tokens: repo, admin:repo_hook, read:user, and user:email.
You must be added as a collaborator, or your team must be added, in the repository's settings under "Collaborators and teams".

If the repo is in a GitHub organization that someone else owns
The PAT must have the required access scopes under Personal access tokens: repo, admin:repo_hook, read:user, and user:email.
You must be added as a collaborator, or your team must be added, in the repository's settings under "Collaborators and teams". Accept the invitation to be a collaborator using the link that is emailed to you.
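
One way to check an existing token against the scope list quoted above (an added example, not code from the Microsoft docs or from anyone in this thread): GitHub reports a classic PAT's scopes in the `X-OAuth-Scopes` response header, and the code below compares that header with the required set. The `IMPLIES` table is a partial copy of GitHub's documented scope hierarchy, and the function names and sample header values are constructed for illustration.

```python
import urllib.request

# Scopes named in the PAT section quoted above.
REQUIRED = {"repo", "admin:repo_hook", "read:user", "user:email"}

# Parent scope -> child scopes it implies (only the families relevant here).
IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "user": {"read:user", "user:email", "user:follow"},
}

def parse_scopes(header_value):
    """Split an X-OAuth-Scopes header value into a set of scope names."""
    return {s.strip() for s in (header_value or "").split(",") if s.strip()}

def effective(scopes):
    """The given scopes plus every child scope they imply."""
    out = set(scopes)
    for scope in scopes:
        out |= IMPLIES.get(scope, set())
    return out

def audit(header_value, required=REQUIRED):
    """Return (missing, excess) scope lists relative to the required set."""
    granted = parse_scopes(header_value)
    missing = required - effective(granted)
    # Excess: granted scopes that are neither required nor a child of one.
    excess = granted - effective(required)
    return sorted(missing), sorted(excess)

def fetch_scopes_header(token):
    """Read the scope header for a classic PAT from api.github.com."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"token {token}",
                 "User-Agent": "pat-scope-audit"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")

if __name__ == "__main__":
    # Constructed header values, not captured from a real token.
    for sample in ("repo, admin:repo_hook, read:user, user:email",
                   "repo, admin:repo_hook, user",
                   "public_repo, repo_deployment"):
        print(f"{sample!r}: missing/excess = {audit(sample)}")
```

A token granted the parent `user` scope satisfies the list but is reported as excess, because `user` also allows profile writes that `read:user` and `user:email` do not.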

All 8 comments

@gsacavdm see here for a more detailed explanation of each of the scopes: https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/

Check out repo and public repo... right now there is not like a "read-only" for code only type scope.

Thanks @mlearned, to confirm, you're saying that the only permission I need is repo_deployment / public repo, correct?

Is there a reason this isn't listed in this VSTS doc?

Ping @mlearned :)

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Ping @mlearned

ping @mlearned

This issue hasn't been updated in more than 180 days, so we've closed it. If you feel the issue is still relevant and needs fixed, please reopen it and we'll take another look. We appreciate your feedback and apologize for any inconvenience.
