logoalt Hacker News

_joeltoday at 1:27 PM1 replyview on HN

You give apps explicit access to repos (or the full org). If you chose full org, what do you expect?


Replies

stingraycharlestoday at 3:12 PM

Giving an app full scope to all repos in an org does not automatically imply that it would leak information from private repo A in comments on public repo B. That’s the issue being discussed here.

Like I said earlier, I can see both points of view, and I think the answer is more granular scoped permissions (eg on a per-workflow basis). Right now the permissions are crude.