Oauth scope (permissions) during github integration are excessive #2059
Description
I am testing github integration for several Autolab courses. Autolab is latest -- v2.12.0.
Docs claim a minimal set of permissions:
Git Submission works by having students performing OAuth with your Github
application in order to be granted access to access their private repositories.
Only the minimum set of permissions to achieve this is requested.
https://docs.autolabproject.com/features/git-submission/
But when I attempt to connect my git account with Oauth I am presented with an authorization request which looks like:
Repositories
Public and private
This application will be able to read and write all public and private repository data. This
includes the following:
Code
Issues
Pull requests
Wikis
Settings
Webhooks and services
Deploy keys
Collaboration invites
Note: In addition to repository related resources, the repo scope also grants access to
manage organization attributes and organization-owned resources including projects,
invitations, team memberships and webhooks. This scope also grants the ability to
manage projects owned by users.
Is this the intended "minimum set of permissions" to pull the tgz -- Read/Write/Manage looks like administrator scope at my organization level, *.*
I tested with a newly created non associated GitHub account just in case there was weirdness with the Oauth app and requesting user being in the same organization. Same result.
What permissions should this be requesting? Is there some flag or configuration I need to change to achieve a minimal permission request? Is there something I need to change about the GitHub app itself?