Investigate more secure option instead of Personal access token

[krystof-k]

Personal access token with repo scope has full access to all user's repositories, which may be a security risk (as it is possible to extract the token from the CI system variable).

[krystof-k]

Message from GitHub support:

Hey Kryštof,

Thanks for getting in touch and asking about this!

There isn't an OAuth scope that would allow you either read, write, or read+write access for a single repository.

We understand that you don't want to grant applications permissions they don't need, and these applications probably don't even want to ask you for these permissions. In some cases, this might even prevent you from using an application.

It's a very important topic and we're glad you're bringing it up with us. Providing more granular OAuth scopes is already the biggest blip on the API team's radar and it's something we'd love to do. However, we can't make promises about if and when the scopes you wished for might be available -- the API team is rolling out additional scopes as they are completed.

The best way to keep track of changes is to follow the API blog, and ping us if you have any questions about the available scopes:

https://developer.github.com/changes/

Improving this situation about scopes is something the team has been working on. You might want to check out the recently-announced GitHub Apps (formerly Integrations) feature:

https://developer.github.com/apps/

GitHub Apps allow per-repository access and more finely-grained scopes, including granular permissions for pull requests (none, read, or read+write):

https://developer.github.com/v3/apps/permissions/#permission-on-pull-requests

If you decide to take a look and give it a try -- please post any questions and feedback on the forum (that's where the team is collecting feedback):

https://github.community/t5/GitHub-API-Development-and/bd-p/api

Have a great rest of your day!

All the best,
Francis