We want to request a feature enabling us to attach a list of repositories to the `public_repo` OAuth scope. Since we don't know the username before the user logs in, we would need to specify, for instance, `orgname/reponame,reponame`, where the latter one would imply the repository is under the user's own namespace.
To explain our particular use case: we run a CTF competition that uses a Git repository as a public ledger of submissions (source code at https://github.com/pwn2winctf/NIZKCTF-js). Currently, users log in using the `public_repo` OAuth scope. Despite the application being open source, users do not have time to audit its source code and complain about having to give write access to all their public repositories.
This issue would be solved if the OAuth scopes were more granular. In our case, the application would need the following permissions:
- Fork a specific repository (e.g., `pwn2winctf/2020submissions`) to the user's account.
- Write access to a specific public repository (
- Making pull requests from a specific repository (`username/2020submissions`) to its upstream.
We kindly ask you to consider implementing this feature request and hope to contribute back by engaging the information security community in using GitHub even more.