I have an OAuth app that's working fine. But my customers find the repo scope to be too overreaching because it wants to read/write all of their repositories. So I converted to a GitHub app. I can now install my app per repo. However, now I can’t list private repos, and the top-level flow starts there. Here are my steps:
- Redirect new user to auth flow (OAuth, scope=user:email)
- Exchange code for token (OAuth)
- List repos (OAuth token)
- Redirect to app install url for selected repo (GH app)
It is obvious I cannot list private repos because the scope doesn’t include repo. My question is how to do this right so that I can list private repos in step #3?