This documentation states that the following scopes are required of a personal access token in order to match the behavior of the GraphQL Explorer:
user public_repo repo repo_deployment repo:status read:repo_hook read:org read:public_key read:gpg_key
However, the “repo” scope not only subsumes all of “public_repo”, “repo_deployment”, and “repo:status”, but also includes the additional “repo:invite” scope. This makes me wonder if the list has a bug in it. Is this correct?