I have a GitHub account connected to 3 organisations with OAuth app access restrictions. Additionally, this account has forked private repos from within those organisations (due to not having write access to every repo in the org, this is the best way we know to raise a PR against them).
When an OAuth app (in this case, CodeSandbox) requests access to my GitHub account, it specifies read and write access to public and private repositories. Below, all the orgs have an x and a message saying that until approved, the app cannot access private data of the orgs. This is good, as I do not want to grant access to the orgs' private data.
- Would the forked private repos from the org be readable for an app enabled to read private repos on my account, given that they were forked from an org with OAuth app restrictions?
- If those forked repos were not on my account (say I deleted them), would there be any way for an org to be compromised by an app being given OAuth access to my account, provided those orgs always have OAuth app restrictions and never allow that app?
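Whatever the answer to the question, the account owner is better placed to decide if they know exactly which private forks of org-owned repositories exist under their own login before authorising an app that asks for the `repo` scope (the GitHub scope that covers private repositories; `public_repo` does not). The Python below is an added example, not part of the original post and not GitHub's own code: it inventories such forks from repository metadata. The records are constructed to mirror the field names of GitHub's `GET /repos/{owner}/{repo}` response (`fork`, `private`, `owner.login`, `parent`), which is an assumption about that response's shape, and the org and repository names are placeholders.

```python
"""Inventory private forks of org-owned repositories on a personal GitHub account.

Added example (not from the original post, not GitHub's code). The repository
records are constructed to look like GitHub's `GET /repos/{owner}/{repo}`
response; the `parent` object is only present on that per-repo endpoint, not
on the `GET /user/repos` listing, which is why a real run would fetch each
fork individually. Org and repo names are placeholders.
"""
from typing import Iterable

# Placeholder org names standing in for the three orgs with OAuth app restrictions.
RESTRICTED_ORGS = {"org-a", "org-b", "org-c"}

# Constructed sample: one private fork of a restricted org, one public fork,
# one private non-fork, and one private fork of another personal account.
SAMPLE_REPOS = [
    {
        "full_name": "me/tool",
        "private": True,
        "fork": True,
        "owner": {"login": "me"},
        "parent": {"full_name": "org-a/tool", "owner": {"login": "org-a"}},
    },
    {
        "full_name": "me/website",
        "private": False,
        "fork": True,
        "owner": {"login": "me"},
        "parent": {"full_name": "org-b/website", "owner": {"login": "org-b"}},
    },
    {
        "full_name": "me/notes",
        "private": True,
        "fork": False,
        "owner": {"login": "me"},
    },
    {
        "full_name": "me/dotfiles",
        "private": True,
        "fork": True,
        "owner": {"login": "me"},
        "parent": {"full_name": "friend/dotfiles", "owner": {"login": "friend"}},
    },
]


def forks_of_restricted_orgs(repos: Iterable[dict], restricted_orgs: set) -> list:
    """Return (fork, upstream) pairs for private forks whose parent is owned
    by one of the restricted orgs. Public forks and non-forks are skipped."""
    flagged = []
    for repo in repos:
        if not repo.get("fork") or not repo.get("private"):
            continue
        parent = repo.get("parent") or {}
        parent_owner = parent.get("owner", {}).get("login")
        if parent_owner in restricted_orgs:
            flagged.append((repo["full_name"], parent.get("full_name")))
    return flagged


def requests_private_repo_access(scopes: Iterable[str]) -> bool:
    """True if an OAuth authorisation request includes the `repo` scope,
    which on GitHub covers private repositories (`public_repo` does not)."""
    return "repo" in set(scopes)


def review_summary(repos: Iterable[dict], scopes: Iterable[str],
                   restricted_orgs: set) -> dict:
    """Combine the two checks into one record for the person deciding
    whether to authorise the app."""
    flagged = forks_of_restricted_orgs(repos, restricted_orgs)
    return {
        "private_scope_requested": requests_private_repo_access(scopes),
        "private_org_forks": flagged,
        "needs_review": requests_private_repo_access(scopes) and bool(flagged),
    }


if __name__ == "__main__":
    summary = review_summary(SAMPLE_REPOS, ["repo", "user:email"], RESTRICTED_ORGS)
    for fork, upstream in summary["private_org_forks"]:
        print(f"private fork {fork} has upstream {upstream}")
    print("needs review:", summary["needs_review"])
```

Against the constructed sample only `me/tool` is reported: the public fork is not private data, `me/notes` is not a fork, and `me/dotfiles` comes from a personal account rather than one of the restricted orgs. The `needs_review` flag is true only when the app asks for `repo` and at least one such fork exists, which is the combination the question is about.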