Our product has the ability to retrieve data about GitHub issues linked in a commit in a specific repository, as well as create comments on these issues with a link to the related product page, as well as test the connection to the repos endpoint for the organization and repository. It does this via the GitHub REST API. In order for this API to work, the user needs to register a personal access token. Out of the principle of “least access”, I’m wondering what the smallest permissions set is that this token can have. I assume it’s simply the repo permission, but enabling that also requires enabling repository invitations and security events scopes, so I was wondering if there is a way to restrict the scope even more.