GitHub permissions too onerous

Hi,

I wanted to try out streamlit cloud, but am unable to give such incredibly broad access. Controlling all the webhooks on a repo? Had I got past this stage, another user reports requiring to give full read and write access to the repo itself?

Are there any options for, well, not requiring this? I can edit webhooks & the repo can be public.

Cheers
Ian

Hi @Ian_Calvert -

We are aware of this; unfortunately, it is GitHub that bundles all these permissions together. We’ve contacted them about making them more fine-grained, but we are a relatively small fish in their pond :)

Best,
Randy

Wow.

I’ve hit this kind of issue with GH before, and had initially written out a broad thing around manual additions of things and public repos but hadn’t spotted GH don’t support OAuth read-only access at all. Even to public repos. Even just raw git allows that! There’s no reason for GH to not allow that!

There’s a side still available to us, which would be manual additions of webhooks + you reading the code using git, but I appreciate that’s significant dev effort. Or a manual push of code?

Source for anyone that hits this in some search: Scopes for OAuth Apps - GitHub Docs

Thanks for the fast response.

One thing we suggest to our corporate customers who are concerned about this is having a “streamlit cloud prod” repo separate from code they do not want to share. Obviously, that’s suboptimal, but it does provide a workaround to not have the entire organization’s code read/writable.

I don’t understand why we couldn’t manually add proper webhooks to a public git repo. Why wouldn’t that work?