22

I have a public github repo (which I created a few years ago). I have two-factor authentication enabled. I want to create a github API token to be able to push some changes to my repo.

What is the minimal set of scopes that I must select in the github "New personal access token" page to be able to push changes to this repo?

I want to avoid giving the token any rights that are unnecessary.

Fabian

4 Answers

22

According to the GitHub documentation, the scope for public repositories is public_repo, and for private repositories is repo.

A token with one of those scopes is the most limited access possible for Git push or pull access; however, that token can access all public (respectively, private) repositories and can also be used for certain API access as well. If that's of concern to you, you can use an SSH key for your personal account, or to restrict it even further, a read-write deploy key for the repo in question.

bk2204
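Two things a practitioner will want after reading the answer above: a way to confirm that a classic token really was issued with only public_repo (and not, say, repo plus workflow), and the deploy-key route that limits access to one repository. The script below is an added example and is not part of the answer or of GitHub's own tooling; it assumes GH_TOKEN holds a classic PAT, and the key path, OWNER/REPO and branch name are placeholders chosen by the reader. The scope check parses the X-OAuth-Scopes response header that GitHub's API returns for classic tokens, and it is exercised here on constructed headers so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the answer above: verify that a classic PAT
# carries only the intended scope, and push through a per-repository
# deploy key instead. Assumptions: GH_TOKEN holds a classic PAT; the key
# path, OWNER/REPO and branch are placeholders chosen by the reader.

# check_classic_scopes EXPECTED
# Reads raw HTTP response headers on stdin and succeeds only when the
# X-OAuth-Scopes header equals EXPECTED after whitespace normalisation,
# so a token issued with "repo, workflow" fails a check for "public_repo".
# Classic tokens report their scopes in this header; a missing header
# (fine-grained token, bad token) is treated as a failure.
check_classic_scopes() {
  expected=$(printf '%s' "$1" | sed 's/[[:space:]]*,[[:space:]]*/,/g')
  got=$(tr -d '\r' \
        | sed -n 's/^[Xx]-[Oo][Aa][Uu][Tt][Hh]-[Ss][Cc][Oo][Pp][Ee][Ss]:[[:space:]]*//p' \
        | head -n 1 \
        | sed 's/[[:space:]]*,[[:space:]]*/,/g; s/[[:space:]]*$//')
  [ -n "$got" ] && [ "$got" = "$expected" ]
}

# live_headers: fetch the API response headers for the token in GH_TOKEN
# (network call; pipe the output into check_classic_scopes).
live_headers() {
  curl -sS -o /dev/null -D - \
       -H "Authorization: Bearer ${GH_TOKEN:?set GH_TOKEN first}" \
       https://api.github.com/user
}

# deploy_key_push KEYFILE OWNER/REPO [BRANCH]
# Pushes over SSH with a read-write deploy key registered on one repository
# (generate it with: ssh-keygen -t ed25519 -N '' -f KEYFILE).
# IdentitiesOnly=yes stops ssh from offering account-wide agent keys first,
# so the push really is authenticated by the per-repo key.
deploy_key_push() {
  key="$1"; repo="$2"; branch="${3:-main}"
  GIT_SSH_COMMAND="ssh -i $key -o IdentitiesOnly=yes" \
    git push "git@github.com:$repo.git" "$branch"
}

# Stand-alone run on constructed headers (no network needed):
if printf 'HTTP/1.1 200 OK\r\nX-OAuth-Scopes: public_repo\r\n\r\n' \
     | check_classic_scopes public_repo; then
  echo "constructed token is limited to public_repo"
fi
if ! printf 'HTTP/1.1 200 OK\r\nX-OAuth-Scopes: repo, workflow\r\n\r\n' \
     | check_classic_scopes public_repo; then
  echo "constructed token is broader than public_repo"
fi
# Live check: live_headers | check_classic_scopes public_repo || echo "over-scoped"
```

Run the live check right after creating the token and again before handing it to any automation; a token that passes for public_repo can still read every public repository and call the non-Git API endpoints that scope allows, which is exactly the residual access the answer warns about and the deploy key avoids.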
7

Expanding on Yogev's answer, you can do the following to create a fine-grained personal access token (aka «PAT») with the least necessary privileges to commit changes to your repo:

  • Create a fine-grained PAT with these steps.
  • Under "Repository access" select "Only select repositories" and select the repo that you want to work with (authenticated pulls, commits, pushes etc.).
  • Under "Permissions" choose "Repository permissions" and set only "Contents" to access level "Read and write".

Then add the PAT to your GitHub workflow/action via the secrets context, e.g.:

name: push-with-pat
on: workflow_dispatch  # trigger and job name are placeholders
jobs:
  push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          token: ${{ secrets.NAME_OF_YOUR_PAT }}

More documentation also here.

Note: Fine-grained personal access tokens are still in beta (as of beginning of 2023) and subject to change. Discussion here.

petezurich
  • Thank you for this. I was trying to do the most basic push/pull, which is absolutely buried in the github docs – Frank Willmore Feb 15 '23 at 00:17
  • Thanks! The permissions list is too long and "Contents" too vague given that's what 99% of people will want to use it for. – Kevin Jul 09 '23 at 00:20
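Once the fine-grained token exists, the remaining risk is how it is handed to git. The common shortcut of putting it in the remote URL (https://TOKEN@github.com/...) writes it into .git/config and shell history, where it outlives the job that needed it. The script below is an added example, not part of the answer above or of GitHub's tooling: it pushes with the token supplied through an inline credential helper (works for classic and fine-grained tokens alike) and audits a git config for the embedded-token anti-pattern. It assumes GH_USER and GH_TOKEN are exported by the caller, and OWNER/REPO and the branch name are placeholders; the config it scans is constructed inline so the audit runs offline.

```shell
#!/bin/sh
# Added example, not part of the answer above: push with a PAT (classic or
# fine-grained) supplied through an inline credential helper, so the token
# never lands in the remote URL, .git/config or shell history, and audit an
# existing git config for the "https://TOKEN@github.com" anti-pattern.
# Assumptions: GH_USER and GH_TOKEN are exported by the caller; OWNER/REPO
# and the branch name are placeholders chosen by the reader.

# push_with_token OWNER/REPO [BRANCH]
# git runs the "!" helper with the credential request on stdin; the helper
# answers with username/password lines read from the environment at that
# moment. Nothing is written to disk and the remote URL stays clean.
# The ${VAR:?} expansions abort the call if either variable is unset.
push_with_token() {
  repo="$1"; branch="${2:-main}"
  GH_USER="${GH_USER:?}" GH_TOKEN="${GH_TOKEN:?}" \
  git -c credential.helper='!f() { printf "username=%s\npassword=%s\n" "$GH_USER" "$GH_TOKEN"; }; f' \
      push "https://github.com/$repo.git" "$branch"
}

# remote_has_embedded_token
# Reads a git config on stdin (a .git/config file or `git config --list`
# output) and succeeds when any github.com HTTPS URL carries credentials in
# its userinfo part, e.g.  url = https://ghp_...@github.com/OWNER/REPO.git
# or remote.origin.url=https://user:TOKEN@github.com/OWNER/REPO.git
remote_has_embedded_token() {
  grep -Eiq '^[[:space:]]*(remote\.[^.]+\.)?url[[:space:]]*=[[:space:]]*https?://[^/@[:space:]]+@github\.com'
}

# Stand-alone run on a constructed .git/config (no repository needed):
if printf '[remote "origin"]\n\turl = https://ghp_EXAMPLEtoken@github.com/OWNER/REPO.git\n' \
     | remote_has_embedded_token; then
  echo "token embedded in remote URL: rewrite it with git remote set-url"
fi
# Real use: git config --list | remote_has_embedded_token && echo "leaked token in config"
#           GH_USER=me GH_TOKEN=... push_with_token OWNER/REPO main
```

Inside the workflow from the answer, actions/checkout already configures the token it was given as the credential for later git commands in that job; the inline helper above is for pushes from a developer machine or from a script that is not using actions/checkout, and the audit is worth running on any clone that was ever set up with a token in its URL.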
2

Although it's been two years since the question was asked, there is now a solution from GitHub.

GitHub recently introduced a new feature called "fine-grained personal access tokens". https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github

Personal access tokens (classic) are given permissions from a broad set of read and write scopes. They have access to all of the repositories and organizations that the user could access, and are allowed to live forever. As an example, the repo scope provides broad access to all data in private repositories the user has access to, in perpetuity.

Fine-grained personal access tokens, by contrast, are given permissions from a set of over 50 granular permissions that control access to GitHub’s organization, user, and repository APIs. Each permission can be granted on a ‘no access’, ‘read’ or ‘read and write’ basis. As an example, you can now create a PAT that can only read issues and do nothing else – not even read the contents of a repository.

Yogev Neumann
0

As per JetBrains, the minimal set of scopes which are required is basically: repo, workflow, read:org, gist.

sp_360
  • Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jul 27 '23 at 12:35