Document what permissions github token for travis CLI login needs #645

Open
holyjak opened this issue Jan 8, 2019 · 5 comments


@holyjak

holyjak commented Jan 8, 2019

When creating a GitHub personal token to be used with

travis login --pro --github-token xxxx

what permissions does it need? I have noticed that it works if I give it all the Repo permissions - but a) does it really need all of these? b) does it need any others?

Please update the docs accordingly.

Thank you!

@NathanGibbs3

This confused me at first too.
I found that it actually uses the token available under my account settings on travis-ci.
--org and --com will of course have different tokens, but you can set up either or both to work with travis CLI.

@nicktimko

Agree that the permissions should be documented. It's horrifying for some 3rd party script to ask me for my GitHub password and encourages bad behavior. The ideal workflow would be something like the Heroku login which will fire up a localhost server, open your browser to whatever ID provider, then do a redirect with the token back to

In any event, after some monkeying I made a token with public_repo and read:user permissions and that seemed to sate travis login --org --github-token 1234.... The latter read:user may not be required; I started with just that and the script barfed at me. Added public_repo (public may be fine for just --org) and it worked. Didn't try with just it.

@iainjreid

I'm not sure if it was available when this ticket was opened, but there's a page outlining the permissions you need that can be found here: https://docs.travis-ci.com/user/github-oauth-scopes

In short, and if you're feeling lazy like me, here are the options you need to toggle when setting up a GitHub token to use with the CLI!

Travis CI for Private Projects

  • user:email (read-only)
  • read:org (read-only)
  • repo

Travis CI for Open Source Projects

  • user:email (read-only)
  • read:org (read-only)
  • repo_deployment
  • repo:status
  • write:repo_hook
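
One way to audit a classic personal access token against the two scope lists above (an added example, not part of the thread or of the Travis CLI): GitHub's API reports a classic token's scopes in the `X-OAuth-Scopes` response header, and the functions below print which listed scopes are missing and which granted scopes go beyond the list. The function names, the parent-scope table and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread. Scope lists copied from the comment above.
REQUIRED_PRIVATE="user:email read:org repo"
REQUIRED_OPEN_SOURCE="user:email read:org repo_deployment repo:status write:repo_hook"

# Print the X-OAuth-Scopes value from raw response headers on stdin, space-separated.
parse_scopes() {
  tr -d '\r' | awk 'tolower($0) ~ /^x-oauth-scopes:/ {
    sub(/^[^:]*: */, ""); gsub(/, */, " "); print }'
}

# Parent scopes that also grant scope $1 (GitHub's classic scope hierarchy).
implied_by() {
  case "$1" in
    user:email) echo "user" ;;
    read:org) echo "write:org admin:org" ;;
    repo_deployment|repo:status) echo "repo" ;;
    write:repo_hook) echo "admin:repo_hook" ;;
  esac
}

# missing_scopes REQUIRED GRANTED: required scopes not granted directly or via a parent.
missing_scopes() {
  for need in $1; do
    ok=no
    for cand in "$need" $(implied_by "$need"); do
      case " $2 " in *" $cand "*) ok=yes ;; esac
    done
    [ "$ok" = yes ] || printf '%s\n' "$need"
  done
}

# excess_scopes REQUIRED GRANTED: granted scopes that are not on the required list.
excess_scopes() {
  for have in $2; do
    case " $1 " in *" $have "*) ;; *) printf '%s\n' "$have" ;; esac
  done
}

# Constructed sample headers (not captured from a real account). Against a live token:
#   curl -sI -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/user | parse_scopes
SAMPLE_HEADERS='HTTP/2 200
content-type: application/json; charset=utf-8
x-oauth-scopes: repo, user
x-accepted-oauth-scopes:'

granted=$(printf '%s\n' "$SAMPLE_HEADERS" | parse_scopes)
echo "granted: $granted"
echo "missing for open source list:" $(missing_scopes "$REQUIRED_OPEN_SOURCE" "$granted")
echo "beyond open source list:" $(excess_scopes "$REQUIRED_OPEN_SOURCE" "$granted")
```

A parent scope such as `repo` satisfies `repo:status` and `repo_deployment` but is still reported as beyond the open source list, because it grants more than the listed scopes.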

@holyjak

holyjak commented Oct 16, 2019 via email

@sbellem

sbellem commented Dec 7, 2019

> I'm not sure if it was available when this ticket was opened, but there's a page outlining the permissions you need that can be found here: https://docs.travis-ci.com/user/github-oauth-scopes

Does anyone know what the scope should be for open source projects under .com? The above is for the legacy "version" in which open source projects are under .org.

I know it is mentioned in https://docs.travis-ci.com/user/github-oauth-scopes#travis-ci-for-open-source-and-private-projects:

On https://travis-ci.com, via our GitHub Apps integration, we ask for the following permissions:

  • Read access to code
  • Read access to metadata and pull requests
  • Read and write access to administration, checks, commit statuses, and deployments

But it does not have the same precision as in https://docs.travis-ci.com/user/github-oauth-scopes#legacy-webhooks, as mentioned in #645 (comment) by @iainreid820.
