Handle Fine-Grained Personal Access Tokens in GitHub Import
We became aware that GitHub's Fine-grained personal access tokens handle scopes a little differently to their 'classic' tokens. Fine-grained tokens are still in beta. See https://docs.github.com/en/rest/authentication/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2022-11-28

With a classic token, the `repo` scope is required to import resources from GitHub, with the `repo:org` scope required to import collaborators.
Fine-grained tokens use 'permissions', which are configurable on the repository.
For importing public repositories without collaborators, the repository access required is the basic one: Public Repositories (read-only).

For importing public repositories with collaborators, the repository access required is All Repositories (read-only), with an additional Admin read access permission. However, one of `commit-status`, `contents`, `discussions`, `issues`, `pages`, or `prs` may also allow access to collaborators (I haven't had time to test them individually).

For importing private repositories with or without collaborators, additional permissions are needed to access all resources: All Repositories (read-only) with additional read access permissions for `commit-status`, `contents`, `discussions`, `issues`, `pages`, and `prs`. PLEASE NOTE: `admin` access is not required.
It's also possible to create a Fine-grained token for individual repositories, which would also need the same permissions to import resources.
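As an added example (not part of the GitLab importer or this issue), a small pre-flight probe that requests the endpoints the import reads and reports which ones a token cannot access. It assumes a GitHub REST API token and an `owner/name` repository; `get` is injectable so the probe can be exercised offline with canned responses.

```python
"""Pre-flight probe of the GitHub endpoints an import needs to read.

Added example, not GitLab code. Assumes a GitHub REST API token and an
`owner/name` repository; `get` is injectable for offline testing."""
import urllib.error
import urllib.request

API = "https://api.github.com"

# Import resource -> endpoint that reads it. Collaborators are the one
# resource that needs an extra permission beyond read access.
PROBES = {
    "contents": "/repos/{repo}",
    "issues": "/repos/{repo}/issues?per_page=1",
    "prs": "/repos/{repo}/pulls?per_page=1",
    "collaborators": "/repos/{repo}/collaborators?per_page=1",
}


def http_get(path, token):
    """Return the HTTP status of a GET against the GitHub REST API."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def missing_access(token, repo, with_collaborators=True, get=http_get):
    """List the import resources the token cannot read.

    A fine-grained token lacking a permission answers 403, and a private
    repository it cannot see at all answers 404; anything but 200 counts
    as missing, so the importer can fail fast with a clear message."""
    wanted = [r for r in PROBES if with_collaborators or r != "collaborators"]
    return [r for r in wanted if get(PROBES[r].format(repo=repo), token) != 200]


def token_kind(token):
    """Classify by prefix: fine-grained tokens start with github_pat_,
    classic ones with ghp_ (other prefixes are reported as unknown)."""
    if token.startswith("github_pat_"):
        return "fine-grained"
    return "classic" if token.startswith("ghp_") else "unknown"


if __name__ == "__main__":
    import os, sys
    tok, repo = os.environ["GITHUB_TOKEN"], sys.argv[1]
    print(token_kind(tok), "token; missing:", missing_access(tok, repo))
```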
We need to discuss how we should handle Fine-grained tokens:

- As they are still in beta, do we want to support them?
- Should we instead advise against using fine-grained tokens?
Either way we will need to update our documentation.