37

I have a public GitHub repo (I created a few years ago). I have two-factor authentication enabled. I want to create a GitHub API token to be able to push some changes to my repo.

What is the minimal set of scopes that I must select in the GitHub "New personal access token" page to be able to push changes to this repo?

I want to avoid giving the token any rights that are unnecessary.

4 Answers

31

According to the GitHub documentation, the scope for public repositories is public_repo, and for private repositories is repo.

A token with one of those scopes is the most limited access possible for Git push or pull access; however, that token can access all public (respectively, private) repositories and can also be used for certain API access as well. If that's of concern to you, you can use an SSH key for your personal account, or to restrict it even further, a read-write deploy key for the repo in question.
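To check an existing classic token against the scopes named above, the following added example (not part of the original answer) reads the X-OAuth-Scopes response header that GitHub returns for classic tokens and lists every scope beyond the single one a push needs. The function names and the sample header values are constructed for illustration.

```python
# Added example (not from the answers): audit a classic PAT for push-only use.
import urllib.request

# Classic scopes that allow git push, by repository visibility (per the answer).
PUSH_SCOPES = {"public": {"public_repo", "repo"}, "private": {"repo"}}
# The narrowest classic scope that still allows the push.
MINIMAL = {"public": "public_repo", "private": "repo"}


def fetch_scope_header(token):
    """Return the X-OAuth-Scopes header GitHub sends for a classic token."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"token {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        # Empty string when the header is absent.
        return resp.headers.get("X-OAuth-Scopes", "")


def parse_scopes(header_value):
    """Split a header value such as 'repo, gist' into a set of scope names."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def audit(header_value, visibility):
    """Return (can_push, excess) for a token meant only to push to one repo.

    excess lists every granted scope other than the minimal one, so 'repo'
    is reported for a public repository because 'public_repo' is enough.
    """
    granted = parse_scopes(header_value)
    can_push = bool(granted & PUSH_SCOPES[visibility])
    excess = sorted(granted - {MINIMAL[visibility]})
    return can_push, excess


if __name__ == "__main__":
    # Constructed header values, so the demo runs offline.
    for sample in ("public_repo", "repo", "repo, workflow, read:org, gist"):
        print(f"{sample!r:40} -> {audit(sample, 'public')}")
```

For a live token, pass the result of fetch_scope_header(token) to audit() instead of a sample string.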

17

Expanding on Yogev's answer, you can do the following to create a Fine-grained personal access token (aka «PAT») with the least necessary privileges to commit changes to your repo:

  • Create a fine-grained PAT with these steps.
  • Under Repository Access select Only select repositories and select the repo that you want to work with (authenticated pulls, commits, pushes etc.)
  • Under Permissions choose Repository permissions and set only Contents to Access level -> Read and write.

Then add the PAT with context secrets to your GitHub workflow/action, e.g.:

runs-on: ubuntu-latest
steps:
  - uses: actions/checkout@v3
    with:
      token: ${{ secrets.NAME_OF_YOUR_PAT }} 

More documentation also here.

Note: Fine-grained personal access tokens are still in beta (as of the beginning of 2023) and subject to change. Discussion here.

3 Comments

Thank you for this. I was trying to do the most basic push/pull, which is absolutely buried in the GitHub docs.

Thanks! The permissions list is too long and "Contents" too vague given that's what 99% of people will want to use it for.

I absolutely agree with Frank and Kevin. They should just make a predefined access token for just creating/deleting branches and pushing commits and tags to them. Hiding that under "Contents" in a list of 30 other items that most people don't use is extremely unfriendly for users.

4

Although it's been two years since the question was asked and answered by @bk2204, GitHub has since introduced a solution.

In October 2022, GitHub introduced a feature called "fine-grained personal access tokens". https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github

Personal access tokens (classic) are given permissions from a broad set of read and write scopes. They have access to all of the repositories and organizations that the user could access, and are allowed to live forever. As an example, the repo scope provides broad access to all data in private repositories the user has access to, in perpetuity.

Fine-grained personal access tokens, by contrast, are given permissions from a set of over 50 granular permissions that control access to GitHub’s organization, user, and repository APIs. Each permission can be granted on a ‘no access’, ‘read’ or ‘read and write’ basis. As an example, you can now create a PAT that can only read issues and do nothing else – not even read the contents of a repository.

See @petezurich's comment for usage instructions.

1

As per JetBrains, the minimal set of scopes which are required is basically -> repo, workflow, read:org, gist.

1 Comment

Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
