As of October 2016, Code Climate no longer requires access to all private and public repositories when you OAuth into Code Climate via GitHub. Instead, we request two levels of GitHub permissions sequentially. GitHub has detailed documentation on exactly what each level of permissions permits.
To view the level of GitHub permissions you have granted to Code Climate and permit additional access, visit the GitHub settings area of your Code Climate user profile.
When you sign up with Code Climate using GitHub, or you decide to link your GitHub user at any time, you will be prompted to grant an access token with permission to view your user data only. In GitHub's terminology, this token has a scope of user:email. Code Climate uses this information to identify you when you log in.
If you would like to add or administer repositories as a GitHub linked user, you can go ahead and grant Code Climate access to those repositories on GitHub. Code Climate uses this access to install a read-only SSH key, set up webhooks, and send status updates on pull requests. When you go to add a repo, Code Climate will automatically send you over to GitHub requesting that you grant additional access to your repositories.
Note: Code Climate will never push code to your repos. We only require write access to install a read-only SSH key used during analysis to view code, and to send status updates to pull requests.
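As an added example (not Code Climate's or GitHub's own code), the check below reads the `scope` parameter of the GitHub authorization URL you are sent to at each step and reports anything beyond what that step should ask for. The page names only user:email; the `repo` scope for the second step, the client ID and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Scope this page names for the sign-in step.
IDENTITY_SCOPES = {"user:email"}
# ASSUMPTION: the page does not name the scope requested when adding
# repositories; "repo" is GitHub's scope for repository access.
REPO_SCOPES = IDENTITY_SCOPES | {"repo"}

def requested_scopes(authorize_url):
    """Return the set of scopes a GitHub authorization URL asks for."""
    parts = urlsplit(authorize_url)
    # Match the exact host so look-alike hosts are rejected.
    if parts.scheme != "https" or parts.hostname != "github.com":
        raise ValueError("not a GitHub authorization URL")
    if parts.path != "/login/oauth/authorize":
        raise ValueError("not the OAuth authorize endpoint")
    # A missing or empty scope parameter yields an empty set.
    raw = parse_qs(parts.query).get("scope", [""])
    scopes = set()
    for value in raw:
        # Scopes are space-delimited; commas are tolerated here too.
        scopes.update(value.replace(",", " ").split())
    return scopes

def unexpected_scopes(authorize_url, allowed):
    """Return the requested scopes that are not in the allowed set."""
    return sorted(requested_scopes(authorize_url) - allowed)

# Constructed sample URLs; EXAMPLE_CLIENT_ID is a placeholder.
BASE = "https://github.com/login/oauth/authorize?client_id=EXAMPLE_CLIENT_ID"
SIGN_IN = BASE + "&scope=user%3Aemail&state=abc"
ADD_REPO = BASE + "&scope=user%3Aemail+repo&state=def"
LOOKALIKE = SIGN_IN.replace("github.com", "github.com.example.invalid")

if __name__ == "__main__":
    print("sign-in extras:", unexpected_scopes(SIGN_IN, IDENTITY_SCOPES))
    print("add-repo extras:", unexpected_scopes(ADD_REPO, REPO_SCOPES))
    print("repo scope at sign-in:", unexpected_scopes(ADD_REPO, IDENTITY_SCOPES))
```

An empty result at each step means the request asks for no more than that step's tier.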
To confirm that you have successfully granted Code Climate access to both your user data and repositories on GitHub, visit your profile settings page. You may also look for Code Climate in the Authorized Applications list under your GitHub user settings, and confirm that you see these permissions:
While Code Climate does not request access to any particular GitHub organization when requesting OAuth permissions, the GitHub user experience around organization permissions can lead to customer confusion.
As for OAuth itself, GitHub does allow org admins to control which apps are allowed access to their org via OAuth App access restrictions.
To limit Code Climate's access to specific organizations, the following conditions must be met:
- It must be a GitHub organization, not a GitHub user.
- The GitHub organization must have OAuth App access restrictions enabled.
- The GitHub organization must not have previously approved Code Climate’s OAuth application (sometimes this has happened without the knowledge of the user).
If any of these 3 conditions are not met, GitHub will show the OAuthing user a screen indicating that access will be granted to the org in question.