Setting GitHub OAuth Permission Levels

Granting access to users, repositories, and organizations

Code Climate requests the following GitHub permissions:

  • user:email - requested when signing up using GitHub. An email address is required to create a Code Climate user.

  • public_repo - requested when adding a public repo to Code Climate. This access allows us to install a read-only SSH key, set up a webhook, and write commit statuses to public repos.

  • repo - requested when adding a private repository to Code Climate. This access allows us to install a read-only SSH key, set up a webhook, and write commit statuses to private repos.

The repo and public_repo scopes grant read and write access to code. While we will never write code to your repository, these OAuth scopes are currently the narrowest that GitHub supports for our use case (there is no repo:read scope, for example).

To view and edit Code Climate's GitHub permissions, visit the GitHub settings area of your Code Climate user profile.

Access to Organizations

While Code Climate does not request access to any particular GitHub organization when requesting OAuth permissions, the GitHub user experience around organization permissions can lead to customer confusion.

As far as OAuth is concerned, GitHub does allow org admins to control which apps are allowed access to their org via OAuth App access restrictions.

To limit Code Climate's access to specific organizations, the following conditions must be met:

  1. It must be a GitHub organization, not a GitHub user.
  2. The GitHub organization must have OAuth App access restrictions enabled.
  3. The GitHub organization must not have previously approved Code Climate’s OAuth application (sometimes this has happened previously without the knowledge of the user).

If any of these 3 conditions is not met, GitHub will show the authorizing user a screen indicating that access will be granted to the org in question.

For customers who would like Code Climate to analyze their personal, private repositories, the repo scope provides us access to these repositories. GitHub does not currently support an OAuth permission which grants organizational access without personal access.

Troubleshooting

To confirm that you have successfully granted Code Climate access to both your user data and repositories on GitHub, visit your profile settings page. You may also look for Code Climate in the Authorized Applications list under your GitHub user settings, and confirm that you see these permissions:
