Proposed features/changes:
- Show owned repos in the repo picker UI by default (currently only starred repos are appearing)
- Allow to add a custom repo to the list
special +1 to the custom list (local), as I would appreciate it we wouldnât have to go âpublicâ with our lists.
2 Likes
- Expose attribute with repo path (useful for automations e.g. building url)
This seems like the configuration is just missing a scope in the Authorization step. I believe from looking at the the OAuth scopes the integration would just need to add repo to enable both public repos and the privately owned repos. Is there a reason this was chosen to not be done? Looking at the code for the integration it doesnât request any scopes which only grants it access to public information.
Perhaps this could be an option in the config_flow asking the user if they wish to include their private repos. If they answer yes you add the scope if they answer no you keep the call the way it is.
1 Like
As a follow up question to this is it because the repo scope has read/write access and github doesnât allow for readonly access via the scopes?
Was there any movement on this? Iâd love to be able to track a few private repositories for automation purposes!
Me too. Why not allow private repos to be monitored?
There wasnât any response on this thread. My only assumption is itâs a security thing, as the scope required to get private repositories is a bit excessive.
Grants full access to public and private repositories including read and write access to code, commit statuses, repository invitations, collaborators, deployment statuses, and repository webhooks. Note: In addition to repository related resources, the
reposcope also grants access to manage organization-owned resources including projects, invitations, team memberships and webhooks. This scope also grants the ability to manage projects owned by users.
I can only assume that the fact there isnât a read only scope for private repositories is the reason for them not implementing this as of yet. Home Assistant has been extremely security conscious up to this point and Iâm grateful even though I would love to be able to see my own private repos as well.
Are you sure it is not resolved yet? I can see my repos which are not starred.
I think that even documentation has changed and mentions now that the created by you repos are listed
Although it is still little bit ambiguous.
Yes, I am certain. When the home assistant initiates an authentication request it does not ask for the necessary scope to retrieve private repositories. It can however retrieve personal repositories that are public and not starred.
I have verified on my home assistant instance and by looking at the integrations code.
I will say that since you, @maxwroc, are the OP of this thread, the determination does fall to you if your initial reason for starting the thread has been resolved. I will say others have since expanded potentially what your original intent was though.
This feature request was created for a different purpose. In the past on the ârepo pickerâ only the starred repos were showing up. So even your repos which were public were not there. It was fixed at some point (donât know when exactly).
Iâm not sure whether it would be worth to create a new FR or use this one for this (another but related) ask. Up to you
I maintain the integration, and until GitHub add readonly tokens with repo scope, private will not be added.
You can however set up event based template sensors for those and fire a webhook to your instance.
Fine-grained PATs are now in beta. Any chance of this getting another look?