Github integration (HA >= 2020.2): owned repos on the repo picker list

Proposed features/changes:

1. Show owned repos in the repo picker UI by default (currently only starred repos are appearing)
2. Allow to add a custom repo to the list

special +1 to the custom list (local), as I would appreciate it we wouldn’t have to go ‘public’ with our lists.

3. Expose attribute with repo path (useful for automations e.g. building url)

This seems like the configuration is just missing a scope in the Authorization step. I believe from looking at the the OAuth scopes the integration would just need to add repo to enable both public repos and the privately owned repos. Is there a reason this was chosen to not be done? Looking at the code for the integration it doesn’t request any scopes which only grants it access to public information.

Perhaps this could be an option in the config_flow asking the user if they wish to include their private repos. If they answer yes you add the scope if they answer no you keep the call the way it is.

As a follow up question to this is it because the repo scope has read/write access and github doesn’t allow for readonly access via the scopes?

Was there any movement on this? I’d love to be able to track a few private repositories for automation purposes!

Me too. Why not allow private repos to be monitored?

There wasn’t any response on this thread. My only assumption is it’s a security thing, as the scope required to get private repositories is a bit excessive.

Grants full access to public and private repositories including read and write access to code, commit statuses, repository invitations, collaborators, deployment statuses, and repository webhooks. Note: In addition to repository related resources, the repo scope also grants access to manage organization-owned resources including projects, invitations, team memberships and webhooks. This scope also grants the ability to manage projects owned by users.

I can only assume that the fact there isn’t a read only scope for private repositories is the reason for them not implementing this as of yet. Home Assistant has been extremely security conscious up to this point and I’m grateful even though I would love to be able to see my own private repos as well.

Are you sure it is not resolved yet? I can see my repos which are not starred.

I think that even documentation has changed and mentions now that the created by you repos are listed

image709×98 7.57 KB

Yes, I am certain. When the home assistant initiates an authentication request it does not ask for the necessary scope to retrieve private repositories. It can however retrieve personal repositories that are public and not starred.

I have verified on my home assistant instance and by looking at the integrations code.

I will say that since you, @maxwroc, are the OP of this thread, the determination does fall to you if your initial reason for starting the thread has been resolved. I will say others have since expanded potentially what your original intent was though.

This feature request was created for a different purpose. In the past on the “repo picker” only the starred repos were showing up. So even your repos which were public were not there. It was fixed at some point (don’t know when exactly).

I’m not sure whether it would be worth to create a new FR or use this one for this (another but related) ask. Up to you

I maintain the integration, and until GitHub add readonly tokens with repo scope, private will not be added.

You can however set up event based template sensors for those and fire a webhook to your instance.

Fine-grained PATs are now in beta. Any chance of this getting another look?

can you go into more details on this workaround? Does anyone know if this or a similar method is documented anywhere?

Would be great to add this now that fine grained tokens are a thing and you can select readonly access per repository