Does Stoplight really need such expansive GitHub permissions?

I am reviewing Stoplight and was interested in connecting Stoplight to a private repo in my GitHub organization, but the amount of permissions that the Stoplight app is requesting seemed excessive (see below) – Stoplight is requesting read/write access to all repos in the entire organization, as well as other access to resources like team lists and project boards that hardly seems appropriate.

Are there any plans to instead become a GitHub App rather than an OAuth app? Then the GitHub organization administrators can grant Stoplight access to just the necessary repository.

Hi @gscott! We have more information on why we need these scopes in our knowledge base here for reference, but the tl;dr is that these scopes are needed so that you can read and write API specs, JSON Schema models, and other Stoplight-related files to your repositories when working within Studio.

I understand how the “repo” scope (the last item in your screenshot) looks scary, but unfortunately GitHub doesn’t provide a scope that limits an app just to reading/writing data to a repository itself. It’s currently all or nothing when it comes to repo access.

Here are a couple options if you are concerned with these scopes:

  • The Studio Desktop application is a local desktop app that allows you to work with your files locally on your computer, completely offline.

  • Users of Stoplight Enterprise can bring their own OAuth Application credentials for configuring VCS access, which would bring everything under your org’s control.

Regarding plans to become a GitHub App, I’m not aware of any immediate plans to do this, but I’ll be sure to forward this idea along to the team for consideration.

I hope that helps! Let me know if anything is unclear.

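Added example (not from this thread, Stoplight, or GitHub): a small Python audit that expands an OAuth token's scope list through GitHub's documented scope hierarchy and reports whether it amounts to organisation-wide repository write access, which is the "all or nothing" problem described above. The header value and the accepted-scope set are constructed for illustration.

```python
"""Audit a GitHub OAuth token's scopes against what you are willing to grant."""

# Parent scope -> scopes it implies, per GitHub's published OAuth scope list.
IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "user": {"read:user", "user:email", "user:follow"},
    "project": {"read:project"},
}

# Constructed sample: the comma-separated X-OAuth-Scopes header GitHub's API
# returns on responses authenticated with an OAuth token.
SAMPLE_HEADER = "repo, read:org, admin:org, read:user"
# Constructed policy: the broadest grant the reviewer would accept.
ACCEPTED = {"repo"}


def parse_scopes(header_value):
    """Split an X-OAuth-Scopes header into a set of scope names."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand(scopes):
    """Return the effective scope set, following implied scopes transitively."""
    effective, stack = set(scopes), list(scopes)
    while stack:
        for child in IMPLIES.get(stack.pop(), ()):
            if child not in effective:
                effective.add(child)
                stack.append(child)
    return effective


def audit(scopes, accepted):
    """Compare a requested scope set with an accepted baseline."""
    effective = expand(scopes)
    return {
        "effective": sorted(effective),
        # Requested scopes already covered by another requested scope.
        "redundant": sorted(s for s in scopes
                            if any(s in expand({p}) for p in scopes if p != s)),
        # Effective scopes beyond what the baseline would grant.
        "excess": sorted(effective - expand(accepted)),
        # "repo" is the only scope that writes to every repo the user can reach.
        "org_wide_repo_write": "repo" in effective,
    }


if __name__ == "__main__":
    print(audit(parse_scopes(SAMPLE_HEADER), ACCEPTED))
```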

I appreciate the response. Yes, if your team goes the “GitHub App” approach, repo scope can be provided on a repo-by-repo basis, not the entire organization. The permissions are more granular.

Thanks for the tip of just working locally. I assume that means I have to do my own commits and pushes which is fine. I set up a test of that and it works. But then if I go this route, won’t I be unable to publish? When I attempt this, Stoplight comes back: “You must be connected to a Git repo.”

And since you don’t offer any way to host the generated docs other than at stoplight.io, wouldn’t you say that the GitHub permissions are required?

Am I missing anything? Just doing a thorough evaluation here. You all are making something incredibly cool, and I want to use it!

I have this exact same question / issue. I’m VERY hesitant to give Stoplight open permissions to my GitHub account. As such, I’ve created an account using the standard username / password route. But now I have no idea if it’s possible to publish?

I’m also evaluating this tech for my business. I’d like to use it, but those GitHub permissions though…