CircleCI now has scope to see my private repositories after simply logging in via GitHub OAuth

I had previously only authorized CircleCI to access public repositories. This was on March 3rd. On March 25th, the admin of an open source org accepted a request I made to also authorize that organization on CircleCI. I had been logged in from my laptop and successfully running workflows in CircleCI by committing to the public repo in that organization on GitHub.

Today, April 5th, I signed in from my mobile phone web browser with GitHub because I wanted to check on a job I had run and wasn’t in front of my laptop. Since I wasn’t logged in, the system had asked for authorization. I mistakenly assumed this was just part of the normal GitHub OAuth flow, so I clicked “authorize”.

I then got an email from GitHub that says the permissions were changed from “public_repo, read:org, and user:email” and that the app, CircleCI, was granted the additional scope “repo”. I confirmed that I now see private repos in the app when before I had confirmed they were not visible.

I had been building on an open source public project, in a completely different organization, for quite some time now, at least a week or two. How can I eliminate the “repo” scope and go back to just public repos?

I know I can click “Revoke” on GitHub’s https://github.com/settings/connections/applications/${CIRCLE_CI_APP_ID} page, but does that mean I need to re-request scopes from the admin of the organization again?

My feedback on this is that the app shouldn’t request more permissions on my personal account just because I’m logging in to CircleCI to see jobs in a completely different organization.

Thank you for any assistance on putting this back to public repos only,
James
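Added example, not part of the original post: the escalation described above is easy to miss because the second consent screen looks identical to the first. The helper below parses the `scope` parameter out of a GitHub OAuth authorize URL and reports which access a new request would add beyond what was already granted, walking GitHub's scope hierarchy so that, for instance, a request for `repo` is flagged as broader than a previous grant of `public_repo`. The authorize URL and the `EXAMPLE_CLIENT_ID` value are constructed placeholders; the previously granted scopes are the ones quoted in the post.

```python
from urllib.parse import urlparse, parse_qs

# GitHub's OAuth scope hierarchy: a parent scope implies every child scope.
# Only the scope families relevant to this post are listed (taken from GitHub's
# published scope documentation; treat any omission as an assumption).
SCOPE_PARENTS = {
    "repo": {"public_repo", "repo:status", "repo_deployment", "repo:invite"},
    "user": {"read:user", "user:email", "user:follow"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
}


def expand(scopes):
    """Return the full set of access a scope list implies, following the hierarchy."""
    result = set()
    stack = list(scopes)
    while stack:
        scope = stack.pop()
        if scope in result:
            continue
        result.add(scope)
        stack.extend(SCOPE_PARENTS.get(scope, ()))
    return result


def requested_scopes(authorize_url):
    """Extract the scopes an authorize URL asks for.

    GitHub separates scopes with spaces (URL-encoded as %20); commas are
    accepted too since older examples used them.
    """
    query = parse_qs(urlparse(authorize_url).query)
    raw = query.get("scope", [""])[0]
    return {s for s in raw.replace(",", " ").split() if s}


def scope_escalation(granted, requested):
    """Access the new request would add that the existing grant does not cover."""
    return expand(requested) - expand(granted)


if __name__ == "__main__":
    # Scopes the post says were granted on the first authorization.
    previously_granted = {"public_repo", "read:org", "user:email"}
    # Constructed authorize URL standing in for the second consent prompt.
    url = ("https://github.com/login/oauth/authorize"
           "?client_id=EXAMPLE_CLIENT_ID&scope=repo%20read:org%20user:email")
    added = scope_escalation(previously_granted, requested_scopes(url))
    if added:
        print("this consent screen would add:", ", ".join(sorted(added)))
    else:
        print("no new access requested")
```

Because the app's redirect to GitHub carries the requested scopes in the URL, the check can be applied to that URL before clicking "authorize"; after the fact, the connection settings page mentioned in the post is the only place a user can confirm what the app actually holds.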