An organization I work with wants to enable the GitHub plugin on their Mattermost, tied to their GitHub organization.
I am looking at the scopes required as part of authorizing the app, and don’t understand why the app needs the ability to do things such as write deploy keys or even have ‘write’ access to code or ‘settings’.
We don’t want, for example, the plugin to have the ability to change a setting, such as modifying branch protection rules or other security settings.
Is there no way to have the plugin merely:
- Be able to ‘subscribe’ to repositories or unsubscribe from them, like Slack’s GitHub integration
- React to things it ‘sees’ in a passive sense, and report them as messages into Mattermost (without having to add individual webhooks in GitHub that hit Mattermost endpoints, I guess)? I don’t imagine I’m the first to require that basic functionality, e.g. no write access.
Thanks in advance!