
I have a private repository that belongs to an organization set up with https://codecov.io/. The code coverage reports are available at https://codecov.io/gh/myorganization/our-repository. However, when I click that last link I get this: [screenshot]

Even though other people in my organization are able to view the report. Well, ok, I click "Add private scope" to continue and am met with this: [screenshot]

At the bottom there are the three organizations I'm a member of on GitHub. My problem is that I only want to give codecov access to one of these. Is it possible to "uncheck" the others, and only give codecov access to a single organization? I've tried clicking the green checkmarks. That just takes me to this page.


3 Answers


I asked GitHub about this via email, and got this reply:

It is not currently possible to lock down a Personal Access Token, or an OAuth token generated by an OAuth application, to only have access to specific repositories. When a token is generated with the repo scope, that token grants access to all the repositories, public and private, that the corresponding user has access to.

However, I did want to mention GitHub Apps as a possible option. GitHub Apps offers more detailed control over what repositories the 3rd party application has access to.

So it is not possible to limit which organizations codecov.io would get access to.


This seems to have changed recently. In early 2022, it is possible to grant access individually if you are allowed to do that, or to ask the org about it.

I suspect the first org in my screenshot has already had access granted by someone else.

Screenshot of the GitHub auth screen for codecov. It shows three organisations: one with a green tick that seems to indicate it's already granted, one that has a grant button, and one that has a request button.


Yeah, this is a limitation with how GitHub authorizes app access.

According to the docs:

When an organization has not set up OAuth App access restrictions, any OAuth App authorized by an organization member can also access the organization's private resources.

The organizations with the green check mark must not have OAuth App access restrictions in place. The only way around this is to have those organizations enable OAuth App access restrictions.
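As an added example (not code from any of the answers, nor from codecov or GitHub), here is a small Python audit of what a token with the repo scope can actually reach, which makes concrete both the first answer's point that the scope covers every repository the user can access and the last answer's point about OAuth App access restrictions. It uses GitHub's documented REST endpoints GET /user/orgs and GET /user/repos; the sample responses embedded at the bottom are constructed, not real API output.

```python
# Added example, not from the original post: audit how far a GitHub token
# with the `repo` scope reaches. Assumes the documented REST endpoints
# GET /user/orgs and GET /user/repos; the sample data below is constructed.
import json
from urllib.request import Request, urlopen

API = "https://api.github.com"

def fetch_json(path, token):
    """Fetch one page of a GitHub REST endpoint with a bearer token."""
    req = Request(API + path, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urlopen(req) as resp:
        return json.load(resp)

def summarize_reach(orgs, repos):
    """Count private/public repos the token can see, grouped by owner.

    Orgs from /user/orgs are listed even with zero visible repos. An org the
    user belongs to but that is absent here is consistent with that org
    having OAuth App access restrictions enabled and not approving the app.
    """
    reach = {o["login"]: {"private": 0, "public": 0} for o in orgs}
    for repo in repos:
        counts = reach.setdefault(repo["owner"]["login"], {"private": 0, "public": 0})
        counts["private" if repo["private"] else "public"] += 1
    return reach

def audit_token(token, fetch=fetch_json):
    """Run the audit against the live API (first page of each endpoint)."""
    orgs = fetch("/user/orgs?per_page=100", token)
    repos = fetch("/user/repos?per_page=100&affiliation=organization_member", token)
    return summarize_reach(orgs, repos)

# Constructed sample mirroring the question: three orgs, one with private
# repos, one public-only, one the token lists but sees no repos in.
SAMPLE_ORGS = [{"login": "myorganization"}, {"login": "org-two"}, {"login": "org-three"}]
SAMPLE_REPOS = [
    {"owner": {"login": "myorganization"}, "name": "our-repository", "private": True},
    {"owner": {"login": "myorganization"}, "name": "internal-tools", "private": True},
    {"owner": {"login": "org-two"}, "name": "website", "private": False},
]

if __name__ == "__main__":
    for owner, counts in summarize_reach(SAMPLE_ORGS, SAMPLE_REPOS).items():
        print(f"{owner}: {counts['private']} private, {counts['public']} public")
```

Running `audit_token` with a real token (read:org or user scope is needed for /user/orgs) shows every private repository a repo-scoped token exposes across all your organizations, which is the exposure the question is trying to avoid.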