To allow creating GitHub fine-grained personal access tokens, an organization-level enrollment must be performed at https://github.com/organizations/nodejs/settings/personal-access-tokens-onboarding.
The classic GitHub personal access tokens are not restricted to a particular set of repositories, while the new GitHub fine-grained token allows being restricted to a particular repository with specific permissions to reduce security scopes. Thus I'd request to enable fine-grained tokens for the organization.
The options for the enrollment include:
- Restrict access via fine-grained personal access tokens
  By default, fine-grained personal access tokens cannot access content owned by your organization via the Public API or Git. This includes both public and private resources such as repositories.
  - API and Git access will be allowed using approved organization member's fine-grained personal access tokens
  - Organization members will not be allowed to access your organization using a fine-grained personal access token
- Require approval of fine-grained personal access tokens
  Access requests by organization members can be subject to review by administrator before approval.
  - All access requests by organization members to this organization must be approved before the token is usable.
  - Tokens requested for this organization will work immediately, and organization members are not required to provide a justification when creating the token.
- Restrict access via personal access tokens (classic)
  By default, personal access tokens (classic) can access content owned by your organization via the GitHub API or Git over HTTPS. This includes both public and private resources such as repositories.
  - API and Git access will be allowed using an organization member's personal access token (classic)
  - Organization members will not be allowed to access your organization using a personal access token (classic)
I believe we have tools like @node-core/utils that already use classic personal access tokens, so they must be allowed to access the organization's resources. And given that personal access token creations and accesses do not require approval, my suggestions would be:
1) allow fine-grained tokens, 2) do not require approval, 3) allow access via classic personal access tokens.
Refs: nodejs/import-in-the-middle#123 (comment)