

Ask HN: Why does Coveralls need to write to my repo? - jessaustin

I'm familiar with how Travis (and presumably other CIs) write to a repo's "status" to indicate broken builds. This morning, coveralls.io asked for perms to do the same thing, which seemed cool. After I approved that, it _then_ asked for "read and write all public and private repo data". Github says that perm includes writing the following:

  Code
  Issues
  Pull requests
  Wikis
  Settings
  Webhooks and services
  Deploy keys

And also Coveralls has set up a redirect loop so that if I don't submit to this indignity, I can't use that site at all. Anyone have any ideas about this?
======
joshschreuder
I'm pretty sure it's because of Github's limited scope levels.

Slack has a similar thing, but they call it out in support docs - see here:
[https://slack.zendesk.com/hc/en-us/articles/201824286-Setting-up-the-GitHub-integration](https://slack.zendesk.com/hc/en-us/articles/201824286-Setting-up-the-GitHub-integration)

Actually, I just had a dig through their FAQ and Coveralls answers this:
[https://coveralls.zendesk.com/hc/en-us/articles/201344219-Why-do-you-require-write-access-for-private-repos-](https://coveralls.zendesk.com/hc/en-us/articles/201344219-Why-do-you-require-write-access-for-private-repos-)

So basically it's a limitation on Github's side, by not providing a read-only
scope for repos.

~~~
jessaustin
I don't have any private repos on Github. And besides it's asking for write on
both public _and_ private. Thanks for the Slack link though, the "no auth"
page linked from there indicates that they just need some webhooks installed,
and users can do that themselves.

Besides, I was perfectly happy with Coveralls' service yesterday. They could
make at least a token effort toward explaining what more they can do with God
access.

~~~
joshschreuder
It's because the Github 'repo' scope is for access to public and private
repos, in both read and write modes.

The Github scopes are not finely grained enough for applications using them to
ask for only the minimal permissions they need.

I do agree that Coveralls should explain this better, either before they ask
for the permissions, or at least in their FAQs.
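
An added example (not part of this thread or of Coveralls' code) that makes the scope-granularity point concrete: it audits the scopes GitHub reports in the `X-OAuth-Scopes` response header against the minimum a status-and-webhook integration needs, using a subset of GitHub's documented scope hierarchy; the needed-scope set and the sample header values are assumptions constructed for the example.

```python
"""Audit a GitHub OAuth token's granted scopes against a least-privilege need.

Assumptions: scope names follow GitHub's documented OAuth scope list, and the
granted scopes are the comma-separated value of the X-OAuth-Scopes header that
api.github.com returns on token-authenticated requests. Sample values are
constructed; nothing here talks to the network.
"""

# Parent scope -> scopes it implies (subset of GitHub's documented hierarchy).
SCOPE_IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite"},
    "admin:repo_hook": {"write:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "admin:org": {"write:org"},
    "write:org": {"read:org"},
    "user": {"read:user", "user:email", "user:follow"},
}

# Assumed minimum for a coverage/status integration: post commit statuses
# and manage its own webhooks. Neither scope grants access to code.
NEEDED_FOR_STATUS_AND_HOOKS = {"repo:status", "write:repo_hook"}


def expand(scopes):
    """Close a set of scopes under the implication hierarchy above."""
    result, todo = set(), set(scopes)
    while todo:
        s = todo.pop()
        if s in result:
            continue
        result.add(s)
        todo |= SCOPE_IMPLIES.get(s, set())
    return result


def parse_scopes_header(header_value):
    """Turn 'repo, user:email' (an X-OAuth-Scopes value) into a set of names."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def audit_token(header_value, needed=NEEDED_FOR_STATUS_AND_HOOKS):
    """Return (missing, excess): needed scopes the token does not cover, and
    granted scopes whose closure exceeds the need (the least-privilege gap)."""
    granted = parse_scopes_header(header_value)
    missing = set(needed) - expand(granted)
    excess = {s for s in granted if not expand({s}) <= expand(needed)}
    return missing, excess


if __name__ == "__main__":
    # Constructed sample: the broad grant the OP was asked for vs. a minimal one.
    print(audit_token("repo, write:repo_hook"))         # (set(), {'repo'})
    print(audit_token("repo:status, write:repo_hook"))  # (set(), set())
```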

------
gnrlbzik
Good question, thanks for posting. Maybe stackoverflow.com is a better place to
ask this though?

~~~
jessaustin
Maybe? At this point I don't care enough to wade into that. A _worse_ place,
however, would be the Coveralls "Community" section. Of the five actual
questions posted there, zero have been answered over a period of four months.
(I had to use incognito mode to see this, due to the redirect loop noted
above.)

Whatever, it's free. I'll stop bitching.

~~~
gnrlbzik
I am planning to use them; besides this issue, do you like the service?

~~~
jessaustin
Presumably, if one were comfortable with the perms they're now requiring, one
would be happy with the service. I haven't given them the perms, so since they
changed the service to require them I can't update my config in any way, or
add new repos. I guess eventually I'll either figure out a new coverage
service to use or I'll just handle my own coverage icons. It seems that an npm
script could generate an svg icon based on the output of the coverage tool,
and the readme could just point at that.

