Required OAuth Scopes
In general, most users only need to grant the
permission so we can read their GitHub profile.
We never store the token generated for users.
The users who are defined in the configuration file don't need access to the repository containing the configuration. Our backend reads it through delegated access on behalf of the user.
How does our backend get delegated access? Each time SAML.to needs access to the
file, we generate a short-lived token granted by the GitHub Application, read the file, then dispose of it.
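The mint, read, dispose cycle described above can be sketched as follows. This is an added example, not SAML.to's own code: it assumes the standard GitHub App installation-token endpoints, and the function name `read_config_once`, the injected `transport` callable and all argument values are hypothetical.

```python
import json
from typing import Callable, Optional, Tuple

API = "https://api.github.com"
# transport(method, url, headers, body) -> (status_code, response_text).
# Injected so the flow can be exercised offline with a fake (assumption).
Transport = Callable[[str, str, dict, Optional[str]], Tuple[int, str]]


def read_config_once(transport: Transport, app_jwt: str, installation_id: int,
                     owner: str, repo: str, path: str) -> str:
    """Mint a narrowed installation token, read one file, then revoke it."""
    base = {"Accept": "application/vnd.github+json"}

    # 1. Exchange the App JWT for an installation token limited to a single
    #    repository and read-only contents access (least privilege).
    status, text = transport(
        "POST",
        f"{API}/app/installations/{installation_id}/access_tokens",
        {**base, "Authorization": f"Bearer {app_jwt}"},
        json.dumps({"repositories": [repo],
                    "permissions": {"contents": "read"}}),
    )
    if status != 201:
        raise RuntimeError(f"token request failed: HTTP {status}")
    token = json.loads(text)["token"]
    auth = {**base, "Authorization": f"Bearer {token}"}

    try:
        # 2. Read the file with the short-lived token.
        status, content = transport(
            "GET",
            f"{API}/repos/{owner}/{repo}/contents/{path}",
            {**auth, "Accept": "application/vnd.github.raw+json"},
            None,
        )
        if status != 200:
            raise RuntimeError(f"config read failed: HTTP {status}")
        return content
    finally:
        # 3. Dispose of the token even when the read fails. Installation
        #    tokens expire after one hour on their own; revoking closes
        #    that window immediately.
        transport("DELETE", f"{API}/installation/token", auth, None)
```

The token is never returned to the caller or written anywhere, so the only thing that leaves the function is the file content.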