In general, most users only need to grant the user:email permission so we can read their GitHub profile.
We never store the token generated for users.
The users that are defined in the configuration file don't need access to the repository containing the configuration. Our backend does delegated access to it on behalf of the user.
How does our backend get delegated access? Each time the backend needs access to the saml-to.yml file, we generate a short-lived token granted by the GitHub Application, read the file, then dispose of the token.
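The delegated read described above, as an added example that is not SAML.to's own code: the backend signs a short-lived RS256 JWT with the GitHub App's private key, exchanges it for an installation token, reads the file with that token only, and revokes the token when done. The App ID, installation ID, repository owner and name are placeholders; the endpoints are GitHub's documented App, contents and token-revocation routes, and `apiBase` is parameterised so the flow can be exercised against a local test server instead of api.github.com.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"time"
)

// GitHub caps an App JWT at 10 minutes; iat is backdated 60s to tolerate clock skew.
const (
	maxJWTLifetime = 10 * time.Minute
	clockSkew      = 60 * time.Second
)

// AppClaims is the minimal claim set GitHub requires from an App JWT.
type AppClaims struct {
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Iss string `json:"iss"` // the App ID
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAppJWT signs the short-lived RS256 JWT the App uses to authenticate as itself.
func BuildAppJWT(key *rsa.PrivateKey, appID string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(AppClaims{Iat: now.Add(-clockSkew).Unix(), Exp: now.Add(maxJWTLifetime).Unix(), Iss: appID})
	input := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// call sends req, enforces the expected HTTP status and returns the response body.
func call(client *http.Client, req *http.Request, want int) ([]byte, error) {
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != want {
		return nil, fmt.Errorf("%s %s: HTTP %d", req.Method, req.URL.Path, resp.StatusCode)
	}
	return body, nil
}

// ReadConfigAsApp is the delegated read: App JWT -> installation token -> file -> revoke.
// apiBase is https://api.github.com in production or a local test server (placeholder IDs throughout).
func ReadConfigAsApp(client *http.Client, apiBase, appJWT, installationID, owner, repo, path string) ([]byte, error) {
	// 1. Mint an installation token by authenticating as the App with the JWT.
	req, _ := http.NewRequest("POST", fmt.Sprintf("%s/app/installations/%s/access_tokens", apiBase, installationID), nil)
	req.Header.Set("Authorization", "Bearer "+appJWT)
	req.Header.Set("Accept", "application/vnd.github+json")
	body, err := call(client, req, http.StatusCreated)
	if err != nil {
		return nil, fmt.Errorf("mint installation token: %w", err)
	}
	var tok struct {
		Token string `json:"token"`
	}
	if err := json.Unmarshal(body, &tok); err != nil {
		return nil, err
	}
	// 2. Read the file with the installation token; the App JWT itself never reaches repo contents.
	req, _ = http.NewRequest("GET", fmt.Sprintf("%s/repos/%s/%s/contents/%s", apiBase, owner, repo, path), nil)
	req.Header.Set("Authorization", "Bearer "+tok.Token)
	req.Header.Set("Accept", "application/vnd.github.raw+json")
	file, err := call(client, req, http.StatusOK)
	// 3. Revoke the installation token right away, whether or not the read succeeded.
	rev, _ := http.NewRequest("DELETE", apiBase+"/installation/token", nil)
	rev.Header.Set("Authorization", "Bearer "+tok.Token)
	if _, rerr := call(client, rev, http.StatusNoContent); rerr != nil && err == nil {
		err = fmt.Errorf("revoke installation token: %w", rerr)
	}
	return file, err
}

func main() {
	// Throwaway key for a stand-alone demo of the JWT shape; the real flow needs the App's key.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwt, _ := BuildAppJWT(key, "12345", time.Now())
	fmt.Println("App JWT:", jwt[:40]+"...")
}
```

Two properties matter for the claim in the text: the JWT lives at most ten minutes and is only ever used to mint the installation token, and the installation token is the sole credential that touches the repository and is revoked as soon as the file has been read, so nothing long-lived is retained by the backend.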