Every time I get to this page (https://imgur.com/a/V9gGI0y) I just feel a sense of dread. It feels like the GitHub security team is asleep at the wheel when they let UI like this exist. Even the immediately linked documentation isn't immediately actionable (https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps).
Ideally, there should be a set of scopes recommended by their security team for different workflows/applications/scenarios... but without that being available from what I can see... I've come here.
Hacker News, what are your recommended OAuth scopes for access tokens for different scenarios? What best practices are you following to keep your account secure?
How about least privilege first, then try a build cycle and re-assess any missing permissions flagged up?
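
One way to run the "build cycle, then re-assess" loop suggested above, as an added example that is not part of the thread: GitHub's REST API returns `X-OAuth-Scopes` (what the token holds) and `X-Accepted-OAuth-Scopes` (what the endpoint checks for) on each response, so the responses from one build can be audited for unused and missing scopes. The `IMPLIES` table is a partial copy of the scope hierarchy in the linked docs, the sample responses are constructed, and treating 403/404 as a scope denial is an assumption.

```python
# Added example: audit a token's scopes against what one build cycle needed.
# Parent scope -> scopes it implies (partial copy of GitHub's documented hierarchy).
IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite",
             "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "user": {"read:user", "user:email", "user:follow"},
}

def parse_scopes(header):
    """Split a comma-separated scope header into a set; empty/None -> empty set."""
    return {s.strip() for s in (header or "").split(",") if s.strip()}

def expand(scopes):
    """Return the scopes plus everything they transitively imply."""
    out, stack = set(scopes), list(scopes)
    while stack:
        for child in IMPLIES.get(stack.pop(), ()):
            if child not in out:
                out.add(child)
                stack.append(child)
    return out

def audit(responses):
    """responses: (status, headers) pairs captured during one build cycle.
    Returns (granted scopes no call needed, accepted-scope lists of denied calls)."""
    granted, used, missing = set(), set(), []
    for status, headers in responses:
        have = parse_scopes(headers.get("X-OAuth-Scopes"))
        accepted = parse_scopes(headers.get("X-Accepted-OAuth-Scopes"))
        granted |= have
        if not accepted:
            continue  # endpoint checks no scope
        # Conservative: every granted scope that could satisfy the call counts as used.
        satisfying = {g for g in have if expand({g}) & accepted}
        if satisfying:
            used |= satisfying
        elif status in (403, 404):  # assumption: denials surface as 403 or 404
            missing.append(sorted(accepted))
    return sorted(granted - used), missing

# Constructed sample: an over-scoped token used by a build that only reads statuses.
TOKEN = "repo, admin:org, gist"
SAMPLE = [
    (200, {"X-OAuth-Scopes": TOKEN, "X-Accepted-OAuth-Scopes": "repo:status, repo"}),
    (200, {"X-OAuth-Scopes": TOKEN, "X-Accepted-OAuth-Scopes": ""}),
    (404, {"X-OAuth-Scopes": TOKEN, "X-Accepted-OAuth-Scopes": "read:packages"}),
]

if __name__ == "__main__":
    unused, denied = audit(SAMPLE)
    print("candidates to drop:", unused)
    print("denied calls needed one of:", denied)
```

Here `repo` itself could be narrowed further, since the only call that used it also accepted `repo:status`.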