HACKER Q&A
📣 ipselon

How can the Vercel GitHub App create a repository without my permission?


Hello!

I'm a bit surprised! How is it possible for the Vercel GitHub App to create a new repository on my GitHub account, even though I only gave it permission to access one of my existing repositories?

Also, I found out that the GitHub App doesn't have access to an API that can create new repositories on a personal account.

Even though the Vercel GitHub App acts on my behalf, it didn't ask for permission to access the 'repo' scope when requesting a personal access token.

  👤 andrewfromx Accepted Answer ✓
"To create a new repository using the GitHub API, your personal access token needs to have the repo scope or permission. This permission grants full control of private and public repositories, including the ability to create new repositories." You probably give the "repo" scope but it was phrased as just giving access to one repo.