I'm reading the documentation on Scopes for OAuth Apps and it's not clear to me if it's possible to grant read access to private repos, without providing write access.
The `repo` scope grants full access to read and write everything. This works but it's more permissive than what we would like.
The scope `public_repo` is only for public repos as its name suggests, and I'm not sure if `read:repo_hook` is what I need or not.
What's the best suited scope for my use case of reading pull requests by passing a commit hash as a parameter to Octokit?
For OAuth apps, the most granular scope is `repo` or `public_repo`, depending on whether you need access to all repositories or only public ones. If you want more granular permissions, you need to use GitHub Apps, which also have OAuth features (GitHub calls these user-to-server tokens): https://docs.github.com/en/developers/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps.
GitHub Apps need to be installed by users on repositories in order to grant access, and they have a `pull_request` read or write permission, depending on what you need.
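As an added example (not code from the question or the answer above): a small audit that compares the scopes GitHub reports for a token in its `X-OAuth-Scopes` response header with the scopes an integration actually needs, so an over-broad grant such as `repo` where `public_repo` would do can be flagged. The scope hierarchy table is an assumption drawn from GitHub's scope documentation, and the sample header values are constructed.

```javascript
// Added example: audit an OAuth token's granted scopes against the minimum
// an integration needs. GitHub reports a token's scopes in the
// X-OAuth-Scopes response header of API responses.

// Scopes implied by a broader scope (assumption: taken from GitHub's documented
// scope hierarchy; adjust if the hierarchy changes).
const IMPLIES = {
  repo: ["public_repo", "repo:status", "repo_deployment", "repo:invite", "security_events"],
  "admin:repo_hook": ["write:repo_hook", "read:repo_hook"],
  "write:repo_hook": ["read:repo_hook"],
};

// Header value is a comma-separated list, e.g. "repo, read:user".
function parseScopeHeader(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Expand a scope list to everything it transitively implies.
function expandScopes(scopes) {
  const out = new Set();
  const stack = [...scopes];
  while (stack.length) {
    const s = stack.pop();
    if (out.has(s)) continue;
    out.add(s);
    for (const child of IMPLIES[s] || []) stack.push(child);
  }
  return out;
}

// sufficient: every required scope is granted directly or by implication.
// missing:    required scopes the token does not cover.
// excess:     granted scopes that are neither required nor implied by a
//             required scope, i.e. broader than the integration needs.
function auditToken(xOAuthScopesHeader, requiredScopes) {
  const granted = parseScopeHeader(xOAuthScopesHeader);
  const effective = expandScopes(granted);
  const needed = expandScopes(requiredScopes);
  const missing = requiredScopes.filter((s) => !effective.has(s));
  const excess = granted.filter((s) => !needed.has(s));
  return { sufficient: missing.length === 0, missing, excess };
}

// Constructed sample: a token minted with the broad `repo` scope for an
// integration that only needs to read public repositories.
console.log(auditToken("repo, read:user", ["public_repo"]));
```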