Feature request: read-only access tokens #5317
Currently repo access tokens can only be generated with read-write permissions. It'd be useful to have read-only tokens. For example, I mostly develop in R, and to update my packages based on the code stored in a private repo I need to have an access token stored in my machine. That's great, but given the use-case (strictly for updating packages from a repo), I only need this token for reading repos, never for writing. It'd therefore be optimal if I didn't have to give the token write permissions it should never use. I've seen suggestions on SO of creating a fake contributor with read-only permissions and then generating the token with read-write (effectively read-only) permissions for that contributor, but that seems more like a workaround than a solution.
Replies: 4 comments
16 major permission categories and 23 "fine-grained" ones, yet no "read only"? That seems like such a basic security permission, I cannot believe it is not in there somewhere. Is there any way to make this work?
This is a common long-running request:
This has finally been addressed:
https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/
However, fine-grained access tokens currently have an expiry of max 1 year, limiting their usefulness for things like CI/CD.
Many people are requesting no expiry tokens in the feedback thread here:
#36441