"Repository webhooks and services" should not be required

[annevk]

I should not be required to give this tool write access to repositories (or any kind of access even) to mark something as non-substantive.

[dontcallmedom]

The reason it asks that access is because the tool then posts a comment on the issue under the name of the person who did the non-substantive assessment (to make that assessment part of the issue record).

I agree it doesn't feel ideal to ask for so much privilege - do you have a suggestion for an alternative behavior?

[annevk]

Two things come to mind:

1. If possible, scope the read/write access to organizations belonging to the W3C. Presumably that's non-controversial.
2. Give the bot access to all those organizations and make the bot comment with a link to the person who did the assessment (the link could be to their W3C profile if you don't trust GitHub usernames to be stable or some such).

[dontcallmedom]

Re 1, OAuth-based github auth has very limited granularity unfortunately.

I'll look into providing #2 - meanwhile, if you're stuck with marking a PR as non-substantive, feel free to reach out to me.

[annevk]

Trying to login today I see:

It seems this really shouldn't be required for a login.

(Issue that prompted me to look is WICG/webcomponents#865.)

[dontcallmedom]

@deniak any chance you could help with this?

I think what we would need is to distinguish an admin login flow (the one we currently have) from a regular contributor flow (which would only validate that the person has a working github account we can reference in a comment posted on the relevant pull request when marking it as non-substantive).

[deniak]

@deniak any chance you could help with this?

Sure, I'll see what I can do.

[annevk]

Thanks for fixing this @deniak!