Scary permissions being asked for GitHub sync

[ChanSek]

While syncing with GitHub, it simply asks for all my private and public repositories.

Here is a screenshot of how it looks:

Though it might not be misused by the app, it would always be a great idea to have a custom message displayed at the app side before even going forward with syncing.

In this way, user knows what Press is going to do with all the repositories and why it is asking.

[ChanSek]

Well, there could be a different approach taken to solve this problem.

Assuming your target user base are tech friendly, how about just having a simple EditText in the app asking for the repository URL and only sync that?

[saket]

Agree that that is quite scary. I'll add a rationale dialog to try explaining the permission before opening the auth page.

Assuming your target user base are tech friendly, how about just having a simple EditText in the app asking for the repository URL and only sync that?

The URL isn't sufficient, a private SSH key is required as well for granting Press access to your repository. Expecting users to generate an SSH key-pair on their computer and paste their private key in the app is a huge entry barrier. I could consider offering it as an option for paranoid users in the future, but I don't know if it's worth putting in effort right now.

[saket]

I should also add that this is the smallest set of permissions a GitHub app can request for adding a deploy key to a single git repository. I wish there was a narrower permission.

FWIW Press deletes your auth token right after you choose a repository: GitHostIntegrationPresenterTest.kt#L203:L216.