GitHub App repository collaborator updates
Over in rust-ghostflow!189 (merged) I posted a comment justifying a subset of permissions needed for a GitHub App. We dropped "Organization members: Read-only" from the list of needed permissions to avoid requesting organization-level permissions and because it is not needed to read the list of collaborators and access levels from a repository.
However, this also prevents us from getting event notifications when organization membership changes in a way that affects available collaborators on a repository. From experimentation, setting Organization members to Read-only permission (instead of No Access) provides these events:
-
Member: Collaborator added to, removed from, or has changed permissions for a repository.
https://developer.github.com/v3/activity/events/types/#memberevent -
Team: Team is created, deleted, edited, or added to/removed from a repository.
https://developer.github.com/v3/activity/events/types/#teamevent -
Team add: Team added or modified on a repository.
https://developer.github.com/v3/activity/events/types/#teamaddevent -
Membership: Team membership added or removed.
https://developer.github.com/v3/activity/events/types/#membershipevent -
Organization User invited to, added to, or removed from an organization.
https://developer.github.com/v3/activity/events/types/#organizationevent
These events are useful for knowing when we need to refresh the list of collaborators associated with a repository. It would be nice to use them if the organization is willing, but otherwise we need a fallback solution.
We could add a time-to-live on the collaborators list and re-query when the list is expired.