To clarify… if you want to “set up your open source project now”, consider NOT clicking the “Set up your open source project now” button, because it takes you to travis-ci.com/signin, which requests read/write permissions for ALL repos in your GitHub account. Instead, consider going to sign up at travis-ci.org.
Polite bump for an update here. The sign-in permissions should not need write access. This is not very clear on sign-in, and some users are granting this write permission without understanding what they’re doing.
Hello, is there any ETA for when travis-ci.com will fix signup permissions? This is my first experience with Travis, but I was very confused by those 2 domains, and mostly that .org needed strict permissions but .com required access to all the code - read and write too.
This is probably a big blocker for many people and organizations wanting to use Travis. Per-project access to code is very important.
Because it looks like you recommend the .com domain for everyone (public, private repos), but it’s much less secure in terms of granularity of permissions.
It seems like travis-ci.org is being migrated over to travis-ci.com, which means that folks will have to make a decision: grant this permission or move to a different service.
Even with the GitHub app, after you select “Only select repositories”, you get redirected to travis-ci.com, where you have to “SIGN IN WITH GITHUB” and then have to give travis-ci full access to all your repositories.
Q. Why is travis-ci.com asking for write access to my repositories?
A. We’re aware that when migrating your GitHub repositories to travis-ci.com you will be prompted to give Travis CI write access to your repositories - this is due to us currently using GitHub OAuth for user authentication and the message is due to the way the OAuth scopes are shaped. The Travis CI platform actually uses the GitHub App for actual repository-level access - it does not require write access to all of your repositories and you can configure that.
We’re working hard to resolve this and use just the GitHub App for both user authentication and repository-level access, but until then we will be clarifying the situation in our documentation and user interface.
This makes no sense. GitHub has Webhook scope. This is what travis-ci.org uses. Requesting full write access to all public and private repositories is plain ludicrous. How is anyone accepting these terms?