Is there a plan to *stop* Travis requesting read / write access on travis-ci.com login?

At the moment travis-ci.com has OAuth scopes that require read / write access to all repos, which is a risky thing to give to a third party.

travis-ci.org worked without this scope.

Is there a plan and timeline to remove this scope from travis-ci.com?


Yes. We will be moving to integration via GitHub Apps, which provides more granular permissions. See https://blog.travis-ci.com/2018-09-27-deprecating-github-commit-status-api-for-github-apps-managed-repositories

FYI, the “Set up your open source project now” button on https://travis-ci.com/plans leads people into this “risky” situation.

It seems like that link should direct to travis-ci.org until the open source permissions are fixed on travis-ci.com.

To clarify… if you want to “set up your open source project now”, consider NOT clicking the “Set up your open source project now” button, because it takes you to travis-ci.com/signin, which requests read/write permissions for ALL repos in your GitHub account. Instead, consider going to sign up at travis-ci.org.


Any updates on this? Travis-ci.com still requires GitHub “Third Party Access” with access to all my private repos to operate.


Polite bump for an update here. The sign-in permissions should not need write access. This is not very clear on sign-in, and some users are granting this write permission without understanding what they’re doing.


Hello, is there any ETA for when travis-ci.com will fix signup permissions? This is my first experience with Travis, but I was very confused by those 2 domains, and mostly that .org needed strict permissions but .com required access to all the code - read and write too.

This is probably a big blocker for many people and organizations wanting to use Travis. Per-project access to code is very important.

Because it looks like you recommend that people use the .com domain for everything (public, private repos), but it’s much less secure in terms of granularity of permissions.

image

This is how it looks right now.

FWIW it hasn’t changed during the past year at all.

October 2018:

I’d advise not granting Travis.com authorization in its current state.
