Is there a plan to *stop* Travis requesting read / write access on travis-ci.com login?

At the moment travis-ci.com has OAuth scopes that require read / write access to all repos, which is a risky thing to give to a third party.

travis-ci.org worked without this scope.

Is there a plan and timeline to remove this scope from travis-ci.com?

Yes. We will be moving to integration via GitHub Apps, which provides more granular permissions. See https://blog.travis-ci.com/2018-09-27-deprecating-github-commit-status-api-for-github-apps-managed-repositories

FYI, the “Set up your open source project now” button on https://travis-ci.com/plans leads people into this “risky” situation.

It seems like that link should direct to travis-ci.org until the open source permissions are fixed on travis-ci.com.

To clarify…if you want to “set up your open source project now”, consider NOT clicking the “Set up your open source project now” button, because it takes you to travis-ci.com/signin which requests read/write permissions for ALL repos in your github account. Instead, consider going to sign up at travis-ci.org.

Any updates on this? Travis-ci.com still requires GitHub “Third Party Access” with access to all my private repos to operate.

Polite bump for an update here. The sign-in permissions should not need write access. This is not very clear on sign-in, and some users are granting this write permission without understanding what they’re doing.

Hello, is there any ETA for when travis-ci.com will fix the signup permissions? This is my first experience with Travis, but I was very confused by those 2 domains, and mostly by the fact that .org needed strict permissions while .com required access to all the code, read and write too.

This is probably a big blocker for many people and organizations wanting to use Travis. Per-project access to code is very important.

Because it looks like you recommend the .com domain for everyone (public and private repos), but it is much less secure in terms of granularity of permissions.

[image]

This is how it looks right now.

FWIW it hasn’t changed during the past year at all.

October 2018:

I’d advise not granting Travis.com authorization in its current state.

I would be fine if there was an official explanation what exact functions need all those access rights.

I guess they are probably justified – e.g. to be able to make changes right from a build – but no idea how much.

It seems like travis-ci.org is being migrated over to travis-ci.com which means that folks will have to make a decision, grant this permission or move to a different service.

Travis CI GitHub app no longer requires write access to code:

This thread is regarding the oauth app when you sign in to travis-ci.com, not the GitHub app.

Oh, I see. I revoked the OAuth app and didn’t lose access to travis-ci.com so I thought it was no longer needed.
But some things didn’t work for me (e.g. "Travis CI - Branch Expected — Waiting for status to be reported" despite travis-ci.com enabled for my fork and "No status checks found" trying to add a branch protection rule despite Travis integration set up) – this may be the reason. So I guess it’s still necessary.

Even with the GitHub app, after you select “Only select repositories”, you get redirected to travis-ci.com where you have to “SIGN IN WITH GITHUB” and then have to give travis-ci full access to all your repositories.

Will the permission issues mentioned here be solved before the .org to .com migration deadline?

The FAQ says they’re working on it:

Q. Why is travis-ci.com asking for write access to my repositories?

A. We’re aware that when migrating your GitHub repositories to travis-ci.com you will be prompted to give Travis CI write access to your repositories - this is due to us currently using GitHub OAuth for user authentication and the message is due to the way the OAuth scopes are shaped. The Travis CI platform actually uses the GitHub App for actual repository-level access - it does not require write access to all of your repositories and you can configure that.

We’re working hard to resolve this and use just the GitHub App for both user authentication and repository-level access, but until then we will be clarifying the situation in our documentation and user interface.

This makes no sense. GitHub has a webhook scope. This is what travis-ci.org uses. Requesting full write access to all public and private repositories is plain ludicrous; how is anyone accepting these terms?
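The thread keeps coming back to the difference between the coarse `repo` OAuth scope and the narrower scopes (`repo:status`, `write:repo_hook`) that a CI service actually needs. The following is an added example, not code from Travis CI or from anyone in the thread: it audits the scopes a classic GitHub OAuth token has been granted. GitHub reports these in the `X-OAuth-Scopes` response header of any authenticated API call, and the scope hierarchy encoded in `IMPLIED_SCOPES` follows GitHub's documentation for classic OAuth scopes (`repo` implies `repo:status`, `public_repo`, `repo_deployment`, `repo:invite`, `security_events`; `admin:repo_hook` implies `write:repo_hook` and `read:repo_hook`). The sample header value at the bottom is constructed so the audit runs offline; `fetch_scopes_header` is the only part that talks to GitHub and is not exercised here.

```python
"""Audit which repository capabilities a GitHub OAuth token's scopes grant.

Added example (not Travis CI's code). Scope hierarchy per GitHub's classic
OAuth scope documentation; verify against the current docs before relying on it.
"""
from __future__ import annotations

import urllib.request

# Parent scope -> scopes it implicitly includes (assumption: GitHub's documented
# hierarchy for classic OAuth scopes, reduced to the repository-related ones).
IMPLIED_SCOPES: dict[str, set[str]] = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
}


def parse_scopes(header_value: str) -> set[str]:
    """Split a comma-separated X-OAuth-Scopes header value into scope names."""
    return {part.strip() for part in header_value.split(",") if part.strip()}


def expand_scopes(scopes: set[str]) -> set[str]:
    """Return the granted scopes plus everything they transitively imply."""
    effective = set(scopes)
    pending = list(scopes)
    while pending:
        scope = pending.pop()
        for implied in IMPLIED_SCOPES.get(scope, ()):
            if implied not in effective:
                effective.add(implied)
                pending.append(implied)
    return effective


def audit_scopes(scopes: set[str]) -> dict:
    """Map scopes to the capabilities a practitioner cares about.

    `repo` is the scope the thread complains about: it is read/write on every
    public and private repository the user can reach. A CI service that only
    needs to post commit statuses and manage its webhook can do so with
    `repo:status` and `write:repo_hook`, neither of which grants code access.
    """
    effective = expand_scopes(scopes)
    return {
        "writes_all_repos_including_private": "repo" in effective,
        "writes_public_repos": "repo" in effective or "public_repo" in effective,
        "manages_webhooks": "write:repo_hook" in effective,
        "sets_commit_status": "repo:status" in effective,
        "effective_scopes": sorted(effective),
    }


def fetch_scopes_header(token: str, api_base: str = "https://api.github.com") -> str:
    """Ask GitHub which scopes `token` carries (network call; not run offline).

    Any authenticated endpoint works; /user is cheap. The scopes come back in
    the X-OAuth-Scopes response header, not in the body.
    """
    req = urllib.request.Request(f"{api_base}/user")
    req.add_header("Authorization", f"token {token}")
    req.add_header("User-Agent", "scope-audit-example")
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


# Constructed sample header values: what an OAuth app asking for full repo
# access yields, versus what a webhook-plus-status integration yields.
SAMPLE_FULL_ACCESS_HEADER = "repo, user:email"
SAMPLE_NARROW_HEADER = "repo:status, write:repo_hook"


def main() -> None:
    for label, header in (("full", SAMPLE_FULL_ACCESS_HEADER), ("narrow", SAMPLE_NARROW_HEADER)):
        report = audit_scopes(parse_scopes(header))
        print(f"{label}: {report}")


if __name__ == "__main__":
    main()
```

To audit a real token, call `audit_scopes(parse_scopes(fetch_scopes_header(token)))`; anything reporting `writes_all_repos_including_private` as true is the situation the thread describes, and revoking that grant only loses capabilities a service could have obtained with the narrower scopes.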