Excessive permissions required to build from GitHub

In order to enable automated Snapcraft.io builds from a GitHub repository I’m asked to grant the following permissions to build-snapcraft-io:

Repository webhooks and services Admin access

This application will have full access to repository webhooks and services (no direct code access).

Organizations and teams Read-only access

This application will be able to read your organization, team membership, and private project boards.

This doesn’t look right to me. Why is “webhooks and services” access requested for all my repositories?

Webhooks and services is a single permission. The build service cannot request just webhooks without services. The reason it is required is the build service requires GitHub to send a webhook ping when the main branch of your configured repository is updated. This cannot be set up without the permission requested above.

So it’s not possible to grant these permissions on a per-repository basis? Even worse, it looks like GitHub prohibits a single person from opening a second account to work around this limitation.

I believe GitHub restricts the permissions to per-organisation (your personal namespace counts as an organisation in this sense), so you can only restrict the permission grant to a group of repositories under a https://github.com/organisation-name/* equivalent namespace.

I just created a separate organization account, but the auth dialog still says that build-snapcraft-io wants to access my personal GitHub account (there is an option to also give access to an organization).

Actually, GitHub provides an intuitive interface for adding webhooks to a selected repository.

However, I don’t know what specific payload should be sent to Snapcraft. I also can’t access the repository selection page on snapcraft.io web portal without first giving the excessive GitHub permissions.
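To make concrete what the reply above says the build service actually needs from GitHub (a push notification for the configured repository's main branch) and what a manually added per-repository webhook would have to talk to, here is an added example of the receiving side. It is not Snapcraft's code and does not reproduce Snapcraft's real payload or endpoint; it is a hypothetical self-hosted receiver that validates GitHub's standard X-Hub-Signature-256 header with a shared secret (the secret, the trimmed sample payloads and the `handle_delivery` helper are all constructed for this illustration) and starts a build only for pushes to the repository's default branch.

```python
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical shared secret, the same string you would type into the
# "Secret" field of GitHub's per-repository webhook form (constructed here).
WEBHOOK_SECRET = b"example-shared-secret"


def github_signature(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub places in X-Hub-Signature-256 for a body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison of the signature header against the raw body."""
    if not header_value:
        return False
    return hmac.compare_digest(github_signature(secret, body), header_value)


def should_build(event: str, body: bytes) -> bool:
    """True only for a push whose ref is the repository's default branch."""
    if event != "push":
        return False  # "ping" (sent on hook creation) and other events never build
    payload = json.loads(body)
    default_branch = payload.get("repository", {}).get("default_branch")
    return payload.get("ref") == f"refs/heads/{default_branch}"


def handle_delivery(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Classify one delivery as 'build', 'ignore' or 'reject' (bad signature)."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return "reject"
    event = headers.get("X-GitHub-Event", "")
    return "build" if should_build(event, body) else "ignore"


# Constructed, trimmed push payloads (only the fields this example reads).
PUSH_MAIN = json.dumps(
    {"ref": "refs/heads/main", "repository": {"default_branch": "main"}}
).encode()
PUSH_FEATURE = json.dumps(
    {"ref": "refs/heads/feature", "repository": {"default_branch": "main"}}
).encode()


def demo() -> dict:
    """Run four constructed deliveries through the receiver and collect results."""
    results = {}
    for name, event, body, secret in [
        ("push-main", "push", PUSH_MAIN, WEBHOOK_SECRET),     # builds
        ("push-feature", "push", PUSH_FEATURE, WEBHOOK_SECRET),  # ignored
        ("ping", "ping", b"{}", WEBHOOK_SECRET),                 # ignored
        ("forged", "push", PUSH_MAIN, b"wrong-secret"),          # rejected
    ]:
        headers = {
            "X-GitHub-Event": event,
            "X-Hub-Signature-256": github_signature(secret, body),
        }
        results[name] = handle_delivery(headers, body)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the secret check is that a per-repository hook created by hand through the repository's Settings page needs no organisation-wide or account-wide OAuth grant at all: the only credential involved is the hook secret, and it authenticates GitHub to the receiver rather than the receiver to GitHub.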

I did some further research; it turns out Snapcraft requests access to the personal GitHub account, while access to the resources owned by organizations associated with the personal account is restricted by default. Still, it would be safer to just let developers set up the webhook manually on a per-repo basis.