The 'allowsDeletions' field requires one of the following scopes: ['public_repo'] #3427

Closed
fredgan opened this issue Aug 26, 2023 · 5 comments

fredgan commented Aug 26, 2023

I built scorecard with the latest commit: b0a96fe

I ran the command:

```
./scorecard --checks CII-Best-Practices,Branch-Protection,License,Vulnerabilities,Dangerous-Workflow,Token-Permissions,Code-Review,Packaging,Security-Policy,Signed-Releases,Dependency-Update-Tool,Pinned-Dependencies,Fuzzing,Binary-Artifacts,SAST,Maintained,CI-Tests,Contributors --format json --repo https://github.com/open-telemetry/opentelemetry-cpp
```

The result is given normally except the following error:

```
Error: check runtime error: Branch-Protection: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Your token has not been granted the required scopes to execute this query. The 'allowsDeletions' field requires one of the following scopes: ['public_repo'], but your token has only been granted the: [''] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.
2023/08/26 15:51:04 error during command execution: check runtime error: Branch-Protection: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Your token has not been granted the required scopes to execute this query. The 'allowsDeletions' field requires one of the following scopes: ['public_repo'], but your token has only been granted the: [''] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.
```

Why is the allowsDeletions permission needed to check the ProtectedBranches in the GithubToken?

fredgan added the kind/bug (Something isn't working) label Aug 26, 2023
@raghavkaul
Contributor

allowDeletion looks like the GitHub GraphQL field for checking whether a repository allows branches to be deleted - to get this from GraphQL, your GitHub PAT needs the public_repo scope (readme).

@spencerschrock
Member

> allowDeletion looks like the GitHub GraphQL field for checking whether a repository allows branches to be deleted - to get this from GraphQL, your GitHub PAT needs the public_repo scope (readme).

We should get a consistent recommendation across our repos.

For other alternatives, you can read about:

Note: We're hoping to get rid of the need for all this by supporting repository rules: (#3326 which is being implemented in #3354)

@fredgan
Contributor Author

fredgan commented Sep 4, 2023

I tried many compositions of permissions. I found that the repo and delete:packages should be checked.


@raghavkaul
Contributor

What error do you get when the delete:packages permission is unchecked? Scorecard should never attempt to delete packages from GitHub Package Registry.

@fredgan
Contributor Author

fredgan commented Sep 18, 2023

@raghavkaul I know Scorecard won't delete packages. I think it should be the issue of GitHub PAT.

Now I try to reproduce this problem, and it seems not the same as what occurred at that time. Maybe it has been fixed by GitHub.

Now, just checking repo-public_repo will be OK.

fredgan closed this as completed Sep 18, 2023