Hi Folks
While authorizing a new OAuth app for my GitHub account I noticed that
the 'php' organization is one of the few that does not have the OAuth
"allowed application list" feature enabled, which requires explicit
approval by an organization owner before an OAuth app is allowed to
access private resources within the organization (that includes write
access to the repositories). While I trust the OAuth applications I
approve for my repositories, I don't necessarily trust them with the PHP
organization's resources.
This allow-list was later added by GitHub and I assume the PHP
organization predates its introduction. It is enabled by default for any
newly created GitHub Organization.
An organization owner can enable the allow-list here:
https://github.com/organizations/php/settings/oauth_application_policy
and I would recommend doing so.
Documentation is
https://docs.github.com/en/organizations/restricting-access-to-your-organizations-data/about-oauth-app-access-restrictions
After this allow-list is enabled, an owner can grant the existing
intentionally added apps (e.g. Travis, Cirrus or AppVeyor) access via
their own list of authorized applications at:
https://github.com/settings/applications
a) Click the headline of the application in question.
b) For the 'php' organization click 'Grant'.
Non-owner requests can then later be managed at:
https://github.com/organizations/php/settings/oauth_application_policy
Best regards
Tim Düsterhus