What token permissions are needed to only create a new repository by cloning an existing one?

[piontec]

Select Topic Area

Question

Body

I want to create an automation that creates new repositories in my organization by cloning an existing template repository. What is the minimal set of permissions I have to assign to a PAT to make it work? I don't want the token to include permissions to do any other kind of repo management (no delete!!!) and I want to be able to read the content of the template repositories only.

[mickeygousset]

So I asked Copilot, and this is what was suggested. I haven't tested this yet.

You need to create a Personal Access Token (PAT) with the following minimal set of permissions:

• repo (limited to specific activities):
  • public_repo or repo (for private repos): This permission allows your automation to create new repositories within your organization. Although this permission also includes access to other repository management activities, it's the minimal required for creating repositories.
• read:org: This permission is necessary if the template repository is within an organization and you need to list or access organization repositories.

This setup ensures that the PAT can be used to clone an existing template repository and create a new repository within your organization, without granting permissions to delete repositories or manage other aspects of the organization's repositories beyond what's necessary for the task.

Remember, the repo permission inherently allows for more than just repository creation, including pushing to repositories, but it's the minimal scope required for creating repositories.