SonarCloud API access token rights with GitLab

Hey @Oleksiy_Pikalo

While read_user and read_api could get us pretty far for being able to handle authentication, create repositories, read information about pull requests… there’s no API scope that lets us decorate pull requests with information (leave a comment) except for api.

While project access tokens (or group access tokens) could be a solution for limiting access,

  • They aren’t available in the free tier
  • They would require per-project configuration

(While we have no plans today, nor have they been tested, I am curious if those limitations would be blocking for you).

I imagine we recommend the use of technical users because they are easy to quickly disable in the event of an incident, and can be more tightly controlled. People typically also don’t want their own user to be tied to PR comments, and the integration shouldn’t fail if somebody leaves the company.

I hope this helps a little in understanding why we require the permission scope we do.

3 Likes