Reputation: 180
I'm looking to test automated container builds on Docker Hub, and I see that I need to link my GitHub account to my hub.docker.com account.
However, when I click on the 'connect' button, I'm taken to a github authorization page that says:
Docker Hub Builder by docker wants to access your larryms account
Repositories
Public and private
This application will be able to read and write all public and private repository data.
This includes the following:
- Code
- Issues
- Pull requests
- Wikis
- Settings
- Webhooks and services
- Deploy keys
- Collaboration invites
This seems far too permissive and overly broad; if I'm understanding it correctly, I need to grant Docker Hub Builder read and write access to all my GitHub repositories, both public and private.
Is there any way to do this using the principle of least privilege, e.g. only granting Docker Hub Builder the necessary rights (hopefully read-only) to specific GitHub repos?
Upvotes: 4
Views: 326
Reputation: 917
OAuth scopes on GitHub are indeed wide (see https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes, where you cannot grant read access without granting write access as well). However, the scopes are applied together with the actual permissions the user has on the repo in question. That is, if the user has only read access to repo X, and the user granted an OAuth token with read and write scope to Docker Hub, Docker Hub would only be able to read from repo X on behalf of this user. If the user gets admin access to repo X later on, the already granted access token will not allow admin access, as the scope of the token allows read and write access only.
With this in mind, you can create a dedicated user for Docker Hub in your GitHub org, and grant this user read access to the relevant repos. Then connect Docker Hub to your GitHub account with this user, granting just read access to the selected repos.
Upvotes: 1
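An added check for the dedicated-user approach in this answer (example code written for this page, not from the original poster, Docker or GitHub): before connecting Docker Hub with the machine user, list what its token can actually reach, modelling the effective access as the intersection of the token's OAuth scopes and the user's own repository permissions. The data shape follows GitHub's `GET /user/repos` response (`full_name`, `private`, `permissions.pull/push/admin`) and its `X-OAuth-Scopes` response header; the repository names and the sample response are constructed for the demo, the `repo` scope is assumed to reach everything the user can see (including the Settings, Webhooks and Deploy keys operations listed in the authorization dialog above) and `public_repo` only public repos. The `fetch_live` helper performs the real API call and is not used by the offline demo.

```python
import json
import urllib.request

# Constructed sample standing in for a real GET https://api.github.com/user/repos
# response made with the dedicated machine user's token (not real repositories).
SAMPLE_SCOPES_HEADER = "repo, read:org"
SAMPLE_REPOS_JSON = json.dumps([
    {"full_name": "example-org/app", "private": True,
     "permissions": {"admin": False, "push": False, "pull": True}},
    {"full_name": "example-org/infra", "private": True,
     "permissions": {"admin": False, "push": True, "pull": True}},
    {"full_name": "example-org/public-lib", "private": False,
     "permissions": {"admin": False, "push": False, "pull": True}},
    {"full_name": "example-org/forgotten", "private": True,
     "permissions": {"admin": True, "push": True, "pull": True}},
])


def parse_scopes(header):
    """Turn the comma-separated X-OAuth-Scopes header into a set of scope names."""
    return {s.strip() for s in header.split(",") if s.strip()}


def scope_reaches(scopes, private):
    """Assumed scope model: `repo` reaches every repo the user can see,
    `public_repo` only public ones, anything else reaches no repo content."""
    if "repo" in scopes:
        return True
    return "public_repo" in scopes and not private


def effective_access(scopes, repo):
    """Effective access = scope AND the user's own permission on the repo."""
    if not scope_reaches(scopes, repo["private"]):
        return {"read": False, "write": False, "admin": False}
    perms = repo.get("permissions", {})
    return {"read": perms.get("pull", False),
            "write": perms.get("push", False),
            "admin": perms.get("admin", False)}


def audit(scopes_header, repos_json, intended_repos):
    """Return (repo, problem) pairs for anything beyond read-only access to the
    repos the build is meant to use. An empty list means least privilege holds."""
    scopes = parse_scopes(scopes_header)
    findings = []
    for repo in json.loads(repos_json):
        access = effective_access(scopes, repo)
        name = repo["full_name"]
        if not access["read"]:
            continue  # token cannot touch this repo at all
        if name not in intended_repos:
            findings.append((name, "reachable but not on the intended list"))
        if access["write"]:
            findings.append((name, "write access (a build only needs read)"))
        if access["admin"]:
            findings.append((name, "admin access"))
    return findings


def fetch_live(token):
    """Real API call for a token; returns (scopes header, repos JSON).
    Only the first page (100 repos) is fetched; follow the Link header for more."""
    req = urllib.request.Request(
        "https://api.github.com/user/repos?per_page=100",
        headers={"Authorization": "token " + token,
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("X-OAuth-Scopes", ""), resp.read().decode()


if __name__ == "__main__":
    intended = {"example-org/app", "example-org/public-lib"}
    for repo, problem in audit(SAMPLE_SCOPES_HEADER, SAMPLE_REPOS_JSON, intended):
        print(f"{repo}: {problem}")
```

Run against the constructed sample, the machine user still has push on `example-org/infra` and admin on `example-org/forgotten`, so both are reported; if the same token had been issued with only the `public_repo` scope, the private repos would be unreachable and only `example-org/public-lib` would count. To audit a real account, replace the sample with `fetch_live(token)` for the dedicated user's token.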