Comment by thewisenerd 6 days ago
Ah; understood. Assuming PEM leakage aside,
the scope of the exchanged token is the scope of the installation (org / repo), thereby limiting exposure already.
To further reduce the scope of exposure, the JWT would've needed to be exchanged with the specific `repositories` (given most installations are org-scoped) and `permissions`:
https://docs.github.com/en/apps/creating-github-apps/authent...
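An added example of the exchange the comment above describes; this is not the commenter's code nor GitHub's. It is a Go program that signs the App JWT with the App's private key (a freshly generated RSA key stands in for the PEM file), shows the signature and expiry check GitHub makes against the App's registered public key, and then POSTs to `/app/installations/{id}/access_tokens`. The endpoint, the `repositories` and `permissions` body fields, and the JWT claim rules (`iss` = App ID, `iat` backdated for clock skew, `exp` at most 10 minutes out) come from GitHub's REST API documentation; the App ID `12345`, the installation ID, the repo name `deploy-scripts` and the `contents: read` permission are made-up values.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// appJWT signs the App JWT with the App's private key: iss = App ID, iat backdated 60s for clock skew, exp inside GitHub's 10-minute cap.
func appJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	claims, _ := json.Marshal(map[string]any{ // marshalling ints and strings cannot fail
		"iat": now.Add(-time.Minute).Unix(), "exp": now.Add(9 * time.Minute).Unix(), "iss": appID,
	})
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // RS256 = RSASSA-PKCS1-v1_5 + SHA-256
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyAppJWT is the relying-party check GitHub performs with the App's registered public key: RS256 signature, then the expiry window. Returns iss.
func verifyAppJWT(token string, pub *rsa.PublicKey, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("bad signature: %w", err)
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c struct {
		Exp int64  `json:"exp"`
		Iss string `json:"iss"`
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", err
	}
	if now.Unix() >= c.Exp || c.Exp-now.Unix() > 600 {
		return "", fmt.Errorf("exp outside the 10-minute window")
	}
	return c.Iss, nil
}

// TokenRequest is the body of POST /app/installations/{id}/access_tokens: empty means the installation's full scope; repositories and permissions narrow it.
type TokenRequest struct {
	Repositories []string          `json:"repositories,omitempty"`
	Permissions  map[string]string `json:"permissions,omitempty"`
}

// exchange presents the JWT as a Bearer token at baseURL and returns the installation access token from the 201 response.
func exchange(client *http.Client, baseURL, jwt string, installationID int64, req TokenRequest) (string, error) {
	body, err := json.Marshal(req)
	if err != nil {
		return "", err
	}
	httpReq, err := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/app/installations/%d/access_tokens", baseURL, installationID), bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	httpReq.Header.Set("Authorization", "Bearer "+jwt)
	httpReq.Header.Set("Accept", "application/vnd.github+json")
	resp, err := client.Do(httpReq)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		return "", fmt.Errorf("token exchange returned HTTP %d", resp.StatusCode)
	}
	var out struct{ Token string } // matches the "token" field case-insensitively
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.Token, err
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed: stands in for the App's PEM file
	jwt, err := appJWT("12345", key, time.Now())   // 12345 is a made-up App ID
	body, _ := json.Marshal(TokenRequest{Repositories: []string{"deploy-scripts"}, Permissions: map[string]string{"contents": "read"}})
	fmt.Printf("Authorization: Bearer %s (err=%v)\nscoped request body: %s\n", jwt, err, body)
}
```

Passing `TokenRequest{}` serialises to `{}` and yields a token with the whole installation's scope; naming `repositories` and `permissions` is what narrows what that token can reach if it, rather than the PEM, leaks. Against the real API the call is `exchange(http.DefaultClient, "https://api.github.com", jwt, installationID, req)`; GitHub also needs the App's public key registered, which is what `verifyAppJWT` models on its side.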