I think the assumption is that the permissions are scoped to the repository you're currently asking questions on, rather than your private repositories as well.
I can see arguments for both sides.
I stopped disabling plugins from "managers" that overreached from their repos only to org wide years ago. While I liked a lot of people I worked with in that institution on a personal level, I was happy not having to work with them as devs, when that institution got closed.
Some nice people behave rather dumb when it comes to tech. And than comes AI and tramples along, because there are no boundaries (See the article what they are writing about /assumed/ security boundaries. They assume things so much, it becomes physical pain to read or listen to them.)
Another rant(ish). You can request a PAT for, say, 30 days for a repo, and if you don't have access, it'll prompt an admin to approve that PAT. Okay, makes sense. But then you can refresh that same token without permission going forward.
Like I said earlier, I can see both points of view, and I think the answer is more granular scoped permissions (eg on a per-workflow basis). Right now the permissions are crude.
Now, presumably GitHub Agentic workflows are the proper 1st party solution for this exact issue, but seems like they still have some work to do, either on the security model, or at least in making it easier to use securely.
More on this here: https://haulos.com/blog/do-not-give-your-agent-github-access...
But that requires:
1. the technical ability for such fine-grained scoping / permissions
2. actually taking the time to think about what you want to achieve with the agent and what the smallest set of permissions / capabilities is for it to achieve it
Regarding 1., I think this will come, we're still in the wild west phase of agent usage. It'll be interesting to see which abstraction(s) will turn out to be the best interface for humans designing agents (minimize friction for finding and defining scope and permissions) and to limit agent capabilities (again finding the best trade-off between level of detail possible for defining capabilities and the ease of use of actually doing it).
Regarding 2., well, that's still the core problem that's always prevented the construction of high quality software, isn't it? Taking the time to properly think it out,and then taking the time to properly implement it. Which goes counter to the "move fast and break things" approach of people throwing agents at everything.
That post had crazy suggestions for harness-level rules or shell scripts or something, when the obvious and correct answer is to run agents using existing OS-level security features that grant appropriate access (if you don’t want an agent accessing ~/ , run it as a user that doesn’t have access!)
The dog analogy is quite apt - it just really wants to access src/, it doesn’t need a reason.
Is there a way to segment access per agentic workflow, so that you can have both habe an agentic workflow that has access to sensitive data and one that has only access to public data? Is the default to set the scope to only the current repository? Does Github appropriately inform about the risk of combining an agentic workflow with access to private repository data?
If the answer to any of those questions is "no", then that's a problem.
(Classic GH Workflows are also riddled with priveledge escalation via PR-triggered workflows, but that's another topic.)
If the author had used the native secrets.GITHUB_TOKEN then yes.
> Does Github appropriately inform about the risk of combining an agentic workflow with access to private repository data?
Not really, but also this highlights a broader issue: GitHub introduced fine-grained access tokens quite a while ago to prevent these situations. However, fine-grained access tokens don't work for a fair segment of the GitHub API for whatever reason. So often you have to use a personal access token to create a GitHub integration, and these have extremely broad permissions. Having said that, that is still the author's choice.
The real solution is a better UI for controlling permissions on a per prompt basis - just as we can select "search the web or not" the solution would be to have a "include my private repo" option that can be trivially toggled.