scorecard: BUG: githubv4.Query: Resource not accessible by integration in Branch-Protection

An interesting error came up in the run for the GitHub action https://github.com/ossf/scorecard/security/code-scanning/2869?query=ref%3Arefs%2Fheads%2Fmain

error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration

Note: this was for a push event, not a PR. Let’s see if this continues in the next push. It did not happen before in previous pushes.

I’ve never seen it before. @azeemsgoogle ideas?

About this issue

  • State: open
  • Created 3 years ago
  • Comments: 24 (19 by maintainers)

Most upvoted comments

Hi. It’s been a while since this issue was opened. Is there any support planned for private repos?

I found the following on the scorecard actions docs.

Private repositories need a PAT to use any Scorecard Action functions … We recommend that you do not use a PAT unless you feel that the risks introduced are outweighed by the functionalities they support.

This implies using scorecard on private repositories is risky by design…

The fine-grained PAT should help alleviate this. But we’ll need to update our instructions at: https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional

It will probably also need read permissions to a few more fields for private repos (I’m guessing actions, issues, pull_requests, contents, but just a guess, not exhaustive).

I’m getting the following error at the moment: 2023/07/27 14:52:26 error during command execution: check runtime error: Branch-Protection: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Your token has not been granted the required scopes to execute this query. The ‘allowsDeletions’ field requires one of the following scopes: [‘public_repo’], but your token has only been granted the: [‘’] scopes. Please modify your token’s scopes at: https://github.com/settings/tokens.

I believe this has been resolved in the slack, but the classic PATs need the public_repo scope to read branch protection, which the message is saying.

Note: Hopefully all of this will be a problem of the past soon due to Repository Rules (see: #3326)
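
The two failure messages quoted in this thread can be told apart mechanically when triaging Scorecard run logs. The following is an added example, not code from the thread or from the scorecard project; the function names are hypothetical and the sample lines are constructed from the two messages above.

```python
import re

Q = "'\"\u2018\u2019"  # straight and curly quotes (scraped logs often carry curly ones)
SCOPE_RE = re.compile(
    rf"The [{Q}](?P<field>[^{Q}]+)[{Q}] field requires one of the following scopes: "
    rf"\[(?P<required>[^\]]*)\], but your token has only been granted the: "
    rf"\[(?P<granted>[^\]]*)\] scopes"
)
CHECK_RE = re.compile(r"check runtime error: (?P<check>[\w-]+):")

# Constructed sample input, modelled on the two messages quoted in this thread.
SAMPLE_LOG = [
    "error during branchesHandler.setup: internal error: githubv4.Query: "
    "Resource not accessible by integration",
    "2023/07/27 14:52:26 error during command execution: check runtime error: "
    "Branch-Protection: internal error: error during branchesHandler.setup: "
    "internal error: githubv4.Query: Your token has not been granted the required "
    "scopes to execute this query. The 'allowsDeletions' field requires one of the "
    "following scopes: ['public_repo'], but your token has only been granted the: "
    "[''] scopes.",
    "2023/07/27 14:52:27 unrelated line (constructed)",
]


def split_scopes(raw):
    """Turn "'a', 'b'" into ['a', 'b']; the [''] form means no scopes at all."""
    return [s for s in (part.strip(" " + Q) for part in raw.split(",")) if s]


def classify(line):
    """Return a finding for a githubv4.Query authorization failure, else None."""
    if "githubv4.Query:" not in line:
        return None
    check = CHECK_RE.search(line)
    finding = {"check": check.group("check") if check else None}
    m = SCOPE_RE.search(line)
    if m:  # classic PAT without the scope the queried field needs
        finding.update(kind="missing_scope", field=m.group("field"),
                       required=split_scopes(m.group("required")),
                       granted=split_scopes(m.group("granted")))
    elif "Resource not accessible by integration" in line:
        finding.update(kind="not_accessible")  # token may not read the resource
    else:
        finding.update(kind="other")
    return finding


def triage(lines):
    return [f for f in map(classify, lines) if f is not None]
```

A `missing_scope` finding with an empty `granted` list is the case described above: a classic PAT created without `public_repo`.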