Make access control for Authorized GitHub and OAuth Apps more detailed

[mjmikulski]

Context

Example - I want to use Streamlit (an Authorized OAuth App) to automatically deploy a webpage using (excellent) Streamlit share option.
The source code of the app is located in a public repo, but Streamlit requires also access to private repos.

How it's now

I have only binary decision: I can either decide to authorize the OAuth app or decline.

How it could be

I can decide exactly what permissions I grant (here I know I that Streamlit will not need any access to private repos).

Value added

Such a feature could substantially limit the scope of attacks like this.

[elelay]

Seconded,
in the wake of the 2022-04-15 attack on Heroku and Travis CI I'm reluctant to give read/write access to repositories again.
Example at Circle CI:

Note: CircleCI only asks for permissions that are absolutely necessary. However, CircleCI is constrained by the specific permissions each VCS provider chooses to supply. For example, getting a list of all user’s repos – public and private – from GitHub requires the repo
scope, which is write-level access. GitHub does not provide a read-only permission for listing all a user’s repositories.

[doublerebel]

Related: #31605, #38382