They look good, but the access permissions are excessive - and the policy associated with them is not really acceptable given the permissions being asked for.
And the old webhook-based integration no longer seems to be available for new repo notifications.