When adding a GitHub account to Sourcetree for Mac 3.0.1 (205), using OAuth and HTTPS, only public read permissions are requested:
Consequently, no private repos are accessible and no write permissions are given. I found no way of elevating the requested permissions either through Sourcetree or through GitHub settings.
I found a workaround by accident: after the Sourcetree app is authorized, an entry is created in Keychain Access:
Kind: application password
Where: SourceTree (OAuth) for GitHub
Deleting this entry, relaunching Sourcetree and clicking on "Remote" tab gives this info:
After clicking on "Sign In", GitHub finally presents the additional permissions prompt:
Shouldn't Sourcetree ask for all of these permissions when adding the account using the normal workflow?
Still when using the workaround I proposed, I am unable to access private repos of some organizations I am a part of, rather I need to request access individually for SourcetreeForMac from here https://github.com/settings/applications like this:
Searching around, I found another workaround, which finally gave me the full access:
1) Go to https://github.com/settings/tokens
2) Click "Generate new token"
3) Input token description e.g. "Sourcetree Mac Token", select "repo" checkbox, and click "Generate token"
4) Copy the generated token
5) Add your GitHub account to Sourcetree, but now rather than using OAuth, select Basic authentication
6) Input your username
7) Paste the generated token as password
Now you should have a fully functional connection between your GitHub account and Sourcetree, including access to all private repos. If you encounter any functionality that is not working (I haven't), try regenerating the token with more permissions - I intentionally selected only "repo", as that is all I need at this moment.
Hope this is helpful, until there is a fix from Sourcetree team. As mentioned above, the issue has already been filed here https://jira.atlassian.com/browse/SRCTREE-6322
Sourcetree's OAuth permissions for all services (not just GitHub) are intentionally narrowly scoped. We don't want authorization for actions we aren't using in the app. The request for private repos is a good one and should be filed in our public trackers (Mac and Windows) Cheers!
Senior Mac Developer, Sourcetree
Thank you for answering. I do appreciate the privacy-conscious approach that the Source Tree team is taking. Still, the basic set of public read permissions requested does not even allow for write access to public repos, so I am unable to push any changes. It seems that someone has already filed an issue regarding this behavior:
Hope this gets sorted out soon.
That's ridiculous. I can't access my private repository because of the "actions you are not using in the app"? It seems you like to make source tree unusable.
To continue like that it's better to stop developing it. You need to decide if you want to create a useful tool or some sort of a gimmick.
First of all thanks for the workaround. I was able to access my private repositories with your approach.
I think this problem is bigger than it seems, because if you're new to GitHub (or any other alternatives) and SourceTree, you may end up losing your access to your private repositories. The reasons why so many people are not facing this problem are either this problem is something new (maybe related with 3.0.1) or they have already given the permission to SourceTree for full access. I was revoking my Oauth App tokens and when I re-connect my GitHub account with SourceTree, I face this one.
Hope you guys figure this out soon.
Thank you so much for the solution. This worked for my organizations private repo. Strangely, none of my colleagues faced the issue except me. We have 2FA enabled and only for me it was causing issue.
Just to mention, am in Mojave while all my colleagues are still in High Sierra but don't think this should be an issue.
This works properly in the Windows version of SourceTree but (still, one year later) is not fixed in the Mac version as of 4.0.232. There were a handful of other bugs in the authorization dialog too (such as, can't switch from Basic to OAuth on an existing account). Anyone driving this bus?
The workaround at the top with deleting the keychain entry does work, so some part of the SourceTree code has the right implementation for requesting permissions. So the response from the Atlassian Team member to the effect of "we do this on purpose" can be ignored.
A vulnerability has been published today in regards to Sourcetree for Windows. The goal of this article is to give you a summary of information we have gathered from Atlassian Community as a st...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event