Enable OAuth application allow-list for 'php' GitHub Organization

  117952
June 15, 2022 15:48 tim@bastelstu.be (Tim Düsterhus)
Hi Folks

While authorizing a new OAuth app for my GitHub account I noticed that 
the 'php' organization is one of the few that does not have the OAuth 
"allowed application list" feature enabled that requires explicit 
approval by an organization owner before an OAuth app is allowed to 
access private resources within the organization (that includes write 
access to the repositories). While I trust the OAuth applications I 
approve for my repositories, I don't necessarily trust them with the PHP 
organization's resources.

This allow-list was later added by GitHub and I assume the PHP 
organization predates its introduction. It is enabled by default for any 
newly created GitHub Organization.

An organization owner can enable the allow-list here:

https://github.com/organizations/php/settings/oauth_application_policy

and I would recommend doing so.

Documentation is 
https://docs.github.com/en/organizations/restricting-access-to-your-organizations-data/about-oauth-app-access-restrictions

After this allow-list is enabled, an owner can grant the existing 
intentionally added apps (e.g. Travis, Cirrus or AppVeyor) access via 
their own list of authorized applications at:

https://github.com/settings/applications

a) Click the headline of the application in question.
b) For the 'php' organization click 'Grant'.

Non-owner requests can then later be managed at:

https://github.com/organizations/php/settings/oauth_application_policy

Best regards
Tim Düsterhus