Before submitting a topic, please confirm the following
I have searched for similar issues before creating this topic.
I have verified that my repository is using the Codecov GitHub app, if using GitHub
I have validated my codecov.yaml configuration file.
I have filled out the below sections to the best of my ability.
Description
My goal is to limit Codecov's access to 7 private repos for 10 users in one private organization that has many more repos and users. Configuring the Codecov GitHub App allows this level of granularity: I can limit to 10 users and specify the 7 repos to grant access to.
However, the additional requirement to grant GitHub OAuth full permissions to all repos and users in the private organization does not allow the desired permissions granularity. If access has already been granted via the GitHub App, why is GitHub OAuth also needed?
Expected Results
Once Codecov is authorized via the GitHub App, no further authorization is needed.
Actual Results
Two different GitHub authorizations are needed, one each for the GitHub App and for GitHub OAuth.
So, my concerns about limiting GitHub permissions seem to be an issue with how the GitHub App user-to-server flow works, which is a GitHub problem, not a Codecov problem.
No, looking at another GitHub App login flow, it does appear that Codecov could use only GitHub App permissions without needing the additional OAuth App permissions. When trying the GitHub App SonarCloud, the same github.com/login/oauth/authorize login URL is used as in the Codecov login flow. But the permissions requested are different: the SonarCloud login flow requests the more fine-grained GitHub App permissions, while Codecov requests the more expansive OAuth flow permissions. See the difference in the following screenshots, when trying to log in to Codecov vs. SonarCloud via GitHub:
I can also see in my GitHub settings > Applications that Codecov is authorized as an "Authorized OAuth App", while SonarCloud is an "Authorized GitHub App".
Is there some technical reason why Codecov isn't using the GitHub App permissions for login? Does it have something to do with charging by user? Or has it just not been implemented yet?
Yes, it was communicated to me offline in a demo that at this time the customer demand is not high enough to justify the LOE required for Codecov to migrate fully to using GitHub App permissions. Thanks.
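The difference the posts above observe (Codecov listed under "Authorized OAuth Apps", SonarCloud under "Authorized GitHub Apps") can be checked from the token side as well. The script below is an added example, not code from the thread, from Codecov or from GitHub: it classifies a token from the headers GitHub returns on GET https://api.github.com/user (an OAuth App token or classic PAT reports its granted scopes in X-OAuth-Scopes; a GitHub App user-to-server token reports none, because its reach is bounded by the repositories selected on the installation), flags scopes such as `repo` that reach every repository the user can see, and lists the repositories an installation actually exposes via /user/installations/{id}/repositories. The sample headers and payloads are constructed; the BROAD_SCOPES mapping is my own summary of GitHub's documented scope meanings, and the live mode under `__main__` assumes a GITHUB_TOKEN environment variable.

```python
import json
import os
import urllib.request

API = "https://api.github.com"

# Assumed mapping (my summary of GitHub's documented scope meanings, not from
# the forum thread): scopes that reach far beyond a handful of selected repos.
BROAD_SCOPES = {
    "repo": "read/write on every repository the user can access, public and private",
    "admin:org": "read/write organization membership, teams and settings",
    "write:org": "write organization membership and teams",
    "user": "read/write the full user profile",
}

# Constructed samples of what GET /user returns for the two token kinds.
SAMPLE_OAUTH_HEADERS = {"X-OAuth-Scopes": "repo, read:org, user:email",
                        "X-GitHub-Media-Type": "github.v3; format=json"}
SAMPLE_APP_HEADERS = {"X-OAuth-Scopes": "",
                      "X-GitHub-Media-Type": "github.v3; format=json"}

# Constructed sample of GET /user/installations/{id}/repositories.
SAMPLE_INSTALLATION_REPOS = {
    "total_count": 2,
    "repositories": [
        {"full_name": "acme/web", "private": True},
        {"full_name": "acme/api", "private": True},
    ],
}


def parse_scopes(headers):
    """Return the scope list from X-OAuth-Scopes (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "x-oauth-scopes":
            return [s.strip() for s in value.split(",") if s.strip()]
    return []


def classify_token(headers):
    """Classify a token as 'oauth-app' (scoped) or 'github-app' (installation-bounded).

    Scopes present  -> OAuth App token or classic PAT; access is per-scope, org-wide.
    Scopes absent   -> GitHub App user-to-server token (fine-grained PATs look the
                       same); access is limited to the installation's selected repos.
    """
    scopes = parse_scopes(headers)
    return {
        "kind": "oauth-app" if scopes else "github-app",
        "scopes": scopes,
        "broad": {s: BROAD_SCOPES[s] for s in scopes if s in BROAD_SCOPES},
    }


def installation_repo_names(payload):
    """Sorted full names of the repositories an installation exposes to this token."""
    return sorted(repo["full_name"] for repo in payload.get("repositories", []))


def _get(path, token):
    """Minimal authenticated GET; returns (headers, decoded JSON body)."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": "Bearer " + token,
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        return dict(resp.headers), json.loads(resp.read().decode())


def live_report(token):
    """Run the classification against the real API for the given token."""
    headers, _ = _get("/user", token)
    result = classify_token(headers)
    if result["kind"] == "github-app":
        _, installs = _get("/user/installations", token)
        result["installations"] = {
            inst["id"]: installation_repo_names(
                _get("/user/installations/%d/repositories" % inst["id"], token)[1])
            for inst in installs.get("installations", [])
        }
    return result


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # assumed env var for the live check
    if token:
        print(json.dumps(live_report(token), indent=2))
    else:
        print(json.dumps(classify_token(SAMPLE_OAUTH_HEADERS), indent=2))
        print(json.dumps(classify_token(SAMPLE_APP_HEADERS), indent=2))
        print(installation_repo_names(SAMPLE_INSTALLATION_REPOS))
```

With the constructed samples, the first header set classifies as an OAuth App token whose `repo` scope is flagged as broad, and the second as a GitHub App token whose reach has to be read from the installation's repository list rather than from scopes, which is the distinction the thread is asking Codecov to honour.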
Reporting in as another user at a large enterprise where this is a serious limitation. We're currently sticking to using the Codecov GitHub bot, which gets access via the GitHub App flow, and do not allow the OAuth integration, which grants complete access to all user repositories.
Considering past incidents at Codecov, we consider it prudent to limit the surface area to the bare minimum, and Codecov doesn't seem to be making use of GitHub well enough.