Just curious: What additional information do we get for our current project?
I'd prefer to have the "scope" as narrow as possible.
Can we make that a config option?

Could this "scare away" possible Joomla! CMS bug hunters ?

Not sure how a broad scope would scare away bug hunters.

Also, if you want to replace JoomlaCode with this, you'll need private issue tracking, since JC currently offers that.

I'm implementing this as our client issue tracker at work, and the repo scope is required so we can access the private repos that contain the code.

Well I mean, the first time you log in with your GitHub account you have to grant access to the application.
So if a possible bug hunter is been asked to give access to his/her private repositories he/she might get scared (note the smiley in the previous message)

I was about to ask of the use case and I feel quite proud of your implementation.

Would it be OK if we make this a config option ?

Sure, a config option is a reasonable compromise.

As for the implementation, there are some things lacking that I'll need to code up and contribute back, but nothing too major. The biggest hurdle right now is creating and commenting on issues while not having a GitHub account - we require that functionality.