Skip to content

Improve token setup docs, add fine-grained token support, fix host_permissions #311

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mgrobaker wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Improve token setup docs, add fine-grained token support, fix host_permissions #311

mgrobaker wants to merge 1 commit into from
+4,105 −4,737

Conversation

@mgrobaker
Copy link
Contributor

@mgrobaker mgrobaker commented Dec 1, 2025
edited
Loading

Summary

This PR improves token documentation, adds fine-grained PAT format support for future compatibility, and fixes a bug preventing API requests in local development.

Changes

1. Added fine-grained token format support in options.html

Updated the token input pattern to accept github_pat_* format:

- pattern="[\da-f]{40}|ghp_\w{36,251}"
+ pattern="[\da-f]{40}|ghp_\w{36,251}|github_pat_\w{82}"

While fine-grained PATs don't work yet (GitHub doesn't offer a Notifications permission), this future-proofs the extension for when GitHub adds that permission.

2. Fixed missing host_permissions in manifest.json

Added "host_permissions": ["https://api.github.com/*"] which is required for Manifest V3 extensions to make cross-origin fetch requests. Without this, locally-loaded extensions fail silently.

3. Improved token setup documentation

  • Step-by-step instructions with direct links to GitHub token creation
  • Clear scope table: notifications (required) vs repo (optional for private repo deep links)
  • Explains why fine-grained PATs don't work yet (GitHub's fine-grained PAT system has no Notifications permission)
  • Security note for users concerned about repo scope

4. Other documentation improvements

  • Consolidated GitHub Enterprise setup with step-by-step instructions
  • Renamed "Permissions" → "Extension Permissions" to distinguish from GitHub token scopes
  • Fixed "Notifications Permission" description (applies to all desktop notifications, not just public repos)
  • Added "Testing Your Setup" section suggesting users watch a busy repo like microsoft/vscode

5. Security fixes

Ran npm audit fix to address vulnerabilities with non-breaking updates.

Test plan

  • Verify classic PAT with notifications scope works (badge count)
  • Verify fine-grained PAT is accepted by input but fails with 403 (expected until GitHub adds Notifications permission)
  • Verify locally-loaded extension makes API requests successfully

🤖 Generated with Claude Code

@mgrobaker @claude
Add token setup docs and fix missing host_permissions
9d36ef6 
- Add GitHub token setup section to README with classic token instructions
- Document why fine-grained PATs don't work yet (no Notifications permission)
- Add missing host_permissions for api.github.com (required for Manifest V3)
- Accept fine-grained token format in options for future compatibility
- Fix npm audit vulnerabilities via non-breaking updates

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@mgrobaker mgrobaker mentioned this pull request Dec 1, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mgrobaker