Our use of GitHub authentication
To access and analyze GitHub repositories, Tidelift uses both a user's individual identity on GitHub as well as a GitHub application for access.
Authenticating as a user with GitHub
Authenticating as a user at Tidelift.com uses the familiar GitHub OAuth process and requires that you provide us (read-only) access to profile information including your email address as well as information about the organizations and teams that you have access to. Once logged into Tidelift, you can access all the functionality of the lifter dashboard. We encourage you to configure 2-factor authentication on your GitHub account if you are authenticating through Tidelift, so your lifter dashboard doesn't get tampered with.
Installing the Tidelift GitHub Application
You can install the Tidelift GitHub application for your organization. This will allow us to access your repositories manifest files in order to run regular checks of your dependencies for security vulnerabilities, licensing issues, and more.
This access requires us to have read access to your code, the ability to see members of the organization, and the ability to read and write commit statuses. You'll be able to select which repositories we can access, so you can easily exclude any projects that you aren't lifting.
- We use read access to your repositories to access the dependency manifests for analysis.
- We use read access to the members and metadata of the organization to determine which users should have access to your organization in Tidelift
- We use read and write access to commit statuses so that we can use GitHub status checks to let you know about the state of the Tidelift dependency analysis on your pull requests. You can then (optionally) make those checks required to pass to be able to merge your pull request.
Please note that you're able to restrict this access to either all repositories in an organization or just to selected repositories.