Please recommend (and make possible) to use more restrictive tokens

[Postremus]

The Readme states to generate a legacy token, as far as I understand:

quarkus-ecosystem-ci/README.adoc

Lines 134 to 136 in ca902c6

	You can generate a token by accessing https://github.com/settings/tokens and clicking on `Generate new token`. On the page that comes up,
	provide a name, select `repo` scope and click on `Generate token` at the bottom of the page. You will be prompted with the newly generated token, but be sure to copy it wherever
	it is needed, because you won't be able to see it again.

These tokens can not be restricted to specific repositories.
Also, the "repo" scope includes private repositories.
I find this token to be a bit too broad in scope.

Could you maybe:

• make it possible to use fine grained access tokens?
• And document how these new tokens should be setup. I.e. least amount of scopes required, which repositories it needs to include.

[geoand]

It should be possible to use fine-grained tokens with a write permission on the repo where the tracking issue exists. Do you want to give it a try?

FWIW: I am pretty sure the fine grained tokens did not exist when this repo was first created

[gsmet]

But I think @Postremus is working on a Quarkiverse extension and in this case do we actually need a token?

[geoand]

It still needs a token to update the status of the tracking issue

[Postremus]

@gsmet @geoand

quarkiverse/quarkus-mapstruct

I configured a classic token for that repo, just to get going. But that feels to broadly scoped.
The tracking issue is quarkiverse/quarkiverse#371.
I am not able to create a fine grained token myself. I would require to request access.

However, the tracking issue is in the quarkiverse/quarkiverse repo. And the quarkus-ecosystem ci process is also maintained by quarkiverse.
So.. I believe in that constellation the quarkus core team should create the token.

[geoand]

Oh, now I see. The old tokens let you do this because you created the issue...