Revoke all scopes on `gh auth refresh` without `--scope`

[scarf005]

Describe the feature or problem you’d like to solve

HTTP 403: Must have admin rights to Repository. (https://api.github.com/repos/scarf005/pyvips)
This API operation needs the "delete_repo" scope. To request it, run:  gh auth refresh -h github.com -s delete_repo

after repo deletion, I wanted to revoke delete_repo scope given with gh auth refresh, since I did not want to accidently delete repos.

The --scopes flag accepts a comma separated list of scopes you want your gh credentials to have. If absent, this command ensures that gh has access to a minimum set of scopes.

I ran gh auth refresh again as the description in cli doc said.

but to my surprise cli still had access to repository deletion. as said in #5083, current way to revoke github cli's scope is to completely de-authorize github cli app. this is very inconvenient.

Proposed solution

gh repo request should follow the documentation and revoke access to the point of minimum set of scopes.
in this example, Delete Repositories access should be revoked.

Discussed in #5083

^{Originally posted by pritambera2000 January 23, 2022}
How to revoke scopes on gh auth refresh . After granting a scope can't revoke it from cli

[vilmibm]

Definitely agreed that there should be the ability to remove scopes via this command.

Let's use this issue to cover the addition of two new flags:

# Remove a single scope
gh auth refresh --remove-scope '<scope>'

# Reset to gh's default scopes
gh auth refresh --reset-scopes

[n1lesh]

@mislav @vilmibm I would like to work on it, if it's still open.

Also, would it make sense to rather have a --remove-scopes to allow removing multiple scopes at once?

[samcoe]

@n1lesh There are no open PRs for this feature so please feel free to work on it. The --remove-scope flag should allow for multiple values to be specified. We do not want to add both --remove-scope and --remove-scopes flags, one is sufficient.

[n1lesh]

@samcoe @vilmibm @mislav Is there an API to revoke all or at least remove a set of scopes? The current refresh flow with only minimum scopes still retains the previously added additional scopes (for eg read:public_key).

I understand that scope can be revoked under https://github.com/settings/connections/applications/* but is there a way to actually clear out scopes through the API?

[samcoe]

@n1lesh There is no endpoint for revoking scopes. The auth refresh works by creating a token with the given scopes. This feature should not need to modify that behavior at all, just needs to make sure the correct scopes are passed through to the current functionality.

[Shion1305]

I find the 'gh auth refresh --remove-scope' command quite appealing. Would it be alright if I tackled this in a PR?
I've mostly figured out the tasks involved.

[n1lesh]

@samcoe I think I was confused with the webflow showing Existing access scopes even though the access token doesn't have anything else except for the minimum required scopes after reset.

While the functionality works as expected after the change, would it be a good UX to still have existing access scopes shown
in the browser flow but the resulting access token doesn't really have it?