Do not suggest providing write access to Gitlab
## Problem
The drupal-gitlab skill added in #3588043 suggests adding this:
> A personal access token with `api` and `write_repository` scopes, created at `https://git.drupalcode.org/-/user_settings/personal_access_tokens`.
But that is not a good idea.
This gives agents write permissions to all repositories the contributor has access to. In my case and for every other maintainer, that would grant the agent access to directly commit to main release branches of maintained projects.
That's not a good idea, for security reasons but also because of accidents. You cannot undo those commits.
Also, the access token is very security sensitive: common supply-chain attacks collect such tokens in order to sneak in and spread malicious code. We don't want that to happen. Look at the recent problems npm had; we really don't want this to happen with Drupal.
## Suggestion
For now, suggest only using read-only mode. That's what I do atm as well. e.g. use scopes: `read_api, read_user, read_repository, read_virtual_registry`
Then, be conservative with best practices: develop safe best practices that also enable some write access, prove they work, and only then document them as best practice for everyone.
Personally, I'd love to be able to grant write-access only to issue forks, but atm this is not possible. (I've been considering adding a bot user account to limit the access, but that's not something that works as best practice).
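As an added example (not part of this issue or the drupal-gitlab skill), a small Python check a contributor can run against a token before handing it to an agent: it reads the token's own metadata from GitLab's `/api/v4/personal_access_tokens/self` endpoint and flags any scope outside the read-only set suggested above, as well as tokens with no expiry. The `fetch_token_info` helper and the sample responses are assumptions constructed for this example.

```python
import json
import urllib.request

# Read-only scope set suggested in this issue; anything else is reported.
READ_ONLY_SCOPES = {"read_api", "read_user", "read_repository", "read_virtual_registry"}


def audit_scopes(scopes):
    """Return the scopes that are not in the read-only allow-list (e.g. api, write_repository)."""
    return sorted(set(scopes) - READ_ONLY_SCOPES)


def audit_token_info(info, today):
    """Audit a token metadata dict as returned by GET /api/v4/personal_access_tokens/self.

    `today` is an ISO date string (YYYY-MM-DD); ISO dates compare correctly as strings.
    Returns a list of findings; an empty list means the token is acceptable for an agent.
    """
    findings = []
    extra = audit_scopes(info.get("scopes", []))
    if extra:
        findings.append("write-capable or unnecessary scopes: " + ", ".join(extra))
    expires_at = info.get("expires_at")
    if expires_at is None:
        findings.append("token never expires")
    elif expires_at < today:
        findings.append("token already expired")
    if info.get("revoked"):
        findings.append("token is revoked")
    return findings


def fetch_token_info(token, base_url="https://git.drupalcode.org"):
    """Assumed helper: fetch the metadata of the token itself (requires network access)."""
    req = urllib.request.Request(
        f"{base_url}/api/v4/personal_access_tokens/self", headers={"PRIVATE-TOKEN": token}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses, not real tokens or real API output.
SAMPLE_WRITE_TOKEN = {"scopes": ["api", "write_repository"], "expires_at": None, "revoked": False}
SAMPLE_READ_TOKEN = {"scopes": sorted(READ_ONLY_SCOPES), "expires_at": "2099-01-01", "revoked": False}

if __name__ == "__main__":
    for name, info in (("write token", SAMPLE_WRITE_TOKEN), ("read token", SAMPLE_READ_TOKEN)):
        print(name, "->", audit_token_info(info, "2025-01-01") or ["ok"])
```

To check a real token, call `audit_token_info(fetch_token_info(token), today)` and refuse to configure the agent if the list is non-empty.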