Different team repository list for the same API request using a classic PAT for one and a fine-grained PAT for the other

[remi]

Select Topic Area

Question

Body

Context

I have two access tokens for the same user inside an organization:

• CLASSIC_PAT, a classic personal access token with the repo, user and admin:org scopes
• FINE_GRAINED_PAT, a fine-grained personal access token with access to all organization repositories and these permissions:
  • Organization permissions - Read and Write access to members
  • Repository permissions - Read access to metadata
  • Repository permissions - Read and Write access to administration

Organization team endpoint — everything looks good

I’m making this request (I’m using curl instead of gh api to expose which kind of token is used):

$ curl \
  -L "https://api.github.com/organizations/ORG_ID/team/TEAM_ID" \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <CLASSIC_PAT>"

{
  …
  "repos_count": 1,
  …
}

$ curl \
  -L "https://api.github.com/organizations/ORG_ID/team/TEAM_ID" \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <FINE_GRAINED_PAT>"

{
  …
  "repos_count": 1,
  …
}

Organization team repositories endpoint — something seems wrong

But when I make a request to fetch the team repositories:

$ curl \
  -L "https://api.github.com/organizations/ORG_ID/team/TEAM_ID/repos" \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <CLASSIC_PAT>"

[
  List of 1 private repository
]

$ curl \
  -L "https://api.github.com/organizations/ORG_ID/team/TEAM_ID/repos" \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <FINE_GRAINED_PAT>"

[
  List of 1 private repository + ALL public repositories in the organization
]

Conclusion

I would expect the second request to return a list containing the single private repository, not a huge list containing the expected repository and all the public organization repositories.

Am I doing/expecting something wrong here?

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬