We agree with the fact that it is asking for a lot of permissions, and we looked into it many times.
Unfortunately, it is the only setting that gives us what we need.
Here is the topic in our forum that talks about this:
This is a pain for us as well… OC only reads the repo, we don’t write anything. The only reason we need those permissions is that we can’t see the private members of a repo if not.
The reason we need to see private members is that unless we do, those users won’t be able to onboard their repos. Their repos won’t show up on the list when they create a collective.
I’m sorry there’s no better option at the moment. We totally acknowledge it’s an issue but we don’t have a way around it at the moment. From our end we only need to read the repo.