GitHub

Deepnote allows you to import both public and private repositories from Github. If you want to use a public repository and you do not want to push to it, just open your terminal and use git clone <url> and a https link to clone it to your project.

Linking a repository to your project

If you want to include a private repository or a public one that you want to push to, you can link it. If you do, you and all your collaborators on the project will be able to push and pull to the repository from the terminal without any additional authentication.

To link a repository to your project, open the integrations tab on the left.

How is it done?

Under the hood, we generate a deploy key in the linked repository using the provided OAuth access token. This way, we're able to restrict the key only to the specific repository, so even if you share the project with other users, they won't get access to the other repositories. We do it this way because GitHub doesn't natively support limiting OAuth access token to a single repository.

This is the reason why you might have received a similar email notification:

Defense in depth

One more important reason why we've decided on this design is that we do not want access to all your repositories. We understand that you might have sensitive private repositories, or you are a maintainer of a mission-critical OSS project and you don't feel comfortable sharing access with us. Because of this, we keep the access token only for the duration of the linking request.

We plan to keep this flow client-side only once GitHub adds support for implicit OAuth grant type. Once this is done, we'll never even see the access token with access to your private repositories.

Revoking access

Only you remain in control of your data. When you revoke access to our OAuth app, all deploy keys generated by it will be automatically revoked. However, please keep in mind that all users you trusted with project access might still possess a local copy of your data.