The key idea there is to build your own custom proxy for the GitHub API, then issue tokens for it which are actually encrypted bundles of the full-permission API token plus a set of rules about what the proxy should allow it to do - only allow a GET to paths that match "/gists/.*" for example.
It's somewhat similar to Biscuits storing a Datalog program "to evaluate whether a token allows an operation."
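A sketch of that proxy-token scheme in Go, added here as an illustration rather than code from the comment, the linked post, or GitHub: `Mint` seals the full-permission upstream token together with a list of method/path rules under the proxy's own key using AES-GCM, and `Authorize` is the check the proxy would run on each incoming request before forwarding it with the real token. The key, the `ghp_...` placeholder token, the `Rule` shape and the function names are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// Rule is one constraint the proxy enforces: the request method must equal
// Method and the request path must fully match PathPattern (anchored by us).
type Rule struct {
	Method      string `json:"method"`
	PathPattern string `json:"path"`
}

// bundle is the plaintext the proxy seals into a scoped token: the real,
// full-permission upstream token plus the rules that limit its use.
type bundle struct {
	UpstreamToken string `json:"upstream_token"`
	Rules         []Rule `json:"rules"`
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16/24/32-byte key -> AES-128/192/256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Mint seals the upstream token and rules with AES-GCM under the proxy's key.
// The nonce is prepended to the ciphertext so Authorize can open it later.
// Patterns are validated here so a bad rule is rejected at issue time.
func Mint(proxyKey []byte, upstreamToken string, rules []Rule) (string, error) {
	for _, r := range rules {
		if _, err := regexp.Compile("^(?:" + r.PathPattern + ")$"); err != nil {
			return "", fmt.Errorf("bad path pattern %q: %w", r.PathPattern, err)
		}
	}
	aead, err := newAEAD(proxyKey)
	if err != nil {
		return "", err
	}
	plaintext, err := json.Marshal(bundle{UpstreamToken: upstreamToken, Rules: rules})
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plaintext, nil)), nil
}

// Authorize is the proxy-side check: open the scoped token (forged or
// tampered tokens fail GCM authentication), compare the request against its
// rules, and hand back the upstream token only if some rule permits it.
func Authorize(proxyKey []byte, scopedToken, method, path string) (string, error) {
	aead, err := newAEAD(proxyKey)
	if err != nil {
		return "", err
	}
	sealed, err := base64.RawURLEncoding.DecodeString(scopedToken)
	if err != nil || len(sealed) < aead.NonceSize() {
		return "", errors.New("malformed token")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return "", errors.New("token failed authentication")
	}
	var b bundle
	if err := json.Unmarshal(plaintext, &b); err != nil {
		return "", errors.New("malformed token payload")
	}
	for _, r := range b.Rules {
		// Patterns were validated in Mint and the payload is authenticated,
		// so MustCompile cannot see an attacker-supplied expression here.
		if r.Method == method && regexp.MustCompile("^(?:"+r.PathPattern+")$").MatchString(path) {
			return b.UpstreamToken, nil
		}
	}
	return "", fmt.Errorf("%s %s is not permitted by this token", method, path)
}

func main() {
	proxyKey := make([]byte, 32) // constructed: the proxy's secret, kept server-side
	if _, err := rand.Read(proxyKey); err != nil {
		panic(err)
	}
	upstream := "ghp_PLACEHOLDER_FULL_ACCESS_TOKEN" // constructed placeholder, not a real token
	tok, err := Mint(proxyKey, upstream, []Rule{{Method: "GET", PathPattern: "/gists/.*"}})
	if err != nil {
		panic(err)
	}
	for _, req := range [][2]string{{"GET", "/gists/abc123"}, {"DELETE", "/gists/abc123"}, {"GET", "/repos/x/y"}} {
		if _, err := Authorize(proxyKey, tok, req[0], req[1]); err != nil {
			fmt.Println("deny ", req[0], req[1], "->", err)
		} else {
			fmt.Println("allow", req[0], req[1], "-> forward with the upstream token")
		}
	}
}
```

Two things a real proxy would add on top of this: match rules against the normalised path only (strip the query string and resolve `..`/`//` before matching, otherwise the anchored pattern can be sidestepped by an unexpected path encoding), and put an expiry and an identifier into the bundle so tokens can be time-limited and revoked without rotating the proxy key.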