You may have used AppVeyor or Travis CI to do CI for your GitHub or BitBucket project. What you only need to do is to write a appveyor.yml or .travis.yml, and then do OAuth to grant permission for AppVeyor or Travis CI. After that, the CI service will do everything for you. But how is the CI service working behind? Many Microsoft projects have used AppVeyor as CI Service on Windows platform. So let me use AppVeyor CI as example to introduce it. (Note: In this post, we target on public GitHub repo since private GitBub repo has a little difference.)
Why does AppVeyor need those permissions? Let's put emphasis on the two permissions:
1. Admin access for Repository webhooks and serviecs
This is to setup GitHub Webhook for AppVeyor. Everytime a pull request or push comes in the Github repo, Github will send event message to AppVeyor through webhook. AppVeyor will then trigger the CI.
1. The workflow is as below
2. Admin access for Repository webhooks and serviecs is one-off permission needed. AppVeyor no longer needs the permission after webhook is set up.
3. Write access for Commit statuses is optional if you does not need AppVeyor to update the commit stauts