The documentation currently suggests creating a github token with permissions to everything, including delete_repo and admin:write:org. This isn't great, could you please find out what is actually necessary and update the docs?

repo:public_repo seems to be enough for public repositories - but my test is from getting updated data with a setup that was originally configured using a token with much greater access.

microsoft/ghcrawler#97 is the upstream ghcrawler issue for this, although obviously they don't know exactly what's being fetched, and we do for Measure, so we should be able to work it out.

We probably also need read:user and user:email for contributor information.

read:org is probably needed for teams, collaborators. There's also an events but don't know yet what that requires.

Seems X-Accepted-OAuth-Scopes response header described in https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/ could be used to narrow down the requirement.