docs: remove chat:write.public scope for best practice

mwbrooks · mwbrooks · commit 36e3a874d5dd · 2025-11-28T10:41:22.000-08:00
diff --git a/docs/guides/using-environment-variables-with-the-slack-cli.md b/docs/guides/using-environment-variables-with-the-slack-cli.md
@@ -22,7 +22,7 @@ MY_ENV_VAR=asdf1234
 
 Note that changes to your `.env` file will be reflected when you restart your local development server.
 
-While the `.env` file should **never** be committed to source control for security reasons, you can see a sample `.env` file we've included in the [Timesheet approval sample app](https://github.com/slack-samples/deno-timesheet-approval) and the [Incident management sample app](https://github.com/slack-samples/deno-incident-management). 
+While the `.env` file should **never** be committed to source control for security reasons, you can see a sample `.env` file we've included in the [Timesheet approval sample app](https://github.com/slack-samples/deno-timesheet-approval) and the [Incident management sample app](https://github.com/slack-samples/deno-incident-management).
 
 ### Storing deployed environment variables {#deployed-env-vars}
 
@@ -40,7 +40,7 @@ If your token contains non-alphanumeric characters, wrap it in quotes like this:
 slack env add SLACK_API_URL "https://dev<yournumber>.slack.com/api/"
 ```
 
-Your environment variables are always encrypted before being stored on our servers and will be automatically decrypted when you use them&mdash;including when listing environment variables with `slack env list`. 
+Your environment variables are always encrypted before being stored on our servers and will be automatically decrypted when you use them&mdash;including when listing environment variables with `slack env list`.
 
 ### Access variables from within function {#access-function}
 
@@ -108,7 +108,7 @@ export default Manifest({
   outgoingDomains: [
     Deno.env.get("CHATBOT_API_URL")!,
   ],
-  botScopes: ["commands", "chat:write", "chat:write.public"],
+  botScopes: ["commands", "chat:write"],
 });
 ```
 
@@ -134,7 +134,7 @@ With this addition, running `slack deploy` without defining a value for `CHATBOT
 
 ## Enabling debug mode {#debug}
 
-The included environment variable `SLACK_DEBUG` can enable a basic debug mode. Set `SLACK_DEBUG` to `true` to have all function-related payloads logged. 
+The included environment variable `SLACK_DEBUG` can enable a basic debug mode. Set `SLACK_DEBUG` to `true` to have all function-related payloads logged.
 
 For local apps, add the following to your `.env` file:
 
diff --git a/internal/goutils/strings_test.go b/internal/goutils/strings_test.go
@@ -326,8 +326,8 @@ func Test_RedactPII(t *testing.T) {
 		},
 		{
 			name:     "Escape sensitive data from mock HTTP response",
-			text:     `{"ok":true,"app_id":"A123","credentials":{"client_id":"123","client_secret":"123","verification_token":"123","signing_secret":"123"},"oauth_authorize_url":"123":\/\/slack.com\/oauth\/v2\/authorize?client_id=123&scope=commands,chat:write,chat:write.public"}`,
-			expected: `{"ok":true,"app_id":"A123","credentials":{"client_id":"...","client_secret":"...","verification_token":"...","signing_secret":"..."},"oauth_authorize_url":"...":\/\/slack.com\/oauth\/v2\/authorize?client_id=...&scope=commands,chat:write,chat:write.public"}`,
+			text:     `{"ok":true,"app_id":"A123","credentials":{"client_id":"123","client_secret":"123","verification_token":"123","signing_secret":"123"},"oauth_authorize_url":"123":\/\/slack.com\/oauth\/v2\/authorize?client_id=123&scope=commands,chat:write"}`,
+			expected: `{"ok":true,"app_id":"A123","credentials":{"client_id":"...","client_secret":"...","verification_token":"...","signing_secret":"..."},"oauth_authorize_url":"...":\/\/slack.com\/oauth\/v2\/authorize?client_id=...&scope=commands,chat:write"}`,
 		},
 		{
 			name:     "Escape from `Command` for external-auth add-secret",
diff --git a/test/testdata/manifest-sdk-app-name.ts b/test/testdata/manifest-sdk-app-name.ts
@@ -18,5 +18,5 @@ export default Manifest({
   "icon": "assets/icon.png",
   "functions": [ReverseFunction],
   "outgoingDomains": [],
-  "botScopes": ["commands", "chat:write", "chat:write.public"],
+  "botScopes": ["commands", "chat:write"],
 });
diff --git a/test/testdata/manifest-sdk.ts b/test/testdata/manifest-sdk.ts
@@ -18,5 +18,5 @@ export default Manifest({
   "icon": "assets/icon.png",
   "functions": [ReverseFunction],
   "outgoingDomains": [],
-  "botScopes": ["commands", "chat:write", "chat:write.public"],
+  "botScopes": ["commands", "chat:write"],
 });

Original file line number	Diff line number	Diff line change
`@@ -326,8 +326,8 @@ func Test_RedactPII(t *testing.T) {`
`326`	`326`	`},`
`327`	`327`	`{`
`328`	`328`	`name: "Escape sensitive data from mock HTTP response",`
`329`		- text: `{"ok":true,"app_id":"A123","credentials":{"client_id":"123","client_secret":"123","verification_token":"123","signing_secret":"123"},"oauth_authorize_url":"123":\/\/slack.com\/oauth\/v2\/authorize?client_id=123&scope=commands,chat:write,chat:write.public"}`,
`330`		- expected: `{"ok":true,"app_id":"A123","credentials":{"client_id":"...","client_secret":"...","verification_token":"...","signing_secret":"..."},"oauth_authorize_url":"...":\/\/slack.com\/oauth\/v2\/authorize?client_id=...&scope=commands,chat:write,chat:write.public"}`,
	`329`	+ text: `{"ok":true,"app_id":"A123","credentials":{"client_id":"123","client_secret":"123","verification_token":"123","signing_secret":"123"},"oauth_authorize_url":"123":\/\/slack.com\/oauth\/v2\/authorize?client_id=123&scope=commands,chat:write"}`,
	`330`	+ expected: `{"ok":true,"app_id":"A123","credentials":{"client_id":"...","client_secret":"...","verification_token":"...","signing_secret":"..."},"oauth_authorize_url":"...":\/\/slack.com\/oauth\/v2\/authorize?client_id=...&scope=commands,chat:write"}`,
`331`	`331`	`},`
`332`	`332`	`{`
`333`	`333`	name: "Escape from `Command` for external-auth add-secret",