From a59863386ccfb016c74708cceaadcebc90a1da62 Mon Sep 17 00:00:00 2001
From: Marcus Goldschmidt <marcus.golds@hotmail.com>
Date: Wed, 20 May 2026 14:45:54 -0400
Subject: [PATCH 1/4] add exclusion group

---
 pkg/connector/repository.go | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/pkg/connector/repository.go b/pkg/connector/repository.go
index 0a712416..d0381592 100644
--- a/pkg/connector/repository.go
+++ b/pkg/connector/repository.go
@@ -126,16 +126,17 @@ func (o *repositoryResourceType) List(ctx context.Context, parentID *v2.Resource
 }
 
 func (o *repositoryResourceType) Entitlements(_ context.Context, resource *v2.Resource, _ resourceSdk.SyncOpAttrs) ([]*v2.Entitlement, *resourceSdk.SyncOpResults, error) {
-	return nil, nil, nil
-}
-
-func (o *repositoryResourceType) StaticEntitlements(_ context.Context, _ resourceSdk.SyncOpAttrs) ([]*v2.Entitlement, *resourceSdk.SyncOpResults, error) {
 	rv := make([]*v2.Entitlement, 0, len(repoAccessLevels))
-	for _, level := range repoAccessLevels {
+	for i, level := range repoAccessLevels {
 		rv = append(rv, entitlement.NewPermissionEntitlement(nil, level,
 			entitlement.WithDisplayName(fmt.Sprintf("Repo %s", titleCase(level))),
 			entitlement.WithDescription(fmt.Sprintf("Access to repository in GitHub as %s", level)),
 			entitlement.WithGrantableTo(resourceTypeUser, resourceTypeTeam),
+			entitlement.WithAnnotation(&v2.EntitlementExclusionGroup{
+				ExclusionGroupId: "repository-permission-" + resource.GetId().GetResource(),
+				Order:            uint32(i),
+				IsDefault:        level == repoPermissionPull,
+			}),
 		))
 	}
 

From b661fadc08ee796e2207f054b2e51f9f25ebf5d7 Mon Sep 17 00:00:00 2001
From: Marcus Goldschmidt <marcus.golds@hotmail.com>
Date: Wed, 20 May 2026 15:22:25 -0400
Subject: [PATCH 2/4] fix default permission to match docs

---
 pkg/connector/repository.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkg/connector/repository.go b/pkg/connector/repository.go
index d0381592..9e238c58 100644
--- a/pkg/connector/repository.go
+++ b/pkg/connector/repository.go
@@ -128,14 +128,16 @@ func (o *repositoryResourceType) List(ctx context.Context, parentID *v2.Resource
 func (o *repositoryResourceType) Entitlements(_ context.Context, resource *v2.Resource, _ resourceSdk.SyncOpAttrs) ([]*v2.Entitlement, *resourceSdk.SyncOpResults, error) {
 	rv := make([]*v2.Entitlement, 0, len(repoAccessLevels))
 	for i, level := range repoAccessLevels {
-		rv = append(rv, entitlement.NewPermissionEntitlement(nil, level,
+		rv = append(rv, entitlement.NewPermissionEntitlement(
+			resource,
+			level,
 			entitlement.WithDisplayName(fmt.Sprintf("Repo %s", titleCase(level))),
 			entitlement.WithDescription(fmt.Sprintf("Access to repository in GitHub as %s", level)),
 			entitlement.WithGrantableTo(resourceTypeUser, resourceTypeTeam),
 			entitlement.WithAnnotation(&v2.EntitlementExclusionGroup{
 				ExclusionGroupId: "repository-permission-" + resource.GetId().GetResource(),
 				Order:            uint32(i),
-				IsDefault:        level == repoPermissionPull,
+				IsDefault:        level == repoPermissionPush,
 			}),
 		))
 	}

From e3bf9d3a5477c806ed43b7c4849290114965f90b Mon Sep 17 00:00:00 2001
From: Marcus Goldschmidt <marcus.golds@hotmail.com>
Date: Thu, 21 May 2026 16:49:37 -0400
Subject: [PATCH 3/4] add scope to resource for EntitlementExclusionGroup

---
 pkg/connector/repository.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/pkg/connector/repository.go b/pkg/connector/repository.go
index 9e238c58..ccd8feec 100644
--- a/pkg/connector/repository.go
+++ b/pkg/connector/repository.go
@@ -126,18 +126,23 @@ func (o *repositoryResourceType) List(ctx context.Context, parentID *v2.Resource
 }
 
 func (o *repositoryResourceType) Entitlements(_ context.Context, resource *v2.Resource, _ resourceSdk.SyncOpAttrs) ([]*v2.Entitlement, *resourceSdk.SyncOpResults, error) {
+	return nil, nil, nil
+}
+
+func (o *repositoryResourceType) StaticEntitlements(_ context.Context, _ resourceSdk.SyncOpAttrs) ([]*v2.Entitlement, *resourceSdk.SyncOpResults, error) {
 	rv := make([]*v2.Entitlement, 0, len(repoAccessLevels))
 	for i, level := range repoAccessLevels {
 		rv = append(rv, entitlement.NewPermissionEntitlement(
-			resource,
+			nil,
 			level,
 			entitlement.WithDisplayName(fmt.Sprintf("Repo %s", titleCase(level))),
 			entitlement.WithDescription(fmt.Sprintf("Access to repository in GitHub as %s", level)),
 			entitlement.WithGrantableTo(resourceTypeUser, resourceTypeTeam),
 			entitlement.WithAnnotation(&v2.EntitlementExclusionGroup{
-				ExclusionGroupId: "repository-permission-" + resource.GetId().GetResource(),
+				ExclusionGroupId: "repository",
 				Order:            uint32(i),
 				IsDefault:        level == repoPermissionPush,
+				ScopeToResource:  true,
 			}),
 		))
 	}

From d31f3f20a28141a969186e061969b0360607c0d6 Mon Sep 17 00:00:00 2001
From: Marcus Goldschmidt <marcus.golds@hotmail.com>
Date: Tue, 2 Jun 2026 10:56:25 -0400
Subject: [PATCH 4/4] remove default from repository

---
 pkg/connector/repository.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/connector/repository.go b/pkg/connector/repository.go
index ccd8feec..9af59678 100644
--- a/pkg/connector/repository.go
+++ b/pkg/connector/repository.go
@@ -141,7 +141,7 @@ func (o *repositoryResourceType) StaticEntitlements(_ context.Context, _ resourc
 			entitlement.WithAnnotation(&v2.EntitlementExclusionGroup{
 				ExclusionGroupId: "repository",
 				Order:            uint32(i),
-				IsDefault:        level == repoPermissionPush,
+				IsDefault:        false,
 				ScopeToResource:  true,
 			}),
 		))