GitHub has an API endpoint called 'tree-list' that is part of the presentation layer and is available to all users. This endpoint lists all files in a repository - even private repos (as long as the user is logged in). It's used by the file finder, which is presented when you are viewing a repo and hit the 't' hotkey.
https://github.com/OWNER/REPO/tree-list/COMMIT_SHA
https://github.com/sullivanmatt/octotree/tree-list/HEAD
{"paths":[".gitignore","LICENSE","README.md","dist/octotree.safariextz","dist/octotree.xpi","docs/chrome.png","docs/firefox.png","docs/safari.png","docs/token.png","gulpfile.js","package.json","src/Info.plist","src/firefox.js","src/icons/icon128.png","src/icons/icon16.png","src/icons/icon19.png","src/icons/icon48.png","src/icons/icon64.png","src/inject.css","src/inject.js","src/lib/css/jstree.css","src/lib/js/base64.js","src/lib/js/github.js","src/lib/js/jquery.js","src/lib/js/jquery.pjax.js","src/lib/js/jstree.js","src/lib/js/underscore.js","src/manifest.json","src/package.json"]}
The data it returns could definitely be used to build the list of file paths. Because the request is authenticated by the session the user is already logged in with, this would completely remove the need to grant a token in order to work with private repos. I've attempted to do this myself, but my JavaScript skill set is simply not strong enough to be able to contribute the required code. Here's a rough start:
# inject.js
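/**
 * Fetch the list of file paths for a repository from GitHub's `tree-list`
 * endpoint (the one behind the 't' file finder).
 *
 * The request goes to github.com itself, so it relies on the session the
 * user is already logged in with rather than on an API token.
 * NOTE(review): `tree-list` belongs to the presentation layer, so the
 * response shape is checked below before it is used.
 *
 * @param {{username: string, reponame: string}} repo - Owner and repository name.
 * @param {Function} done - Completion callback. This sketch never calls it;
 *   NOTE(review): wire it up once its signature is confirmed against the caller.
 */
function fetchData(repo, done) {
  // Load the branch info from the page data. The element is not guaranteed
  // to exist on every page, so guard against a null lookup.
  var field = document.getElementById("js-command-bar-field");
  var sha = field ? field.getAttribute('data-sha') : null;
  if (!sha) {
    sha = "HEAD";
  }

  // Encode every segment: the values come from the page, and they must not
  // be able to change the path or add a query string to the request.
  var url = "https://github.com/" + encodeURIComponent(repo.username) +
    "/" + encodeURIComponent(repo.reponame) +
    "/tree-list/" + encodeURIComponent(sha);

  // Get the data
  $.getJSON(url, function (data) {
    // Only iterate when the response really carries a `paths` array.
    var paths = data && Array.isArray(data.paths) ? data.paths : [];
    $.each(paths, function (key, val) {
      // ... build the path information ...
    });
  });
}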