Getting contents of a single file from an org members private fork


#1

I am creating an App that uses an installation token. The app is private to an organization.

I’m trying to get the contents of a single file during a pull request. I am able to successfully retrieve the file if it’s owned by the organization directly using this endpoint - https://developer.github.com/v3/repos/contents/#get-contents.

How can I get the file contents if it’s coming from a fork of a private repo of a member in the same organization? It currently gives me a 404. Am I missing an App permission?


#2

UPDATE: I was able to get my stuff working by using the head sha as the ref against the organization owned repo (instead of trying to fetch directly from the members private forked repo) which is a better solution anyways.

I guess the only question is: Should an installation token from an app installed on an organization be able to directly access members private repos that were forked from that organization? Currently it cannot which may be intentional which I think is fine. The only thing that’s maybe inconsistent is using a personal access token for a member in an organization also allows access to any other members private repos also forked from same org.

But either way, I can do what I need.


#3

Thanks for the request and for following up your solution. This is in fact the intended behavior with GitHub Apps due to the fact that they’re installed on specific repositories in a target organization. A forked repo doesn’t belong to that target installation, so that’s not possible.


Organization Integration on all Forks
#5

So this makes creating CI-like GitHub apps impossible right? In a CI service, you want to be able to test the commit of an incoming PR. This is currently impossible. So an organization looking to use a GitHub app in a private repo has to ask every member to install the app in their private namespace and allow access to every fork they are working on. Is that correct?

From your message I assume this is by design. So does that mean that the only way to allow this is to use OAuth apps?