GitHub App Installation - Link to Org instead of Repo


#1

Currently, a GitHub App is created by one user who, during the time of creation, decides which repo they want to provide access to. Let’s say they chose only one repo, which is repo A. Now, if the repo admin of Repos B, C, D needs that app, they have no way of installing it unless they are admins of Repo A or are the GitHub App creator themselves. Additionally, if the repo A admin removes the app from their repo, then there is no way they can add it back. The App becomes “orphaned” and we need to wait for the creator, assuming not on vacation, to add the repo back.
Therefore, is it possible for the app to be installed/associated with an Org by the creator? The repo admins in that org can then decide whether they need that app or not by going to settings -> integration and services -> searching for the app? … Just like how we can add a service, we should be able to add/install an app in the org (I don’t want the app to go out of my org for other orgs to see it … I want it restricted only within my org, but any repo admin in that org can install it as needed without depending on the creator).

Is this a fair request?


#2

If you create a GitHub App by going to https://github.com/organizations/:org/settings/apps/new, then the organization will own the App and any Owner of the organization can then install it to any repository in that organization.


#3

@ala-ableton Thanks for your response. Even in that approach, only the creator can install on a repo for the first time. A repo admin, who is not the creator of that app, cannot see that app unless it is installed on at least one repo that they are an admin on… This was the feature request I was asking.

A user in the org can create an app and need not install it in any repo to start with… repo admins within that org can have visibility on that app (after the creator tells the repo admin about his newly created app or otherwise) and install as required.


#4

@seshenoy :wave:,

Before I try to address your question, I’d like to make clear some terminology: we distinguish between GitHub App creation and GitHub App installation. What you refer to seems to be an installation, because repositories are chosen at installation time. The creator of a GitHub App is the owner, and as long as the app is visible to the user installing, it could be installed in the user itself, or part of any organization the user may admin, or repositories the user may admin in that organization.

> Currently, a GitHub App is created by one user who, during the time of creation, decides which repo they want to provide access to. Let’s say they chose only one repo, which is repo A.

I’m assuming we are talking about installing the GitHub App in an organization, and the user was either an org administrator, or a repository admin of A.

> Now, if the repo admin of Repos B, C, D needs that app, they have no way of installing it unless they are admins of Repo A or are the GitHub App creator themselves.

If the user admins those repositories B, C, and D, the user should be able to install the GitHub App on them; this is a feature we enabled recently. Being admin of Repo A for that user wouldn’t be a precondition either.

> or are the GitHub App creator themselves

I assume you are referring to the user who installed the GitHub App in the first place, which could again be either a repo Admin of A or admin of the target Organization.

> Additionally, if the repo A admin removes the app from their repo, then there is no way they can add it back.

This shouldn’t be the case, unless the GitHub App requires permissions other than code (for example, an admin of repo A would be able to install it again if the app requires, say, “organization permissions”).

> The App becomes “orphaned” and we need to wait for the creator, assuming not on vacation, to add the repo back.

I’m not 100% sure about this orphan situation, but I think the app should be removed in this case.

> Therefore, is it possible for the app to be installed/associated with an Org by the creator? The repo admins in that org can then decide whether they need that app or not by going to settings -> integration and services -> searching for the app? … Just like how we can add a service, we should be able to add/install an app in the org (I don’t want the app to go out of my org for other orgs to see it …

I’m not sure I follow your explanation, but I can say GitHub Apps have a target: this is either a User, or an Organization, so the installation should not transcend those boundaries.

> I want it restricted only within my org, but any repo admin in that org can install it as needed without depending on the creator).

This should be the case: depending on the app permissions, repository admins may be able to add/remove repositories they admin.

> Is this a fair request?

It is! And we should support the functionality you are referring to. If that’s not the case, that’s unexpected.

HTH,
Víctor


#5

@vroldanbet Thanks for your detailed explanation. I agree to be on the same page as that of yours in terms of terminology — creation vs installation. However, I am not sure if I correctly conveyed my situation. Please bear with me as I explain with another example and the conclusion based on your response above.

John Doe is Repo admin of A under Org Contoso, he created a GitHub App and installed it on Repo A. Jane Doe is a Repo admin of A, B and C under Contoso Org. She can now have visibility of that App by going to Repo A settings, and then installing it on B & C.
The above scenario is straightforward and clear…

Let me present another scenario. John Doe creates the GitHub App but does not install it on a Repo (or installs it in Repo A and, say, an hour later uninstalls it). Now, Jane Doe has no visibility of that App since it is not installed on any repo in Contoso. She cannot search the app even though she is a repo admin of A, B and C and is in the same Org Contoso. Is my understanding correct?
If I am correct, then this is what I mean as “Orphaned” app. This forces John Doe to install at least in one repo before other “intersecting” repo admins (like Jane Doe) can view it and install it on other repos…

Again, if I am correct, then this is the feature I am requesting (unless I fully did not understand your answer). John Doe should be able to create an app and install it “in the org” (not necessarily in a repo to start with) for any other repo admins in that org to “search” and install as required. Here is a small screenshot of what I have in mind (unless this feature is already there).

If this option exists, please let me know how I can achieve it without a workaround. If not, I would be happy to know if this feature can be accepted or not… Thanks again for your time and apologies if you had to repeat yourself!!


#6

hey @seshenoy,

I see what you mean now! I think you are right and you’ve revealed a UX deficiency :wink: .

It’s worth pointing out that I believe you are referring to a private GitHub App: an app that is only installable in the user/org that owns it. In this case, this is an org-owned private GitHub App.

Repo admins for public Apps could install them by going through the landing of the app, through the public URL of the app. However, in the case of a private app, there is no way to access that landing and initiate the installation flow. Only org admins can do this because they can access the Organization Settings. They could install via the Organization settings > GitHub Apps > Install App or configure via Organization Settings > Installed GitHub Apps.

Unfortunately at the moment I cannot offer you a solution: it has to be the org admin that must install it, or make it public and initiate installation via the app landing, which may not be a solution for you in this case.

I’ll open an issue internally for this :smile: ! Thanks for the feedback, and apologies for the friction you are experiencing.

Best,
Víctor


#7

hey again @seshenoy,

One of my teammates clarified the App landing page is available regardless of public/private, so long as the user is an org member, so you could use it to initiate the installation flow, you just need to “forge” the URL. Just go to https://github.com/apps/<your-app-name> and a repo-admin should see configure.

Nevertheless, I’ve reported the friction back to engineering.

Cheers,
Víctor


#8

Thanks @vroldanbet, really appreciate your help. I can see the app from the home URL.

Switching gears: I also created another topic which is again a requirement/feedback that my org would like to see implemented. I have created it here: Check Requested Webhook not triggered for forked to main PRs. Would appreciate your thoughts on that.