How to keep a GitHub App private (only the owner can install it) but available to all of the owner's orgs


#1

Hey guys, so I wrote a GitHub App for one of my orgs, and I finally got it working. But I now want to install it in my other organizations and am not able to, because it is set to private.

There seems to only be two options “public” or “private”. Private only lets you install it in that particular org. Public means anyone can install it in any org or repo.

It seems the only way for me to be able to install it on my other orgs is to make it public. But my concern is the potential for abuse.

Couldn't someone install it on their repo / org and then just hammer my server with events? I understand the rate limits are per installation, so at least those won't be abused. But it still means my server can easily be overloaded by a malicious party.

Is there a way to make it “public” (to be able to install on my other orgs) but control who can actually install it (to prevent abuse)?

Is there a better solution to this?


#2

You could create the app in each organization if you want to keep it fully private. But, if you make it public, it is still only accessible via an “unguessable” URL, so it isn’t public like the Marketplace, just to those who know the “secret” URL.


#3

Thanks for clarifying. I thought public meant it went into the marketplace and became indexed. Where do I get the install url?


#4

The URL that users would need to guess is https://github.com/apps/your-secret-app-name.

If you're very worried about others installing your app, you might also want to whitelist the organisations that your app works for in your own backend, and just no-op for any requests from unexpected installs. I can't see any scope for abuse if you do so.
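The backend check suggested in #4, as an added example that is not part of the original thread and not GitHub's own code. It verifies the `X-Hub-Signature-256` header GitHub attaches to every webhook delivery (HMAC-SHA256 over the raw body, keyed with the app's webhook secret) and then no-ops any event whose `installation.id` is not on a hard-coded allowlist. The secret, the installation IDs and the sample payloads are all constructed for the example; in a real deployment the allowlist would be filled from the `installation` events (action `created`) that arrive when you install the app on your own orgs.

```python
import hashlib
import hmac
import json

# Constructed values for the example: a webhook secret and the installation IDs
# of the owner's own orgs. Real IDs come from the "installation" webhook event.
SECRET = b"example-webhook-secret"
ALLOWED_INSTALLATIONS = {12345, 67890}


def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256: 'sha256=' + hex HMAC of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, signature_header) -> bool:
    """Constant-time comparison of the delivered signature against our own HMAC."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), signature_header)


def handle_webhook(headers: dict, body: bytes, secret: bytes,
                   allowed=ALLOWED_INSTALLATIONS) -> str:
    """Decide what to do with one delivery. Returns a short status string.

    Order matters: the signature check runs before the body is even parsed, so a
    forged request costs one HMAC and nothing else; the allowlist check runs before
    any real work (API calls, database writes), so an unexpected install costs a
    JSON parse and a set lookup.
    """
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return "rejected: bad signature"

    payload = json.loads(body)
    installation_id = (payload.get("installation") or {}).get("id")
    if installation_id not in allowed:
        # No-op for installs we did not make ourselves (post #4's advice).
        return f"ignored: installation {installation_id} not on allowlist"

    event = headers.get("X-GitHub-Event", "unknown")
    # Real processing for trusted installations would go here.
    return f"processed: {event} for installation {installation_id}"


def make_delivery(installation_id, secret: bytes, event: str = "push"):
    """Build a constructed (headers, body) pair shaped like a GitHub App delivery."""
    payload = {
        "installation": {"id": installation_id},
        "repository": {"full_name": "example-org/example-repo"},
    }
    body = json.dumps(payload).encode()
    headers = {
        "X-GitHub-Event": event,
        "X-Hub-Signature-256": sign_body(secret, body),
    }
    return headers, body


if __name__ == "__main__":
    # Trusted installation: processed.
    print(handle_webhook(*make_delivery(12345, SECRET), SECRET))
    # Someone who found the install URL and installed it elsewhere: no-op.
    print(handle_webhook(*make_delivery(99999, SECRET), SECRET))
    # Forged request without the secret: rejected before parsing.
    h, b = make_delivery(12345, SECRET)
    h["X-Hub-Signature-256"] = "sha256=" + "0" * 64
    print(handle_webhook(h, b, SECRET))
```

The caveat a practitioner should keep in mind: this stops unexpected installs from triggering any work or API calls, but a flood of deliveries from such an install still reaches the endpoint and is still read and HMAC-checked, so it caps the cost per unwanted request rather than eliminating it.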