Improving the permissions workflow for private GitHub apps


#1

We’ve been using a GitHub app in the eslint organization to perform some automated tasks for the last few weeks, and it’s been working well.

A couple times, we’ve added features to the app which require the app to have additional permissions. When this happens, I have to take the following steps:

  1. I update the permissions on the app settings page. This causes an automated email to get sent to all owners of the organization, notifying them that the app is requesting updated permissions.
  2. On a separate page, I update the app installation to accept the new permissions.

The main issue with this workflow is that it sends an email to all of the organization owners, when no action is actually needed from them (since I can just accept the updated permissions myself). This is mildly annoying for the other organization owners. It might also be confusing for them because the link in the email goes to a 404 page after I accept the permissions.

I understand why step 2 is necessary for public apps (if the app is installed on a repo that isn’t controlled by the app maintainer, the repo owner might not want to grant the updated permissions to the app). However, I’m confused about why step 2 is necessary for private apps. I think only organization owners have access to perform step 1, and an organization owner would always have the ability to perform step 2 for private apps. It seems likely to me that anyone who performs step 1 for a private app would also intend to perform step 2, since step 2 would be necessary for the changes to have any effect.

Would it be possible to improve the workflow for this case, so that step 2 (and the email notification) are no longer needed for private apps?
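The two-step workflow above leaves a window in which the app's requested permissions and what an installation has actually accepted can differ. The following script is an added example (not code from the original post, and not part of GitHub's or the eslint organization's tooling) that audits that gap offline. It assumes the JSON shapes returned by the GitHub REST API endpoints `GET /app` (a `permissions` map) and `GET /app/installations` (a list of installations, each with an `id`, an `account.login` and a `permissions` map); the sample payloads embedded below are constructed for this example, not real API responses. It reports, per installation, scopes still pending acceptance (step 2 not yet done) and scopes granted beyond what the app now requests (least-privilege drift after a permission was narrowed).

```python
"""Compare the permissions a GitHub App requests with those an installation
has actually accepted.

Added example, not code from the original post. It assumes the JSON shapes
returned by the GitHub REST API endpoints GET /app (field "permissions")
and GET /app/installations (each item carries "id", "account" and a
"permissions" map). The sample payloads below are constructed for this
example and are not real API responses.
"""
import json

# Access levels in increasing order; "none" stands for an absent scope.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Constructed sample of the app's currently requested permissions (GET /app).
APP_JSON = json.dumps({
    "id": 12345,
    "slug": "example-automation-app",
    "permissions": {"issues": "write", "pull_requests": "write",
                    "contents": "read", "metadata": "read"},
})

# Constructed sample of installations (GET /app/installations). The second
# installation has not yet accepted the newer "pull_requests: write" request
# and the added "contents" scope.
INSTALLATIONS_JSON = json.dumps([
    {"id": 1, "account": {"login": "example-org"},
     "permissions": {"issues": "write", "pull_requests": "write",
                     "contents": "read", "metadata": "read"}},
    {"id": 2, "account": {"login": "other-org"},
     "permissions": {"issues": "write", "pull_requests": "read",
                     "metadata": "read"}},
])


def pending_permissions(requested, granted):
    """Return scopes where the installation grants less than the app requests.

    Keys are scope names; values are (granted_level, requested_level).
    A non-empty result means step 2 (accepting the new permissions) is still
    outstanding for this installation.
    """
    pending = {}
    for scope, want in requested.items():
        have = granted.get(scope, "none")
        if LEVELS[have] < LEVELS[want]:
            pending[scope] = (have, want)
    return pending


def excess_permissions(requested, granted):
    """Return scopes where the installation grants more than the app requests.

    A non-empty result means the app was narrowed on the settings page but
    the installation still holds the broader grant (least-privilege drift).
    """
    excess = {}
    for scope, have in granted.items():
        want = requested.get(scope, "none")
        if LEVELS[have] > LEVELS[want]:
            excess[scope] = (have, want)
    return excess


def audit_installations(app_json, installations_json):
    """Build an audit report keyed by installation id from the two payloads."""
    requested = json.loads(app_json)["permissions"]
    report = {}
    for inst in json.loads(installations_json):
        granted = inst["permissions"]
        report[inst["id"]] = {
            "account": inst["account"]["login"],
            "pending": pending_permissions(requested, granted),
            "excess": excess_permissions(requested, granted),
        }
    return report


if __name__ == "__main__":
    for inst_id, entry in audit_installations(APP_JSON, INSTALLATIONS_JSON).items():
        ok = not entry["pending"] and not entry["excess"]
        print(f"installation {inst_id} ({entry['account']}): "
              f"{'up to date' if ok else 'needs review'}")
        for scope, (have, want) in entry["pending"].items():
            print(f"  pending: {scope} granted={have} requested={want}")
        for scope, (have, want) in entry["excess"].items():
            print(f"  excess:  {scope} granted={have} requested={want}")
```

To run this against a real app, replace the two constructed constants with the bodies of authenticated `GET /app` and `GET /app/installations` calls (both require a JWT signed with the app's private key); the comparison logic is unchanged. Scopes are compared by access level rather than by string equality so that an installation holding `write` where the app asks for `read` is reported as excess rather than as pending.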


#2

Thanks for the feedback @not-an-aardvark. I think it’s reasonable to have a modified experience for a private app. We don’t have any immediate plans in this area, but we’ll track the request internally and update here if we have any news.