repository admins will be able to install apps in an org-owned repository as long as the github app asks for permissions exclusively scoped to repositories. Therefore, organization permissions would prevent this, as the repo-admin does not necessasily need to be an organization member (we call them “outside collaborators” - a repo admin in this case would be an outside collaborator with admin rights on the repo).
Examples of permissions that would prevent repo-admins from installing the app would be anything that grants access to organization resources. These are:
If we wanted to support both organizational level permissions & also not having them, is there a recommended way of doing that?
Unfortunately there is no option to support having and not having them at the same time. This is a feature enhancement we are considering for the near future: “dynamic/optional permissions”. It would allow developers to indicate optional permissions, which the installer could decide to grant if needed for specific functionality at installation time.
Unfortunately, the only workaround at this point is to create different apps depending on the permissions, which I understand is less than desirable from a branding perspective.
You can also leverage the new “installation request” functionality. If the app has org permissions, repo-admins won’t be able to install it, but could still request installation, which considerably lowers the barrier. Org admins would be notified about the request and could take action in just a few mouse clicks.