Permission to add repos to installation


#1

I’m trying to use an installation access token to add repos to it, by using the following endpoint:
https://developer.github.com/v3/integrations/installations/#add-repository-to-installation

It doesn’t work, though, as the endpoint returns 404.

Since to me this sounds like a common use-case for an integration, I wonder if there’s a permission I’m missing (I tried it with all permissions granted, with no success).

Any help would be much appreciated.


#2

Hey @volmer :wave:. I noticed that someone else asked a similar question here and it was answered here. Have you perhaps tried following that advice? If you did and it didn’t work, can you provide the full output of a curl -v request which demonstrates the problem (just mask any tokens in the output) and explain how exactly you created the token you’re using and for which user it was created? That might help us figure out what’s causing trouble for you.


#3

Hey @izuzak, thanks for the reply. The answer you mentioned pretty much stated the problem I’m facing:

The problem is that on my integration users don’t have access to manage the installation, but I still need to provide them with an option to add repos to the installation. Would it be possible to allow installation tokens to be used to add repositories to installations? Even if that would mean an extra permission type?


#4

Thanks for clarifying, @volmer!

> Would it be possible to allow installation tokens to be used to add repositories to installations? Even if that would mean an extra permission type?

I’ve mentioned this to the team and we don’t think we’d consider allowing installations to add repositories to itself. The integration installation can be managed only by an actual user, not by the installation itself. That applies both to the UI and the API. For that reason, you need a token from a user who has the right permissions if you want to manage it on their behalf via the API.

> The problem is that on my integration users don’t have access to manage the installation, but I still need to provide them with an option to add repos to the installation.

We’re having a hard time understanding this. The integration must have been installed by someone who has admin access to the installation target, otherwise it couldn’t have been installed. And every installation target must have at least one user with admin access at all times. For personal accounts – it’s the owner of the account. For organizations – it’s an owner (there must always be at least one owner of the organization).

Why are you not asking that user with admin access to give you a token so that you can add more repositories to the integration, or why are you not asking them to do it themselves via the UI?

You said that “my integration users don’t have access to manage the installation”, which I’m interpreting as “none of the users with the permissions to administer the installation are users of the integration”. And that sounds strange, again because the integration must have been installed by one of those users. Even if it was installed by an owner who left the organization, allowing the integration to update itself without the approval of someone who has the permission to manage the installation would be a security concern here. You said “I still need to provide them (users without admin access) with an option to add repos to the installation” – that’s not possible unless you have explicit permission from a user who currently has the ability to admin the integration in the form of a token. So, you need to ask that approval from someone who has the right permissions, i.e. you need to ask them for a token or to do it manually.

But it seems to us that there’s more to your use-case that you perhaps haven’t shared, and for that reason we’re having trouble understanding and offering advice. If you’d like to share more details and clearly explain your use-case – we’d be happy to listen. We’d like to understand why you have the need you described (“I still need to provide them with an option to add repos to the installation”) and it’s not possible for a user with admin access to give you a token to do that or to do it manually.

Would it perhaps be helpful to you if integrations could be installed on a repository by someone who has admin access to that repository, and doesn’t necessarily have admin access to the organization which owns the repository? That way, this user doesn’t need to be able to manage the installation as a whole – they just need to be an admin on repo X and they can then install the integration on that repo X that they do have access to. So you wouldn’t need to ask an owner of the organization to install the integration on repo X as well.

Feel free to share as many details as possible! And thanks again for providing feedback :bow:


#5

Hi @izuzak, thank you for your reply.

So the integration I’m developing is a service that analyzes pull requests on repositories that are added to the installation. The integration is installed by an organization owner, who initially picks some repositories and adds them to the installation in the GitHub UI.

However for large organizations with hundreds of repositories and thousands of users it is very common for organization members to create repositories and want to have my service running on them. Right now they have to ask the organization owner (or an organization admin) to go to the GitHub UI and add the desired repository to the installation. This happens almost daily, it is a pain, and that’s why I was trying to figure out a way to allow any organization member to add repositories to the installation.

Sure, I could ask the organization owner for a personal token and use it to make that API call, but that’s not ideal, right? But if it’s really the only way then I can do it.

> Would it perhaps be helpful to you if integrations could be installed on a repository by someone who has admin access to that repository, and doesn’t necessarily have admin access to the organization which owns the repository? That way, this user doesn’t need to be able to manage the installation as a whole – they just need to be an admin on repo X and they can then install the integration on that repo X that they do have access to. So you wouldn’t need to ask an owner of the organization to install the integration on repo X as well.

Yes, that would be good! At least organization owners would no longer be our bottleneck. :pray:


#6

Thanks again for your feedback, @volmer – that’s super helpful!

> Sure, I could ask the organization owner for a personal token and use it to make that API call, but that’s not ideal, right?

Indeed, that’s not a very elegant approach. But an even less ideal situation would probably be one where users who don’t have the right permission (i.e. don’t have admin rights on the repository either as an organization owner or as an admin on that specific repository) would be able to install the integration on a repository. It doesn’t seem that this is what you’re necessarily looking for, as far as I understand your most recent reply (but it did seem that way at the start of this thread).

> Yes, that would be good! At least organization owners would no longer be our bottleneck.

Great – I’ll pass this along to the team! Just one more question here: would the ability to install the integration on a repository via the UI be enough for you in this case (if a repository admin can do it, not necessarily an org owner), or would you still prefer to be able to add the integration to the repository via an API call (an API call on behalf of the repository admin)?


#7

> would the ability to install the integration on a repository via the UI be enough for you in this case (if a repository admin can do it, not necessarily an org owner), or would you still prefer to be able to add the integration to the repository via an API call (an API call on behalf of the repository admin)?

Ideally both. Having it in the UI would be awesome because I wouldn’t even have to implement anything on my end, and I would just have to instruct repository admins to use GitHub’s interface to add the repo to the installation. But I also feel that this would cause an inconsistency between the API and the UI, don’t you think?


#8

> But I also feel that this would cause an inconsistency between the API and the UI, don’t you think?

Thanks, @volmer. I was asking what you would prefer for your specific use-case: would you prefer building your own UI and driving it via an API on our side, or would you prefer pointing users to GitHub’s UI so that they can do it manually. Knowing what you’d prefer for your own use-case helps us prioritize work so that we can offer the options for your use-case sooner, rather than focusing on something that you wouldn’t prefer. It wasn’t a general either/or question. I hope that clarifies my question, and thanks again for answering.


#9

Oh, alright! I understand now, cool! Thank you so much for all the assistance on this, really appreciated.


#10

@volmer we have an update on this - now any user who can admin a repository can install an integration via the web UI. This won’t be available to all organization members, only users with admin access to the repositories they want to install on. We’ll follow up with API functionality for managing the repositories on existing installations soon. Hope that helps!


#11

That’s great news, @keavy ! Thank you so much :smile: