Thanks for clarifying, @volmer!
Would it be possible to allow installation tokens to be used to add repositories to installations? Even if that would mean an extra permission type?
I’ve mentioned this to the team and we don’t think we’d consider allowing installations to add repositories to themselves. The integration installation can be managed only by an actual user, not by the installation itself. That applies both to the UI and the API. For that reason, you need a token from a user who has the right permissions if you want to manage it on their behalf via the API.
The problem is that on my integration users don’t have access to manage the installation, but I still need to provide them with an option to add repos to the installation.
We’re having a hard time understanding this. The integration must have been installed by someone who has admin access to the installation target, otherwise it couldn’t have been installed. And every installation target must have at least one user with admin access at all times. For personal accounts – it’s the owner of the account. For organizations – it’s an owner (there must always be at least one owner of the organization).
Why are you not asking that user with admin access to give you a token so that you can add more repositories to the integration, or why are you not asking them to do it themselves via the UI?
You said that “my integration users don’t have access to manage the installation”, which I’m interpreting as “none of the users with the permissions to administer the installation are users of the integration”. And that sounds strange, again because the integration must have been installed by one of those users. Even if it was installed by an owner who left the organization, allowing the integration to update itself without the approval of someone who has the permission to manage the installation would be a security concern here. You said “I still need to provide them (users without admin access) with an option to add repos to the installation” – that’s not possible unless you have explicit permission from a user who currently has the ability to admin the integration in the form of a token. So, you need to ask for that approval from someone who has the right permissions, i.e. you need to ask them for a token or to do it manually.
But it seems to us that there’s more to your use-case that you perhaps haven’t shared, and for that reason we’re having trouble understanding and offering advice. If you’d like to share more details and clearly explain your use-case – we’d be happy to listen. We’d like to understand why you have the need you described (“I still need to provide them with an option to add repos to the installation”) and it’s not possible for a user with admin access to give you a token to do that or to do it manually.
Would it perhaps be helpful to you if integrations could be installed on a repository by someone who has admin access to that repository, and doesn’t necessarily have admin access to the organization which owns the repository? That way, this user doesn’t need to be able to manage the installation as a whole – they just need to be an admin on repo X and they can then install the integration on that repo X that they do have access to. So you wouldn’t need to ask an owner of the organization to install the integration on repo X as well.
Feel free to share as many details as possible! And thanks again for providing feedback.