Problem Installing Repo on Installation - Resource not accessible by integration


#1

I know there are posts on here already about this but I must be going crazy. I get an installation access token and create a new client with it and then try to hit the API endpoint. Here is the request debug from octokit:

I, [2018-08-18T01:15:57.818874 #26]  INFO -- request: POST https://api.github.com/installations/<install id>/access_tokens
D, [2018-08-18T01:15:57.818998 #26] DEBUG -- request: Accept: "application/vnd.github.machine-man-preview+json"
User-Agent: "Octokit Ruby Gem 4.9.0"
Content-Type: "application/json"
Authorization: "Bearer <valid bearer token>"
I, [2018-08-18T01:15:57.953882 #26]  INFO -- response: Status 201
D, [2018-08-18T01:15:57.954061 #26] DEBUG -- response: server: "GitHub.com"
date: "Sat, 18 Aug 2018 01:15:55 GMT"
content-type: "application/json; charset=utf-8"
content-length: "91"
connection: "close"
status: "201 Created"
cache-control: "public, max-age=60, s-maxage=60"
vary: "Accept"
etag: "\"729b14bee734f26fba2e1a463ec64459\""
x-github-media-type: "github.machine-man-preview; format=json"
access-control-expose-headers: "ETag, Link, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval"
access-control-allow-origin: "*"
strict-transport-security: "max-age=31536000; includeSubdomains; preload"
x-frame-options: "deny"
x-content-type-options: "nosniff"
x-xss-protection: "1; mode=block"
referrer-policy: "origin-when-cross-origin, strict-origin-when-cross-origin"
content-security-policy: "default-src 'none'"
x-runtime-rack: "0.027255"
x-github-request-id: "5FF3:21C6:5108FA:B029A1:5B77734B"
WARNING: The preview version of the Integrations API is not yet suitable for production use.
You can avoid this message by supplying an appropriate media type in the 'Accept' request
header.

Which gives me a valid client that I can use for other actions but when it comes to adding a repo to the installation…

I, [2018-08-18T01:15:57.956959 #26]  INFO -- request: PUT https://api.github.com/user/installations/<install id>/repositories/<repo id>
D, [2018-08-18T01:15:57.957106 #26] DEBUG -- request: Accept: "application/vnd.github.machine-man-preview+json"
User-Agent: "Octokit Ruby Gem 4.9.0"
Content-Type: "application/json"
Authorization: "Bearer <installation auth token>"
I, [2018-08-18T01:15:58.116743 #26]  INFO -- response: Status 403
D, [2018-08-18T01:15:58.117029 #26] DEBUG -- response: server: "GitHub.com"
date: "Sat, 18 Aug 2018 01:15:56 GMT"
content-type: "application/json; charset=utf-8"
transfer-encoding: "chunked"
connection: "close"
status: "403 Forbidden"
x-ratelimit-limit: "5000"
x-ratelimit-remaining: "4999"
x-ratelimit-reset: "1534558556"
x-github-media-type: "github.machine-man-preview; format=json"
access-control-expose-headers: "ETag, Link, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval"
access-control-allow-origin: "*"
strict-transport-security: "max-age=31536000; includeSubdomains; preload"
x-frame-options: "deny"
x-content-type-options: "nosniff"
x-xss-protection: "1; mode=block"
referrer-policy: "origin-when-cross-origin, strict-origin-when-cross-origin"
content-security-policy: "default-src 'none'"
x-runtime-rack: "0.046320"
x-github-request-id: "5FF4:21C7:6BDD36:D3A342:5B77734B"

Octokit::Forbidden (PUT https://api.github.com/user/installations/<install id>/repositories/<repo id>: 403 - Resource not accessible by integration // See: https://developer.github.com/v3/apps/installations/#add-repository-to-installation):

The documentation says

You must use an installation access token to access this endpoint.

The repo is a public one of mine and the install is on my account so is the documentation wrong or am I crazy?


#2

That line in the docs looks wrong to me. Critically, you’ll notice that there’s no (i) icon next to the heading for that endpoint - that means that that endpoint isn’t enabled for integrations (which makes sense - the user selecting which repos to add an app on in the GitHub UI would be meaningless for apps that had permission to access that endpoint.)


#3

Boy that is not what I thought that i icon meant… not to nitpick too much but yeah that seems like it should be a different icon from a usability standpoint.

I still can’t seem to get that endpoint to work even with a user auth either. Basically I would prefer the user stay on our site rather than have to switch in between GitHub and the site when they want to add repos to that app, which seems to be the point of that endpoint… Here is the request using a user token that is generated as outlined here: https://developer.github.com/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps/

I, [2018-08-21T03:52:18.630333 #15]  INFO -- request: PUT https://api.github.com/user/installations/<install id>/repositories/<repo id>
D, [2018-08-21T03:52:18.630448 #15] DEBUG -- request: Accept: "application/vnd.github.machine-man-preview+json"
User-Agent: "Octokit Ruby Gem 4.9.0"
Content-Type: "application/json"
Authorization: "token <valid user token>"
I, [2018-08-21T03:52:18.799651 #15]  INFO -- response: Status 403
D, [2018-08-21T03:52:18.799804 #15] DEBUG -- response: server: "GitHub.com"
date: "Tue, 21 Aug 2018 03:52:20 GMT"
content-type: "application/json; charset=utf-8"
transfer-encoding: "chunked"
connection: "close"
status: "403 Forbidden"
x-ratelimit-limit: "5000"
x-ratelimit-remaining: "4950"
x-ratelimit-reset: "1534823978"
x-oauth-scopes: ""
x-accepted-oauth-scopes: "repo"
x-oauth-client-id: "<client id>"
x-github-media-type: "github.machine-man-preview; format=json"
access-control-expose-headers: "ETag, Link, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval"
access-control-allow-origin: "*"
strict-transport-security: "max-age=31536000; includeSubdomains; preload"
x-frame-options: "deny"
x-content-type-options: "nosniff"
x-xss-protection: "1; mode=block"
referrer-policy: "origin-when-cross-origin, strict-origin-when-cross-origin"
content-security-policy: "default-src 'none'"
x-runtime-rack: "0.055696"
x-github-request-id: "5147:21C5:14FC3E6:31A2858:5B7B8C74"

Octokit::Forbidden (PUT https://api.github.com/user/installations/293015/repositories/44005273: 403 - Resource not accessible by integration // See: https://developer.github.com/v3/apps/installations/#add-repository-to-installation):

I see that the endpoint isn’t listed for user to server requests either which makes me question what the point of that endpoint is if a user who has admin access to a repo cannot add it to the installation they are an admin of. So then who is the endpoint for since I can’t really see a use case for it otherwise?


#4

You can fetch all repos accessible from (and bound to) an installation via:

import requests
requests.get('https://api.github.com/user/installations', headers={'Authorization': f'token {access_token}', 'Accept': 'application/vnd.github.machine-man-preview+json'}).json()

Your integration does not have any access to APIs for adding/removing repos. The user should do it themselves.
If they change it, you’ll likely get a webhook about it as well.
Also, AFAIR there’s some redirect (setup?) URL, so that when you redirect the user to the right page in GitHub they’ll get back to you when done.
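
The webhook mentioned in the last reply, as an added example that is not part of the original thread or any poster's code: GitHub delivers an `installation_repositories` event when a user adds or removes repositories for an installation, and the receiver should verify the `X-Hub-Signature-256` HMAC over the raw body before trusting it. The secret, ids, payload and helper names below are constructed for illustration.

```ruby
require 'openssl'
require 'json'
require 'set'

# Constructed secret; a real app loads the webhook secret from its configuration.
WEBHOOK_SECRET = 'constructed-example-secret'

# Header value GitHub sends: "sha256=" + hex HMAC-SHA256 of the raw request body.
def sign(raw_body, secret = WEBHOOK_SECRET)
  'sha256=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret, raw_body)
end

# Compare two strings without returning early at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def valid_signature?(raw_body, signature_header, secret = WEBHOOK_SECRET)
  return false unless signature_header.is_a?(String)
  secure_equal?(sign(raw_body, secret), signature_header)
end

# state maps installation id => Set of repository ids the app can currently access.
# Returns the updated Set, or nil when the delivery is rejected or is another event.
def apply_delivery(state, event_name, raw_body, signature_header, secret = WEBHOOK_SECRET)
  return nil unless valid_signature?(raw_body, signature_header, secret)
  return nil unless event_name == 'installation_repositories'
  payload = JSON.parse(raw_body)
  repos = (state[payload.fetch('installation').fetch('id')] ||= Set.new)
  payload.fetch('repositories_added', []).each { |r| repos << r.fetch('id') }
  payload.fetch('repositories_removed', []).each { |r| repos.delete(r.fetch('id')) }
  repos
end

# Constructed sample delivery body (only the fields used above).
SAMPLE_BODY = JSON.generate(
  'action' => 'added',
  'installation' => { 'id' => 1001 },
  'repositories_added' => [{ 'id' => 2002, 'full_name' => 'example-user/example-repo' }],
  'repositories_removed' => []
)
```

Verify against the exact bytes received, before any JSON parsing or re-serialization, since a re-encoded body will not match the signature.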