Why can't repository admins install Integrations in their repository?


#1

Coming from a large organization, Integrations offer a much cleaner permission model than OAUTH did. Yay!

But, it appears that the org owner role is required to install an integration in each and every repository. That’s not great for self-service.

Since a repository admin has full rights over the repository (including deletion), I don’t quite understand why they can’t install an Integration into just their repository. The OAUTH model allowed that (once the app was approved by the org), so it feels like a step backwards.

What am I missing?


#2

Hey @hwine,

You’re not missing anything, but you’ve brought up a great point. I agree that it could make sense to allow a repository admin to add repositories to an Integration given that it’s already been installed on the Organization. We’ve opened an internal discussion to consider this more fully, and we’ll update here if we have any further thoughts.


#3

One thing to keep in mind is that installing an integration can incur costs. For example, a CI service that uses the Integrations API may charge a per-repository cost. The organization owner will likely be the one in charge of paying the service. So there’d likely need to be an option for organization owners to prevent repo admins from installing approved integrations.


#4

@hwine hey, just to let you know that a repository admin can now install an Integration. Hope this helps your development!


Restrictions for repo admins to install GitHub Apps?
#5

Nice!!

Looks like there are some teething troubles, but I’m sure you guys are all over it. The “dependabot” organisation shouldn’t be appearing twice below (it has the same installation ID on both), and when I click to install on an org where I just have repo admin permissions I get a 404.

Still, so pleased to see this feature added. Nice work guys!

Update: all fixed now, and looks awesome!


#6

@greysteil sorry for that blip. Thanks for the update and feedback, glad it’s helpful!


#7

Thanks!

I just had a chance to finally look into this, and I’m missing something.

  1. What is the workflow to install an approved integration? (I expected to see a button similar to the “Add service” button, but I don’t.)

  2. What is the repo admin’s workflow to remove an installed integration from their repo? A repo admin has a button display for “configure”, but it links to the org settings page, which (of course) 404’s for them.

–Hal


#8

Hi @hwine :wave:

What is the workflow to install an approved integration? (I expected to see a button similar to the “Add service” button, but I don’t.)

Just to make sure I understand – what exactly do you mean by “approved integration”? Could you describe in a step-by-step way what you’re doing, what you want to do next, and what exactly you’re having trouble with (in as many details as possible)? That might help us understand the situation and reproduce it.

What is the repo admin’s workflow to remove an installed integration from their repo? A repo admin has a button display for “configure”, but it links to the org settings page, which (of course) 404’s for them.

If I understood your question correctly, that’s already been reported over in Adding an integration when not an admin. I recommend following that thread for updates on this.


#9

Based on keavy’s reply, a person who is an administrator of a repository (but not an organization owner) should be able to install an integration that has already been approved for specific repositories by an organization owner.

My question is – what is the workflow for the repository admin to do this? Above, I expressed one possible way in my question – I don’t care if that particular way works or not. I just want to know at least one way for a repository admin to perform this operation using the web interface.

Specific use case:

  • organization owner installs a GitHub App for repositories A, B, & C. This “approves” that GitHub App for use on other repositories in the organization.
  • later, a repository admin of repository D wants to install that same GitHub App for repository D
  • how does the repository admin add their repository to the list of enabled repositories for the GitHub App?

No - that thread is about a completely different topic. The 2nd use case I’m interested in is a repository admin needing to uninstall a GitHub App from their repository. For example (real case):

  • repository admin asks for already installed in organization GitHub App to be installed
  • an organization owner does that
  • the repository admin discovers that the GitHub App does not do what they want, and is creating issues they are not interested in. They want to uninstall the GitHub App from their repository.

Right now, both operations appear to require an organization owner. This whole thread is about repository administrators having permission to install & uninstall GitHub Apps on their repositories.

Does that clarify my question?


#10

My question is – what is the workflow for the repository admin to do this?

@hwine You would navigate to https://github.com/apps/APPNAME and see something like this:

The “Evilizuzak-52” item is for my personal testing account. The “testrename2” is for an organization which I am not an owner of, but I am an external collaborator on one repository with admin access that is within that organization. So, that organization is listed as well. When I click on that item (“testrename2”) I see a form where the “All repositories” item is disabled and I can only select the repository I have admin access to from the dropdown.

Does that help? If not, can you clarify your specific situation – which integration, organization, user and repositories is this about?

No - that thread is about a completely different topic.

No, it’s not. But it’s somewhat easy to miss because the thread is a bit long. Please see: Adding an integration when not an admin

This specifically is for the use-case where you want to remove an installation from a repository you have admin access to, but you’re not an owner of the repository.

So, let’s say you follow the same flow as before – you go to https://github.com/apps/APPNAME and you’ll see something like this:

Notice the configure link next to the “testrename2” organization because the application is installed on at least one of the repositories that my account has access to (still the account that is not an owner but has admin access to one repository). Clicking that configure link leads to a 404 currently, as mentioned in that other issue, which is a problem that the team is investigating how to resolve.

Currently, it’s not possible for a repository admin to remove an installation from that repository – they need to ask an organization owner to remove it. Again, this is something that we want to improve.

Hope this helps, but let me know if I misunderstood anything.


#11

Okay, Izuzak - I think I got it:

  • This feature (repo admin can administer GitHub Apps) is currently non functional for adding due to the other issue.

  • Allowing a repo admin to uninstall a GitHub App is not currently part of the feature.

  • The “add GitHub App to repository” workflow for an approved-by-organization GitHub App is different for repo admins (use first install workflow) and org owners (go directly to {org}/settings/installation page)

  • The “delete GitHub App from repository” workflow for a repo admin is TBD. (Although one can start down that path and encounter the same 404 error as with installation. So maybe it will magically work when that is resolved.)

Is that correct?

Thanks for clarifying the GitHub App install process. I’ve never had to install a GitHub App, just approve it for the organization. :slight_smile:


#12

This feature (repo admin can administer GitHub Apps) is currently non functional for adding due to the other issue.

I think it should work when the App hasn’t been installed on the target at all (as I described in my previous reply), but the flow will end in a 404 page (because it ends up on one of the settings pages for the organization, which can only be accessed by org owners).

If the App is already installed on at least one repository of the target organization, then the flow will fail at the start (because in that case you see the Configure link which takes you to that same org settings page, which 404s).

Both of those problems are something that should be addressed.

Allowing a repo admin to uninstall a GitHub App is not currently part of the feature.

Not sure what you mean by “not part of the feature”, but yeah – it doesn’t work and we still need to figure out how it will work. (See answer to your last question below.)

The “add GitHub App to repository” workflow for an approved-by-organization GitHub App is different for repo admins (use first install workflow) and org owners (go directly to {org}/settings/installation page)

What do you mean by “approved-by-organization”? There’s no approval process for GitHub Apps (as far as I know), there’s only an installation process. Is that what you mean or am I misunderstanding something? Can you share a screenshot which shows this “approval process”?

Do you mean “applications that have been installed on at least one repository in the target organization”? Someone who has admin access to a repository owned by an organization should be able to install the application on that repository, regardless of whether the application has been previously installed on any of the repositories of the organization.

The “delete GitHub App from repository” workflow for a repo admin is TBD. (Although one can start down that path and encounter the same 404 error as with installation. So maybe it will magically work when that is resolved.)

Correct.

Thanks again for the detailed feedback, @hwine – it’s appreciated. :bow: