App manifest flow: state parameter ignored

According to https://developer.github.com/apps/building-github-apps/creating-github-apps-from-a-manifest/#1-you-redirect-people-to-github-to-create-a-new-github-app it is possible to include a state parameter as well as a manifest parameter. (For my purposes this is necessary to provide some information to the callback; it is not merely a question of security.) So I tried something like

<form action="https://github.com/organizations/myorg/settings/apps/new" method="post">
    <input type="hidden" name="manifest" value="{&quot;name&quot;:&quot;suggested-name&quot;,…}"/>
    <input type="hidden" name="state" value="{s3cr3t}"/>
<input type="submit" value="Submit"/>
</form>

The flow worked insofar as the prompt to create the app was displayed and my redirect_url was notified with a code query parameter. But no state query parameter was sent as https://developer.github.com/apps/building-github-apps/creating-github-apps-from-a-manifest/#2-github-redirects-people-back-to-your-site promises. Am I missing something?

As a workaround, I tried encoding state information in a query parameter in my redirect_url. This was rejected by GitHub with an error to the effect that this was an invalid URL. (It was a valid URL generally, but apparently not valid for this purpose.) What finally worked was to encode the state in a path segment in my redirect_url.

I have a similar problem. My manifest parameter gets ignored for some reason. I use exactly the same HTML form as you do, but when I get redirected to Github I don’t see any values pre-filled. I opened another issue about this here: https://github.community/t5/GitHub-API-Development-and/Create-GitHub-App-with-Manifest-stopped-working/m-p/58772 then I found yours.

This is my manifest:

{
  "name": "harbour.rocks",
  "url": "https://60bfc567.ngrok.io",
  "hook_attributes": {
    "url": "https://60bfc567.ngrok.io/scm/github/hooks",
    "active": true
  },
  "redirect_url": "https://60bfc567.ngrok.io/scm/github/fake",
  "public": false,
  "default_permissions": {
    "contents": "write",
    "metadata": "read-only"
  },
  "default_events": [
    "push"
  ]
}

Do you know what I am doing wrong?

@whymatter that is an unrelated issue.