GitHub App cannot patch repo visibility in org with repo creation privilege disabled #24681
-
Hi, I wanted to report a painful issue we’re having trying to move to use a GitHub App for common operations. This seems to be an unexpected or invalid set of logic related to the ‘member repository permissions’ set for organizations on GitHub. This is impacting all of our GitHub organizations, including our Enterprise Cloud orgs.

Summary

Expected: A PATCH to a repository that is private, to change private to false, succeeds when called by a GitHub App that has repository admin permissions in an organization that has selected the privilege “allow members to change repository visibilities for this organization”.

Actual: The PATCH fails with HTTP 422, stating “Visibility can’t be changed by this user”, and pointing to a documentation page about GitHub pricing (although this is a GitHub Enterprise Cloud organization). The repository remains private.

Confirmed API workaround: Change the ‘repository creation’ member privilege restriction to ‘allow private and public’. This does not work with our organization’s security and compliance policy that repos not be created directly on GitHub.

Diagnostic information (have reproduced with many apps and installs beyond this)

Customer impact
- Cannot use GitHub Apps to replace older workflow.
- Documented behavior of member privileges is not accurate and causes pain, blocking scenarios.
- Painful mitigation – do not use GitHub Apps: At this time we are forced to abandon using GitHub Apps for some scenarios and will have to continue using org owner personal access tokens or OAuth tokens for authorized users who are org owners.
- Confusion around whether GitHub Apps are people/users or not… this is a server-to-server call, but the error message implies it’s a “user”.

Set of independent member privileges set for the Azure-Samples org

Member Privileges:
- Repository creation: Disabled
- Admin repository permissions / Repository visibility change: [x] Allow members to change repository visibilities for this organization
  If enabled, members with admin permissions for the repository will be able to change repository visibility from public to private. If disabled, only organization owners can change repository visibilities.

Thanks, Jeff
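The call the post describes, as an added example that is not part of the original discussion or of GitHub's own tooling: it builds the PATCH /repos/{owner}/{repo} request that flips `private`, reads the organization's repository-creation setting from GET /orgs/{org} as a pre-flight check (the thread's workaround changed exactly that setting), and classifies the HTTP 422 so automation fails loudly instead of silently leaving the repository private. The field names `members_can_create_repositories` and `members_allowed_repository_creation_type` are from the GitHub REST API; the error text matched against is taken from the post's quote, and the owner, repository and token names are placeholders.

```python
"""Added example (not the discussion's own code): change a repository's
visibility with a GitHub App installation token and handle the 422
described in the thread explicitly."""
import json
import os
import urllib.error
import urllib.request

API = "https://api.github.com"


def build_visibility_patch(owner: str, repo: str, private: bool):
    """Return (method, url, body) for PATCH /repos/{owner}/{repo}.
    Setting private=False makes the repository public."""
    return ("PATCH", f"{API}/repos/{owner}/{repo}", {"private": private})


def org_creation_disabled(org: dict) -> bool:
    """Pre-flight on the GET /orgs/{org} payload. The thread's workaround
    was to set member 'repository creation' to allow private and public,
    so a disabled setting is the condition under which the PATCH was
    observed to fail for an App."""
    if not org.get("members_can_create_repositories", True):
        return True
    return org.get("members_allowed_repository_creation_type") == "none"


def classify_patch_response(status: int, body: dict) -> str:
    """Map the API reply to an outcome string the caller can act on."""
    if status == 200:
        return "public" if body.get("private") is False else "private"
    # The message quoted in the post: "Visibility can't be changed by this user"
    if status == 422 and body.get("message", "").startswith("Visibility can"):
        return "blocked_by_org_member_privileges"
    if status in (401, 403):
        return "auth_error"
    return f"unexpected_{status}"


def send(method: str, url: str, body, token: str):
    """Perform one authenticated request; returns (status, parsed_json)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def make_public(owner: str, repo: str, token: str) -> str:
    """Pre-flight the org setting, then PATCH; returns the classification."""
    status, org = send("GET", f"{API}/orgs/{owner}", None, token)
    if status == 200 and org_creation_disabled(org):
        # Surface the org setting before attempting, so the operator sees
        # why a 422 is likely rather than a bare failure.
        print(f"warning: {owner} has member repository creation disabled")
    method, url, body = build_visibility_patch(owner, repo, private=False)
    status, reply = send(method, url, body, token)
    return classify_patch_response(status, reply)


if __name__ == "__main__":
    # Placeholders: set GITHUB_TOKEN to an App installation token with
    # Administration: write on the target repository.
    token = os.environ.get("GITHUB_TOKEN", "<installation-token>")
    print(make_public("<org>", "<repo>", token))
```

The pre-flight only warns, since the post reports that GitHub later fixed the behaviour; the `blocked_by_org_member_privileges` outcome is what a workflow should alert on instead of treating the repository as published.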
-
FYI, GitHub (thanks) fixed this after Universe. Thanks API and platform team!
-
I’ve just run into this for an org where the “Allow members to change repository visibility for this organization” is disabled. In this case, I’d still like the app to be able to change visibility given it has Administration permission. It seems unusual to treat a GitHub App as a member of the org.