GitHub App can't fork repositories

Hi :wave:,

According to the REST API docs (link), GitHub Apps should be able to fork a repository.

Unfortunately, that isn’t the case. I experience two different errors, depending on whether I grant the GitHub App access to all repositories or to a selected repository only.

With access to all repositories

RequestError [HttpError]: You cannot fork this repository to the selected destination due to a policy.

With access to a selected repository

RequestError [HttpError]: Resource not accessible by integration

Below is the code I use:

import fs from "fs";
import { App } from "@octokit/app";

const privateKey = fs.readFileSync("./private-key.pem");

const app = new App({
  appId: 12345,
  privateKey,
});

const { data } = await app.octokit.request("/app");
console.log("authenticated as %s", data.name);

for await (const { octokit, repository } of app.eachRepository.iterator()) {
  await octokit.request("POST /repos/{owner}/{repo}/forks", {
    owner: repository.owner.login,
    repo: repository.name,
    organization: "org-id-to-which-the-github-app-belongs"
  })
}

Does anybody know why this fails?

Thanks,

Mike

I’d file a ticket to https://support.github.com/

1 Like

Thanks @jsoref for the tip. I received a response that explains why it doesn’t work in my situation.

For anyone else ending up here:

“It is currently not possible to fork private repositories due to how GitHub App permission works. GitHub Apps permission is based on installations – each installation’s permissions are separate from the others. And since an installation is scoped to a specific account (the account on which the App was installed), that means that GitHub Apps permissions are limited to a specific account.”

1 Like

Makes sense.

For people wondering “what to do?”, you can set up an account, make it a member of the destination org (and if necessary the origin org), and then create a personal access token for it:
https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token

And then use that secret instead of the app secret to fork.

1 Like

That’s the approach I ended up with – works like a charm. I went for 3 different personal access tokens: dev, preview, prod.

1 Like