Github App create fork

I’m working on an application with a github integration that involves forking public repositories into github user accounts then doing some raw git manipulation on that fork (clone, create branch, apply patch, push). We’re currently using an oauth app with the public_repo scope.

I’d like to stop using the oauth app and switch to using a github app (we use a github app for some separate integrations, and it would be nice to just have one integration auth style). The “Supported endpoints” section here Identifying and authorizing users for GitHub Apps - GitHub Docs led me to believe that a user to server token (obtained via the web application flow vs app bearer jwt or installation token) would be able to create forks, but in my testing I receive 403 (Resource not accessible by integration) when I try to do this. Perhaps I’m misunderstanding the documentation and it’s saying those endpoints are supported in github apps in some way, not specifically with a user to server token. I tested using an installation token, and it appears that the github app needs to be installed with access to all repositories in order for the create fork request to succeed, which seems like a big problem to me. The permission necessary to create forks is either administration:write or contents:read (I’m not sure whether both are required or either is sufficient). Nobody is going to want to grant either of those permissions on all their private repositories just so that you can fork public repositories.

Can someone confirm that create fork using a github app requires an installation token and that the installation has to have access to all the user’s repositories?