As an org owner using the get installations (beta) v3 endpoint, I receive information about installations that are not visible in the web UI. Furthermore, the “html_url” returns a 404. (With a visible GitHub App, this url links to the installation information page for that org.) These invisilbe apps have the permissions to write repository content!
I’ve noticed that “29110” is the value for the “app_id” of almost all of these invisible apps. I see this invisible app on almost all of the organizations I have owner access to. My guess is that app 29110 is somehow involved in the operation of GitHub Actions, but I’d love to:
- get confirmation from someone at GitHub
- find out how to detect “internal GitHub” apps programatically.
Invisible apps with write permissions to source code make me nervous. Has anyone else run into this?