Invisible GitHub Apps with write access - How to obtain information? #24815
As an org owner using the get installations (beta) v3 endpoint, I receive information about installations that are not visible in the web UI. Furthermore, the “html_url” returns a 404. (With a visible GitHub App, this URL links to the installation information page for that org.) These invisible apps have the permissions to write repository content! I’ve noticed that “29110” is the value for the “app_id” of almost all of these invisible apps. I see this invisible app on almost all of the organizations I have owner access to. My guess is that app 29110 is somehow involved in the operation of GitHub Actions, but I’d love to:
Invisible apps with write permissions to source code make me nervous. Has anyone else run into this?
Replies: 4 comments
Hi @hwine, I can confirm that 29110 is a GitHub app owned by GitHub itself. I don’t know why the API doesn’t return the right information here; that would be worth asking support.
Thanks! I’ll sleep better this weekend. 😃 How/where did you determine it was a GitHub-owned app? (I’d like to learn how to fish.) Enjoy your weekend! –Hal P.S. I do have a support ticket in, but don’t really expect a reply until next week. Post Universe recovery for much of the staff I assume.
That fish unfortunately needs to be caught with a very special net, for which one needs to be employed by GitHub. I rarely use that net when helping people on the forum, but this sounded potentially dangerous so I looked in some internal systems to see what this was.
Update: The API endpoint has been fixed to no longer return these “internal apps”. \o/
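An added example, not part of the thread or of GitHub's own tooling: the audit the original post describes, run over constructed responses shaped like the organization installations list. The `is_visible` probe (standing in for checking whether `html_url` loads or returns 404), the org names, and every id other than app 29110 are assumptions.

```python
from collections import defaultdict

def hidden_writers(responses, is_visible):
    """Map app_id -> [(org, installation id)] for installations that can
    write repository content but whose html_url does not resolve.

    responses:  {org: parsed JSON body of that org's installations list}
    is_visible: callable(html_url) -> bool; an assumed probe, in practice an
                authenticated GET of html_url that treats 404 as not visible.
    """
    findings = defaultdict(list)
    for org, body in responses.items():
        for inst in body.get("installations", []):
            perms = inst.get("permissions") or {}
            if perms.get("contents") != "write":
                continue  # read-only or no access to repository content
            if is_visible(inst.get("html_url", "")):
                continue  # shows up in the web UI, reviewable there
            findings[inst["app_id"]].append((org, inst["id"]))
    return dict(findings)

def recurring(findings, min_orgs=2):
    """App ids that turn up hidden-with-write in at least min_orgs orgs."""
    return sorted(a for a, hits in findings.items()
                  if len({org for org, _ in hits}) >= min_orgs)

# Constructed sample data: org names, installation ids and apps 555/777 are
# made up; only app_id 29110 comes from the thread.
def _inst(org, inst_id, app_id, contents):
    url = f"https://github.com/organizations/{org}/settings/installations/{inst_id}"
    return {"id": inst_id, "app_id": app_id, "html_url": url,
            "permissions": {"contents": contents, "metadata": "read"}}

SAMPLE = {
    "org-a": {"installations": [_inst("org-a", 1001, 29110, "write"),
                                _inst("org-a", 1002, 555, "write")]},
    "org-b": {"installations": [_inst("org-b", 2001, 29110, "write"),
                                _inst("org-b", 2002, 777, "read")]},
}
# Constructed: the html_urls that would answer 404 in this scenario.
NOT_FOUND = {i["html_url"] for body in SAMPLE.values()
             for i in body["installations"] if i["id"] in (1001, 2001, 2002)}

if __name__ == "__main__":
    found = hidden_writers(SAMPLE, lambda url: url not in NOT_FOUND)
    for app_id, hits in found.items():
        print(app_id, hits)
    print("recurring:", recurring(found))
```

An app id that recurs across unrelated orgs, as 29110 did for the original poster, is the detail worth putting in a support ticket.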