Retrieve permissions as a GitHub App Installation

I want to find out if I have write access to a repository. Using a personal access token, that is simple enough, by reading out the scopes from the X-OAuth-Scopes response header or by reading the permissions key from the response of GET /repos/:owner/:repo.

But there is no such thing for GitHub installation tokens, is it?

My current problem is that I want to run semantic-release in GitHub Actions, and it verifies the authentication by sending the GET /repos/:owner/:repo request. But the GITHUB_TOKEN provided to GitHub Actions is in fact an installation token so this verification step fails.

1 Like

Hi @gr2m,

Thanks for being here! You could try to fetch a list of repositories that the installation has access to:

https://developer.github.com/v3/apps/installations/#list-repositories

The response is a JSON array, where each element is a repository including the permissions hash that you’re looking for. I hope this helps!

Hey Andrea,

sorry for the late response, I hope you don’t mind?

I created a script which fetches a repository using my test app https://github.com/apps/gr2m. It has read & write access set on the content permission

const { createAppAuth } = require("./pkg");
const { request } = require("@octokit/request");

main();

async function main() {
  const auth = createAppAuth({
    id: 10115,
    privateKey: `-----BEGIN RSA PRIVATE KEY-----
MIIEpA...8w==
-----END RSA PRIVATE KEY-----
`,
    installationId: 743367,
  });

  const authentication = await auth({ type: "installation" });
  console.log(`token permissions: %j`, authentication.permissions);

  const myRequest = request.defaults({
    request: {
      hook: auth.hook,
    },
  });

  const {
    data: {
      repositories: [repo],
    },
  } = await myRequest("GET /installation/repositories", {
    mediaType: {
      previews: ["machine-man"],
    },
    per_page: 1,
  }).catch(console.log);

  console.log(`repo permissions: %j`, repo.permissions);
}

It creates an installation token and logs out the “permissions” key of the output, then it fetches my https://github.com/gr2m/sandbox repository and logs out the “permissions” key. The log output is as follows:

token permissions: {"checks":"read","contents":"write","issues":"write","metadata":"read","pull_requests":"write","repository_projects":"read"}
repo permissions: {"admin":false,"push":false,"pull":false}

You see that all permissions on the repository are set to false. I think this key only works for OAuth access tokens. I feel this might be a bug, they key should look the same as it does for the “GET /user/installations” endpoint:

"permissions": {
        "metadata": "read",
        "contents": "read",
        "issues": "write",
        "single_file": "write"
      },

By the way, the “permissions” key is currently not documented at https://developer.github.com/v3/apps/installations/#response

1 Like