Working across organizations with Github apps #24549
-
In my understanding, a GitHub app can be installed in multiple orgs, but it is only possible to be authenticated with a single org at a time. With a script or application you can work with multiple orgs by re-authing. However, given my understanding of authentication is correct, is it possible to perform an action that requires authentication with multiple orgs at the same time? From the situation I’m encountering (described below) it would seem that it is not. I have two organizations; I want to create a PR for I always receive a “422: not all refs are readable” error when trying to create the PR. The app is installed on both orgs and I’ve checked that I can make a PR inside each org. It seems like the app needs to read from Is this a known limitation or is there some way to work around this? Does it matter if Thanks
Replies: 9 comments
-
Have you granted “Repository contents” permission (both read and write) to the GitHub app? In order to create a PR, it needs to be able to check that the refs that the PR is created from exist. In order to do that, it needs to be able to inspect the repository contents. Let us know if that helps!
-
We’ve double-checked this with the team working on GitHub Apps and – you’re right. The case that you described (making a pull request between a private fork and parent) will not work if you’re doing it as a GitHub App. The reason is as you guessed – a single installation has access to repositories only from a specific user or organization, and a pull request between a private fork and parent requires access from two organizations. I’ve opened an internal issue to see if there is a way to support this after all, but even if that’s possible – I’m guessing it won’t happen very quickly since permissions are never a trivial thing to implement. Other cases (pull requests between public fork and parent, and pull requests within a single private repository) should still work. Apologies for the spurious question!
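An added sketch (not code from this thread or from GitHub) of the per-organization re-authentication the original post mentions, plus a pre-check for the cross-organization case the reply above describes. The injected `http` callable, `fake_http`, and the org names, ids and tokens are constructed assumptions; the App JWT is assumed to be generated elsewhere.

```python
import time
from datetime import datetime, timezone

API = "https://api.github.com"

class InstallationTokens:
    """Caches one installation access token per organization."""

    def __init__(self, app_jwt, http):
        # app_jwt: the App's signed JWT, assumed to be generated elsewhere.
        # http(method, url, bearer) -> dict is an injected, hypothetical helper
        # so the sketch can be exercised without network access.
        self.app_jwt, self.http, self.cache = app_jwt, http, {}

    def token_for(self, org, now=None):
        now = time.time() if now is None else now
        hit = self.cache.get(org.lower())
        if hit and hit[1] - now > 60:  # reuse until 60 s before expiry
            return hit[0]
        # Each org has its own installation id, hence its own token.
        inst = self.http("GET", f"{API}/orgs/{org}/installation", self.app_jwt)
        url = f"{API}/app/installations/{inst['id']}/access_tokens"
        tok = self.http("POST", url, self.app_jwt)
        exp = datetime.strptime(tok["expires_at"], "%Y-%m-%dT%H:%M:%SZ")
        exp_ts = exp.replace(tzinfo=timezone.utc).timestamp()
        self.cache[org.lower()] = (tok["token"], exp_ts)
        return tok["token"]

def pr_preflight(head_repo, base_repo, head_private):
    """(ok, reason) for opening a PR from head_repo into base_repo as the App."""
    head_owner = head_repo.split("/")[0].lower()
    base_owner = base_repo.split("/")[0].lower()
    if head_owner == base_owner:
        return True, "head and base are under one installation"
    if not head_private:
        return True, "public fork and parent: reported in the thread to work"
    return False, ("private fork under another org: "
                   "no single installation token reads both refs")

def fake_http(method, url, bearer):
    # Constructed responses standing in for api.github.com; values are made up.
    if method == "GET":
        org = url.split("/orgs/")[1].split("/")[0]
        return {"id": {"org-a": 101, "org-b": 202}[org]}
    inst_id = url.split("/installations/")[1].split("/")[0]
    return {"token": f"constructed-token-{inst_id}",
            "expires_at": "2030-01-01T00:00:00Z"}
```

Running `pr_preflight` before the API call turns the opaque 422 into an explicit refusal, and it shows that the two tokens from `token_for` cannot be combined into one request.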
-
Hi @lee-dohm is this issue resolved or in progress? We still get this error while making PR across private fork.
-
It seems that this is still an issue. We have a use case where the GitHub Application that we created needs to be installed on multiple organizations to manage their GHA Runners, and it doesn't work. Hopefully this will be considered soon.
-
This is still an issue 4 years later.
-
Hi @lee-dohm - is this being actively worked on? And, if so, when can a fix be expected by?
-
We need the ability to install a GitHub App on an entire enterprise instead of at the organization level.
-
Hi Team, we also require this ability to install a GitHub App on multiple orgs without making it a public app. Do we have any PR or issue tracking this? If yes, could you please share?
-
Same here, are enterprise-scoped apps / tokens on the roadmap?