Working across organizations with Github apps

In my understanding; a Github app can be installed in multiple orgs, but it is only possible to be authenticated with a single org at a time. With a script or application you can work with multiple orgs be re-authing.

However, given my understanding of authentication is correct, is it possible to perform an action that requires authentication with multiple orgs at the same time. From the situation I’m encountering (described below) it would seem that it is not.

I have two organizations; org1 and org2. In each org there is a private repo; repo1. org2:repo1 is forked from org1:repo1.

I want to create a PR for org2:repo1 -> org1:repo1. The app is authenticated with org1.

I always recieve a “422: not all refs are readable” error when trying to create the PR. The app is installed on both orgs and I’ve checked that I can make a PR inside each org.

It seems like the app needs to read from org2, but since the repo is private and the app is not authenticated with that org, it is not able to read the repo and I get this error.

Is this a known limitation or is there some way to work around this?

Does it matter if org2 is an actual organization or a personal user account?

Thanks

Have you granted “Repository contents” permission (both read and write) to the GitHub app? In order to create a PR, it needs to be able to check that the refs that the PR is created from exist. In order to do that, it needs to be able to inspect the repository contents.

Let us know if that helps!

We’ve double-checked this with the team working on GitHub Apps and – you’re right. For the case that you described (making a pull request between a private fork and parent) will not work if you’re doing it as a GitHub App. The reason is as you guessed – a single installation has access to repositories only from a specific user or organization, and a pull request between a private fork and parent requires access from two organizations. I’ve opened an internal issue to see if there is a way to support this after all, but even if that’s possible – I’m guessing it won’t happen very quickly since permissions are never a trivial thing to implement.

Other cases (pull requests between public fork and parent, and pull requests within a single private repository) should still work.

Apologies for the spurious question!

Hi @lee-dohm is this issue resolved or in progress? We still get this error while making PR across private fork.