GitHub App cannot patch repo visibility in org with repo creation privilege disabled

Hi,

I wanted to report a painful issue we’re having trying to move to use a GitHub App for common operations. This seems to be an unexpected or invalid set of logic related to the ‘member repository permissions’ set for organizations on GitHub. This is impacting all of our GitHub organizations, including our Enterprise Cloud orgs.

 

Summary

  • Given a GitHub App with tons of permissions (including read/write repository administration, organization administration, etc.)…
  • The server-to-server GitHub App call to PATCH an existing repository with the body {private:false}, taking a repo public, returns HTTP 422: “Visibility can’t be changed by this user”
  • This only happens to the GitHub App when the organization’s member privileges are set to not allow repository creation, even if the separate and independent privilege “allow members to change repository visibilities for this organization” is enabled

 

Expected

A PATCH to a repository that is private, to change private to false, succeeds when called by a GitHub App that has repository admin permissions in an organization that has selected the privilege “allow members to change repository visibilities for this organization”

 

Actual

The PATCH fails with HTTP 422, stating “Visibility can’t be changed by this user”, and pointing to a documentation page about GitHub pricing (although this is a GitHub Enterprise Cloud organization). The repository remains private.

 

Confirmed API workaround

Change the ‘repository creation’ member privilege restriction to ‘allow private and public’. This does not work with our organization’s security and compliance policy that repos not be created directly on GitHub.

 

Diagnostic information

(have reproduced with many apps and installs beyond this)

 

Customer impact

Cannot use GitHub Apps to replace older workflow. Documented behavior of member privileges is not accurate and causes pain, blocking scenarios.

 

Painful mitigation – do not use GitHub Apps:

At this time we are forced to abandon using GitHub Apps for some scenarios and will have to continue using org owner personal access tokens or OAuth tokens for authorized users who are org owners.

 

Confusion around whether GitHub Apps are people/users or not… this is a server-to-server call, but the error message implies it’s a “user”

 

Set of independent member privileges set for the Azure-Samples org

 

Member Privileges:

    Repository creation: Disabled

Admin repository permissions:

    Repository visibility change:

        [ x ] Allow members to change repository visibilities for this organization

        If enabled, members with admin permissions for the repository will be able to change repository visibility from public to private. If disabled, only organization owners can change repository visibilities.

 

Thanks,

Jeff


Re: GitHub App cannot patch repo visibility in org with repo creation privilege disabled

FYI, GitHub (thanks) fixed this after Universe. Thanks API and platform team!
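
The call described in the first post and a way to tell this failure apart from an ordinary permission denial, as an added example that is not part of the original posts or any GitHub code. The helper names `build_make_public_request` and `diagnose`, the org name, and the shape of the sample 422 body are assumptions made for illustration; `members_can_create_repositories` is the field of `GET /orgs/{org}` that reflects the "Repository creation" member privilege.

```python
import json

API = "https://api.github.com"
ERR = "Visibility can't be changed by this user"  # message quoted in the post

# Constructed sample data (not captured from GitHub); the error body shape is assumed.
SAMPLE_422 = {"message": "Validation Failed", "errors": [{"resource": "Repository",
    "field": "visibility", "code": "custom", "message": "Visibility can\u2019t be changed by this user"}]}
SAMPLE_ORG = {"login": "example-org", "members_can_create_repositories": False}

def build_make_public_request(owner, repo, installation_token):
    """Return (method, url, headers, body) for the PATCH described in the post."""
    headers = {
        "Authorization": f"Bearer {installation_token}",
        "Accept": "application/vnd.github+json",
    }
    return "PATCH", f"{API}/repos/{owner}/{repo}", headers, json.dumps({"private": False})

def _messages(body):
    """Collect top-level and nested error messages, normalising curly apostrophes."""
    msgs = [body.get("message", "")]
    for err in body.get("errors", []):
        msgs.append(err.get("message", "") if isinstance(err, dict) else str(err))
    return [m.replace("\u2019", "'") for m in msgs]

def diagnose(status, body, org):
    """Classify a PATCH result against the org's member privileges.

    org is the JSON from GET /orgs/{org}. A 422 carrying the visibility
    message while repository creation is disabled matches the behaviour
    reported in the post.
    """
    if status == 200:
        return "ok" if body.get("private") is False else "unchanged"
    if status == 422 and any(ERR in m for m in _messages(body)):
        if org.get("members_can_create_repositories") is False:
            return "blocked-by-repo-creation-setting"
        return "visibility-change-denied"
    return f"other-error-{status}"

if __name__ == "__main__":
    method, url, _, body = build_make_public_request("example-org", "demo", "<installation-token>")
    print(method, url, body)
    print(diagnose(422, SAMPLE_422, SAMPLE_ORG))
```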