Hi Andrea,

Thanks for the reply. I've forwarded the below information to https://github.com/contact, but copying here as well:

Prerequisites:

- Using a GitHub application (as opposed to an OAuth application), generate a user access token using the steps described here: https://developer.github.com/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps/#identifying-users-on-your-site, and set this as the GITHUB_ACCESS_TOKEN environment variable.

Steps to reproduce:

1. Accessing the "Get a single repository" endpoint for a public repository works as expected, even if the GitHub app is not installed to that repository:

    $ curl https://api.github.com/repos/octocat/Spoon-Knife -H "Content-Type: application/json" -H "Authorization: bearer $GITHUB_ACCESS_TOKEN" -I
    HTTP/1.1 200 OK

2. However, accessing the "List pull requests" endpoint for this repository fails:

    $ curl https://api.github.com/repos/octocat/Spoon-Knife/pulls -H "Content-Type: application/json" -H "Authorization: bearer $GITHUB_ACCESS_TOKEN" -I
    HTTP/1.1 403 Forbidden

3. An identical request without authentication completes successfully:

    $ curl https://api.github.com/repos/octocat/Spoon-Knife/pulls -H "Content-Type: application/json" -I
    HTTP/1.1 200 OK

Using an OAuth App (instead of a GitHub App) works as expected.
While moving an OAuth app to a GitHub app, I noticed that some data that is accessible publicly (i.e. without an access token) is not available to users that authenticated with a GitHub app if that app is not installed to the repository in question.

For example, hitting GET https://api.github.com/repos/octocat/Spoon-Knife/pulls without an access token works fine, but using an access token returned from https://github.com/login/oauth/access_token gives the following response:

    Status: 403 Forbidden
    {
      "message": "Resource not accessible by integration"
    }

Is this intentional?