Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- GitHub Community Forum
- :
- About jeffwilcox
jeffwilcox
Pilot Lvl 1
13
Posts
2
Kudos
2
Solutions
2 weeks ago
This was fixed. GitHub Apps can now use the user-to-server APIs to update org membership and accept org invites. Thank you to the API team.
... View more
- tags:
- apps
2 weeks ago
FYI, GitHub (thanks) fixed this after Universe. Thanks API and platform team!
... View more
10-21-2019
07:30 AM
1 Kudo
There is not an event today, but I'm with you on this one, it's necessary! Would also appreciate a team event when team members and maintainers change roles.
... View more
10-01-2019
12:30 PM
Hi, I wanted to report a painful issue we’re having trying to move to use a GitHub App for common operations. This seems to be an unexpected or invalid set of logic related to the ‘member repository permissions’ set for organizations on GitHub. This is impacting all of our GitHub organizations, including our Enterprise Cloud orgs. Summary Given a GitHub App with tons of permission (including read/write repository administration, organization administration, etc.)… The server-to-server GitHub App call to PATCH an existing repository with the body {private:false}, taking a repo public, returns HTTP 422: “Visibility can’t be changed by this user” This only happens to the GitHub App when the organization’s member privileges are set to not allow repository creation, even if the separate and independent privilege “allow members to change repository visibilities for this organization” is enabled Expected A PATCH to a repository that is private, to change private to false, succeeds when called by a GitHub App that has repository admin permissions in an organization that has selected the privilege “allow members to change repository visibilities for this organization” Actual The PATCH fails with HTTP 422, stating “Visibility can’t be changed by this user”, and pointing to a documentation page about GitHub pricing (although this is a GitHub Enterprise Cloud organization). The repository remains private. Confirmed API workaround Change the ‘repository creation’ member privilege restriction to ‘allow private and public’. This does not work with our organization’s security and compliance policy that repos not be created directly on GitHub. Diagnostic information (have reproduced with many apps and installs beyond this) GitHub App ID: 41899 GitHub API request ID: 2825:67D5:16B4F9:1B2455:5D93A51C REST API endpoint: PATCH https://api.github.com/repos/Azure-Samples/iot-edge-hmi-module Body: {“private”:”false”} Response: HTTP 422 Response body: "{"message":"Visibility can't be changed by this user.","documentation_url":"https://github.com/pricing"}" Customer impact Cannot use GitHub Apps to replace older workflow. Documented behavior of member privileges is not accurate and causes pain, blocking scenarios. Painful mitigation – do not use GitHub Apps: At this time we are forced to abandon using GitHub Apps for some scenarios and will have to continue using org owner personal access tokens or OAuth tokens for authorized users who are org owners. Confusion around whether GitHub Apps are people/users or not… this is a server-to-server call, but the error message implies it’s a “user” Set of independent member privileges set for the Azure-Samples org Member Privileges: Repository creation: Disabled Admin repository permissions: Repository visibility change: [ x ] Allow members to change repository visibilities for this organization If enabled, members with admin permissions for the repository will be able to change repository visibility from public to private. If disabled, only organization owners can change repository visibilities. Thanks, Jeff
... View more
09-17-2019
01:55 PM
Only the user themselves can accept the invitation, the org owner cannot accept it on their behalf. If you're authenticated as a legacy OAuth app as the user with the 'org:write' scope, you can call this API with the user's token to have them accept their own invite: https://developer.github.com/v3/orgs/members/#edit-your-organization-membership The app itself also needs to be authorized with Third-party access on the organization. That said, I have a newer GitHub App where I am trying to do the thing, and it isn't working, so there may be other lingering issues.
... View more
09-17-2019
01:50 PM
We have a few GitHub Apps that are 'public' and widely used across our orgs. When a new installation is created, and also as part of a daily job where we validate all installs, we remove any installations that do not meet our requirements (i.e. a repo install, where our app only performs org-level things of note) using the delete installation API. We also 'activate' installations in our own metadata store by one of our admins - so until it is 'active', we discard any and all webhook events and do not allow it to perform any actions. Eventually we delete the install if one of our employees doesn't let us know it was a legit install.
... View more
09-17-2019
01:44 PM
+1, LFS is burning my group - we eventually found 4 repos that are just massive users of LFS. Would also appreciate being able to turn off LFS on the org or repo level.
... View more
09-17-2019
01:42 PM
1 Kudo
epruesse, I'm with you... I would love it if Enterprise Cloud had a value-add, "retry webhook deliveries 3 times". For some of the larger scale projects I work on, we also experience missed events and have had to occassionally write jobs to go hit the events API or check the data to be eventually consistent, which is no fun. As a compromise we have had some good luck using Azure Logic Apps, similar to AWS lambda etc., where we are able to have our hook events delivered to Logic Apps, which are much more available than our systems were, and then we can configure retry policies or even dead letter queueing those events on our end for later processing. It's not free but was less expensive than other alternatives. We also miss events due to the limitations of webhooks, such as very large payload events (large commits) that are never sent, as documented.
... View more
09-17-2019
01:38 PM
I'll just add, at Microsoft, we had this challenge for a long time, too... here's what we essentially do now: we have org-wide web hooks for all of our orgs that are processed centrally, so we can maintain our own audit log, even for accounts that are not Enterprise Cloud... storing in a DB the username of who created the repo we backfilled the data using the exported JSON audit log (entire history of the orgs) when we launched the feature, so we have past repo creators outside of a few edge cases And for our largest orgs, we actually to not grant our members repo create privs, and instead require them to go through a separate 'new repo wizard' portal where we get even more data - what the project is, why, etc. - and that way we store in our own records even more context about their repo intent. Hope this helps.
... View more
09-17-2019
01:20 PM
I've started experimenting with the audit log GraphQL querying features in our Enterprise Cloud orgs; however, we still have a few orgs, such as some free open source team accounts, that are not on that product. In that scenario, it seems like there are still a few gaps - for example, installing or configuring GitHub Apps and OAuth apps do not seem to send any organization events, and changing team members to maintainers, or vica-versa, do not have events triggered, either. Is it possible that the org-level web hooks might eventually include new events to help with these gaps in the collect-the-events-yourself approach?
... View more
09-17-2019
01:04 PM
Note: I'm able to simulate this same error scenario with a legacy OAuth app: 'Deny access' to the OAuth app within the org's third-party access list of approved legacy OAuth apps The same "You do not have access to this organization membership." error appears when using the user's GitHub token as auth'd via the OAuth flow with the org:write scope If I then go back to the third-party access page for the legacy app, and 'Allow access', the API call completes OK. x-github-request-id C190:36ED:27286B0:2E8EE5A:5D813B59 is the legacy OAuth app equivalent request that failed after denying the legacy app third-party access. I should also note, the GitHub App is from another organization separate from the org I have installed the GitHub App on. I would assume that installing the GitHub App on an org would be equivalent to authorizing an OAuth app to be used on that org. Thanks for any insight.
... View more
09-16-2019
03:57 PM
Hi, I've finally gotten around to trying to port a major GitHub OAuth application I've been using to the more modern GitHub App model, since so many things are improved. However, I'm having issues with a particular user-to-server API that is descibed as being available: the REST v3 API "Edit your organization membership", as documentd here https :// developer.github.com/v3/orgs/members/ #edit-your-organization-membership, indicates that a user can essentially accept their organization invitation, as themselves, with a PATCH to this endpoint marking their state as 'active', if they have a pending invite to the org. We successfully use this API from our OAuth application. For that to work, we must: - have the OAuth app authorized by that org - have the 'org:write' scope via OAuth for the user (OAuth app model) - have invited the user The GitHub Apps docs on 'identifying and authorizing users', as documented here , clearly lists this API - "Edit your organization membership" - as OK for the GitHub App user-to-server flow https://developer.github.com/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps/ The docs also indicate that for GitHub Apps using the OAuth flow, that there is no longer a 'scope' concept, since the user is basically consenting as part of the approval. So, I feel like there may be a bug here. So, when I issue the PATCH from my GitHub App as a user-to-server, using the user's token received from OAuth via this GitHub app that I allowed, I get a 403 with this error message while posting the state:active paramters: "You do not have access to this organization membership." Is this a bug, or are there other issues here? It almost feels like the behavior is slightly different, perhaps related to the scopes issue? Thanks, and thank you for your help, it would be awesome to finally deprecate this old OAuth app model app for the GitHub App world! If it helps pull telemetry... here are the headers associated with a sample of this error. I use the official octokit rest.js library that works for our OAuth app in this same call otherwise... x-github-request-id: A955:02AD:B0A1EB:D240E0:5D800EE2 date: Mon, 16 Sep 2019 22:38:26 GMT x-oauth-client-id: Iv1.a03c550179fc7393 This functionality is important, since it lets us offer a more smooth onboarding experience to our users joining our GitHub organizations: we are able to: - ask the user to authenticate with our GitHub App via the OAuth client ID and secret and standard flow (no scope since that is not a GitHub App thing) - use the GitHub API to invite a user to our organization using our GitHub App installation token - use the user's OAuth token to PATCH to the API discussed here to edit a user's membership by accepting their invitation to the org (this does not work right now with our GitHub App) The identical code in our OAuth app and the same everything else is: - ask the user to auth with our OAuth app via a GitHub OAuth app ID and secret and scope of "org:write" - use one of our org owner's tokens to invite the user to the organization - use the user's OAuth token, with the org:write scope, to call the API to accept their invitation This is way more simple than asking the user to check their e-mail for the invite, etc. Jeff Note - sorry the forum seems to have bugs around showing HTML links right now, I had to remove all links to post this...
... View more
