github, github-api, github-api-v3

Which permissions are needed for a GitHub app to access list-issues-for-a-repository API?


I'd like to create a GitHub app to display the current issues in a repository, organized by labels. The repositories under the organization are private, but my account has admin access. I've installed the app under my name. The API list-issues-for-a-repository is returning:

{
  "message": "Not Found",
  "documentation_url": "https://developer.github.com/v3/issues/#list-issues-for-a-repository"
}

I've set the app permissions as follows:

Repository permissions

Organization permissions

User permissions

Subscribe to events

Getting all the repos using /orgs/«org»/repos returns an empty array, meaning the private repositories aren't showing up, so there's likely a permission issue going on here, too.

Questions:

  1. Do I need to install the app under the organization? The organization is not showing any installed apps, even though we're running Codacy and GitHub Desktop.

  2. The app is not under the organization's Third-party access policy. Do I need to add it? I don't see any way to request permissions, and I don't know if GitHub apps work this way.

  3. Do I need to include more permissions for the app? I just need read-only for the issues and don't want to expose more than I need.


Solution

  • First of all, I confirmed it has to be a "GitHub App" and not an "OAuth App", because the API to list the issues in a repository is, according to the documentation, available only to GitHub Apps. I took an initial wrong turn, documented in the edit history of a previous related issue, of selecting an OAuth App and getting nowhere.

    As far as my specific questions:

    1. Do I need to install the app under the organization? The organization is not showing any installed apps, even though we're running Codacy and GitHub Desktop.

    Yes, it needs to be installed or added under the organization. It was easier for me to delete the existing app under my account, and re-add (vs re-install) under the organization.

    2. The app is not under the organization's third-party access policy. Do I need to add it? I don't see any way to request permissions, and I don't know if GitHub apps work this way.

    Once the app is added under the organization, it is automatically given access. You can fine-tune which repositories it can access or let it access them all. Installing, as opposed to adding, might need a few more steps, and the app needs to be published first. My app is intended for the organization only, so I opted for the simpler solution. Also, even if you give the app access to all repositories, the access rights of whoever logs in take precedence. For example, someone outside of the organization won't see any private repositories.

    3. Do I need to include more permissions for the app? I just need read-only for the issues and don't want to expose more than I need.

    No, just read-only for issues; metadata is included automatically.

    With these revisions I was able to access the repositories, and also get results for list-issues-for-a-repository.
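
Added example, not part of the original answer: a small check that takes a GitHub App installation record (the shape returned by `GET /app/installations`) and reports the conditions discussed above that lead to "Not Found" on a private organization repository, plus any permission granted beyond read-only issues. The function name, the finding strings and the sample records are assumptions constructed for illustration.

```python
# Added example; the installation records below are constructed, not real API output.
NEEDED = {"issues": "read"}  # per the answer: read-only issues is sufficient
LEVELS = {"read": 1, "write": 2, "admin": 3}

def diagnose(installation, org, repo=None, selected_repos=()):
    """Return findings explaining why issues in org/repo may come back 404."""
    findings = []
    account = installation.get("account", {})
    # The app must be installed on the organization, not on a personal account.
    if (installation.get("target_type") != "Organization"
            or account.get("login", "").lower() != org.lower()):
        findings.append("not-installed-on-org")
    perms = installation.get("permissions", {})
    for name, level in NEEDED.items():
        if LEVELS.get(perms.get(name), 0) < LEVELS[level]:
            findings.append(f"missing-permission:{name}:{level}")
    # Least privilege: flag grants beyond issues:read (metadata comes along automatically).
    for name, level in perms.items():
        if name == "metadata":
            continue
        if name not in NEEDED or LEVELS.get(level, 0) > LEVELS[NEEDED[name]]:
            findings.append(f"excess-permission:{name}:{level}")
    # With "selected" repositories, the target repo must be on the list.
    if installation.get("repository_selection") == "selected" and repo:
        if repo not in selected_repos:
            findings.append(f"repo-not-selected:{repo}")
    return findings

USER_INSTALL = {  # constructed: the question's state, installed under a user
    "account": {"login": "alice", "type": "User"},
    "target_type": "User",
    "repository_selection": "all",
    "permissions": {"issues": "read", "metadata": "read"},
}
ORG_INSTALL = {  # constructed: the answer's state, added under the organization
    "account": {"login": "example-org", "type": "Organization"},
    "target_type": "Organization",
    "repository_selection": "selected",
    "permissions": {"issues": "read", "metadata": "read"},
}

if __name__ == "__main__":
    print(diagnose(USER_INSTALL, "example-org", "tracker"))
    print(diagnose(ORG_INSTALL, "example-org", "tracker", ["tracker"]))
```

The list passed as `selected_repos` would come from `GET /installation/repositories` when the installation is limited to selected repositories.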