Description
I'm not sure if this is a bug or me not understanding GitHub's permissions model.
I have created a GitHub App under my personal account and installed it under my personal account. That account is a member of a larger organization, and my personal account has at least read access to all the repos in that organization. My personal account does not have the privileges to create an organization-level app nor install apps to the organization.
The app has the Contents: Read-only permission, and when I installed it in my personal account I granted it access to All repositories.
I'm working on a Rust CI pipeline, and the Cargo.toml file has references to crates that are served from private GitHub repositories via ssh://git@github.com URLs. All of these repositories are in the same organization as my personal account, and my personal account has at least Read permission to them via the organization.
The pipeline is simple, and uses the example from this PR: #273
```yaml
env:
  CARGO_NET_GIT_FETCH_WITH_CLI: true # Necessary for `cargo install` to work
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/create-github-app-token@v2
        id: app-token
        with:
          app-id: ${{ secrets.REPO_ACCESS_APP_ID }}
          private-key: ${{ secrets.REPO_ACCESS_APP_PRIVATE_KEY }}
          owner: chrisdoherty-dynata
      - name: Set up git
        run: |
          git config --global url."https://USERNAME:${GITHUB_TOKEN}@github.com/".insteadOf "ssh://git@github.com/"
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
      - name: Build
        run: cargo build --verbose
```
In the actions/create-github-app-token@v2 config, if I leave off the owner: field, it defaults to the organization, and I get the following error when trying to create a token:
```
Failed to create token for "rex-respondent-gateway" (attempt 1): Not Found - https://docs.github.com/rest/apps/apps#get-a-repository-installation-for-the-authenticated-app
RequestError [HttpError]: Not Found - https://docs.github.com/rest/apps/apps#get-a-repository-installation-for-the-authenticated-app
```
If I specify my personal account as the owner: explicitly, the token is created successfully.
However, when the Build step runs, cargo performs an implicit cargo install and I then get the following error:
```
Run cargo build --verbose
  cargo build --verbose
  shell: /usr/bin/bash -e {0}
  env:
    CARGO_TERM_COLOR: always
    CARGO_NET_GIT_FETCH_WITH_CLI: true
    Updating crates.io index
    Updating git repository `ssh://git@github.com/ORGANIZATION/sdk-rust.git`
     Running `git fetch --no-tags --verbose --force --update-head-ok 'ssh://git@github.com/ORGANIZATION/sdk-rust.git' '+9b9b3bd7868cdcd577a46d99fd441fa8ac397974:refs/commit/9b9b3bd7868cdcd577a46d99fd441fa8ac397974'`
remote: Repository not found.
fatal: repository 'https://github.com/ORGANIZATION/sdk-rust.git/' not found
warning: spurious network error (3 tries remaining): process didn't exit successfully: `git fetch --no-tags --verbose --force --update-head-ok 'ssh://git@github.com/ORGANIZATION/sdk-rust.git' '+9b9b3bd7868cdcd577a46d99fd441fa8ac397974:refs/commit/9b9b3bd7868cdcd577a46d99fd441fa8ac397974'` (exit status: 128)
```
When logged in with my personal account, I can access https://github.com/ORGANIZATION/sdk-rust.git/ without any problems.
So my question is: is this supposed to work, and this is a bug or misconfiguration somewhere? Or is this by design, and what I'm trying to do will only work if the app is created/installed at the organization level?