I asked this question on the github community support forum, but I'll ask this here too since no reply there...
I am trying to setup a Github App to give some scripts limited Admin rights to some repos in an Organisation. The Organisation is (I believe) under an Enterprise account - we are using this currently instead of having an Enterprise server. I have created the App, transferred it to the Organisation, and one of the Organisation Admins (which I an not) has set me as the manager. So far so good. However, although I can see the App in the Organisation Settings, there is no “Install App” button. Also trying to use it in scripting gives 401 (A JSON web token could not be decoded) errors trying to get hold of a “PAT” for the app - even though the Admin has installed it into the app.
There is obviously something wrong but I’m at a loss. Does anybody know of some extra logs that can be looked at or have a suggestion on how to approach this. We’ve tried deleting the app and retrying - no different. I should say this is the third app I’ve created for transferring into the organisation this way - so far it has just worked.
We raised a support ticket on this so got a formal answer. I thought it might be useful to replicate the key part of the answer here. Essentially the issue is the fact this App has Admin rights. I am an Administrator on some of the repos, and am "App Manager" for this App, but I am not an Owner of the Organisation.
I quote:
"""GitHub App permission requests [control] access to a number of organization REST API endpoints... As these endpoints are outside the individual repository scope, only the organization owner can approve requests to add or change them. If this wasn't the case, App Managers who aren't organization owners would be able to grant an application the ability to view organization members and teams - which is private organization information that can otherwise only be granted by organization owners via inviting new organization members."""
Basically that is it. The original idea was to allow a central place to set some things that only an Administrator could set in a repo - c.f. branch rules. Seems that this can't be done as is with an App - the system just isn't flexible enough.
The alternative, which I know works, is to use the PAT of a user with Admin rights. That just feels less secure.