[Improve] Create public GitHub Apps so the install step picks the org#416
Merged
Conversation
Manifest-created GitHub Apps are now public, so they can be installed on any account via GitHub's own install-time account picker instead of requiring the app to be created inside the target organization. The organization name field is no longer needed for the common case and moves behind the standard "Show advanced config" toggle, for deployments that want the organization to own the app. Unsolicited installations of a public app remain inert: the installation.created webhook only completes installations with a matching pending record, bulk sync only iterates installations already in the database, and callback sync requires a deployment admin.
Contributor
|
No new code issues found. See task
Reviewed 47890b1 |
With a public app, any account can install it and produce validly signed webhook deliveries. Verify the signature, then require the payload's installation to already exist in github_installations before the event is persisted or handled. installation.created still passes through so pending installations can complete; that handler is guarded by its own pending-record match.
The router test's Webhooks mock had no verify method, so every routed delivery hit the catch path in CI. Mock verify and the new installation guard, and add coverage for the invalid-signature and unknown-installation early returns.
The unconditional installation.created bypass still let outsider installs of the public app reach recordWebhook before the handler's pending check rejected them. Match the installing account against github_pending_installations in the guard itself - the same check the handler enforces - so unrequested installs are dropped before anything is persisted.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The GitHub setup flow currently asks admins to type their organization name before creating the GitHub App. That was forced by creating the app as private: a private GitHub App can only be installed on the account that owns it, and GitHub's manifest-creation endpoint is owner-specific with no account picker.
This PR flips manifest-created apps to
public: true, so the app can be installed on any account the admin belongs to. GitHub's own install screen (github.com/apps/{slug}/installations/new) then shows an account picker, and typing the org name is no longer needed for the common case.Changes
buildGitHubAppManifestnow setspublic: trueisFromKnownInstallation);installation.createdis accepted only when the installing account matches a pending-installation record, mirroring the check its handler enforcesNotes on public apps
Anyone who finds a deployment's app slug could install the public app on their own account. Those installations stay inert:
recordWebhook, so outsider installs cannot fill the webhooks table or trigger handler workinstallation.createdis only accepted when the installing account matches a pending-installation record, both in the guard (before anything is persisted) and again in its handlersyncGitHubInstallationsonly iterates installations already in the databaseExisting deployments are unaffected; their apps stay private unless flipped to public in GitHub's app settings, which also enables the install-time picker for them.
Test plan
public: trueisFromKnownInstallationcovering the pending-install bypass, known/unknown installations, installation-less events, and malformed payloadsvitest,check-types, andlintpass