GH App installation access token with different permissions in different repositories

[juzerzarif]

Select Topic Area

Question

Body

Hi, I have a GitHub app with write permissions on all org repositories and I would like to use that app to mint installation tokens with a subset of those permissions on specific repositories.

Looking at the API for creating installation tokens (https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app) there is a body param to specify repositories but it seems like every repository will share the same permissions object? Is there a way to mint a single installation token that has contents:read access to repo-a and contents:write access to repo-b?

[tusharxoxoxo]

Yes, it is possible to create a single installation token with different permissions for different repositories. You can use the permissions parameter to specify the permissions for each repository in the POST /repos/{repository}/installation_access_tokens API call.

Here's an example of how you can create a single installation token with different permissions for different repositories:

`POST https://api.github.com/repos/{repository}/installation_access_tokens
Accept: application/vnd.github.machine-man-preview+json
Authorization: Bearer {installation_access_token}

{
"permissions": {
"contents": {
"read": true
}
},
"repository_ids": [
123456,
789012
]
}
`

In this example, the permissions parameter specifies that the token has contents:read permission for both repositories. You can modify this parameter to grant different permissions for each repository. The repository_ids parameter specifies the IDs of the repositories for which you want to create the installation token.

You can use the resulting token to interact with the specified repositories, with the corresponding permissions.

Note that the POST /repos/{repository}/installation_access_tokens API call requires the repo scope for the GitHub app, in addition to the installation scope.

[juzerzarif]

Do you have a link to the docs for that API endpoint? And also that looks like it would still give all of those permissions to all of those repos. Say I want a token with contents:read permission for repo 123456 and contents:write permission for repo 789012. This wouldn't accomplish that

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬