[BUG]: github_app_installation_repositories allows modifying app for another org #2431

Open
1 task done
a88zach opened this issue Oct 18, 2024 · 1 comment
Labels
Status: Up for grabs Issues that are ready to be worked on by anyone Type: Bug Something isn't working as documented

a88zach commented Oct 18, 2024

Expected Behavior

When setting the owner argument for the provider, a github_app_installation_repositories resource should only be allowed to modify app installations for the target GitHub org.

Actual Behavior

When you are using a token that has access to multiple organizations and those organizations have repositories with the same name, you can modify the app installation in one org when targeting the other (repro steps below).

Terraform Version

Terraform v1.9.8
on darwin_arm64

Affected Resource(s)

  • github_app_installation_repositories

Terraform Configuration Files

No response

Steps to Reproduce

  • Create a GitHub PAT for a user that has access to multiple organizations
  • Create a repository in both organizations with the same name
  • Add a GitHub app to both organizations with the created repository as the only selected app
  • In Terraform, set the owner argument to one of the organizations
  • Add a github_app_installation_repositories resource that references the app id of the other organization and remove all selected repos
  • Apply the change

The outcome will be that the selected repo was removed from the other organization instead of the organization specified in the owner argument of the provider.

Debug Output

No response

Panic Output

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@a88zach a88zach added Status: Triage This is being looked at and prioritized Type: Bug Something isn't working as documented labels Oct 18, 2024
a88zach commented Oct 18, 2024

Where this is really a problem is if you have an app installation in one org with, say, 10 selected repos. You then create a new github_app_installation_repositories resource for the other org (and forget to update the app installation id in the resource) and set the selected repos to just one (one with the same name as a repo in the other org). When you apply, the app installation with 10 selected repos will now only have the one selected repo.

@kfcampbell kfcampbell moved this from 🆕 Triage to 🔥 Backlog in 🧰 Octokit Active Oct 25, 2024
@kfcampbell kfcampbell added Status: Up for grabs Issues that are ready to be worked on by anyone and removed Status: Triage This is being looked at and prioritized labels Oct 25, 2024
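
The guard this issue asks for, sketched as an added example (not the provider's code, and not taken from this thread): refuse to plan changes for an installation whose account differs from the configured owner, and match repositories by owner-qualified name. The `Installation` type, `planSelected` helper, org names and IDs are hypothetical, constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Installation is a constructed stand-in for an app installation record:
// the account (org) it belongs to and its currently selected repositories.
type Installation struct {
	ID       int64
	Account  string
	Selected []string // "org/repo" full names
}

// planSelected (hypothetical helper) returns the full names to remove so that
// only `want` (bare repo names) stay selected. It refuses to plan anything when
// the installation is not owned by the provider's configured owner.
func planSelected(owner string, inst Installation, want []string) ([]string, error) {
	// Org logins are compared case-insensitively.
	if !strings.EqualFold(inst.Account, owner) {
		return nil, fmt.Errorf("installation %d belongs to %q, provider owner is %q",
			inst.ID, inst.Account, owner)
	}
	keep := map[string]bool{}
	for _, name := range want {
		// Qualify with the owner so a same-named repo elsewhere never matches.
		keep[strings.ToLower(owner+"/"+name)] = true
	}
	var remove []string
	for _, full := range inst.Selected {
		if !keep[strings.ToLower(full)] {
			remove = append(remove, full)
		}
	}
	return remove, nil
}

func main() {
	// Constructed data: org-b's installation, while the provider targets org-a.
	orgB := Installation{ID: 2002, Account: "org-b",
		Selected: []string{"org-b/shared", "org-b/billing", "org-b/infra"}}
	if _, err := planSelected("org-a", orgB, []string{"shared"}); err != nil {
		fmt.Println("refused:", err)
	}
	remove, _ := planSelected("org-b", orgB, []string{"shared"})
	fmt.Println("would remove:", remove)
}
```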