Background
GitHub released a REST API endpoint, GET /enterprises/{enterprise}/installation, that lets a GitHub App look up its installation on an enterprise account and retrieve the installation ID.
References:
Current limitation in PAC
PAC currently has an installation discovery path in pkg/provider/github/app/token.go that parses the Repository URL owner/repo and tries these scopes in order:
- repository installation:
FindRepositoryInstallation(owner, repo)
- organization installation:
FindOrganizationInstallation(owner)
- user installation:
FindUserInstallation(owner)
If those fail, PAC returns an error like:
could not find repository, organization or user installation
There is no enterprise-level lookup in that chain today.
The confirmed affected path is incoming-webhook installation discovery from pkg/adapter/incoming.go, when the Repository CR does not specify an explicit git_provider. Normal GitHub App webhook payloads already include installation.id and are handled through pkg/provider/github/parse_payload.go, so this is not expected to affect every GitHub App webhook path.
Requested change
Add enterprise installation lookup support using GET /enterprises/{enterprise}/installation after the existing repository, organization, and user lookup attempts fail, or at another point in the chain if that proves more correct.
Benefits
- Supports GitHub Enterprise Cloud enterprise-level GitHub App installations.
- Avoids failing installation discovery when the app is installed at enterprise scope rather than repo/org/user scope.
- Aligns PAC with GitHub's current installation lookup API surface.
Open implementation question
The GitHub endpoint requires the enterprise slug. PAC currently has the repository owner from spec.url and may have X-GitHub-Enterprise-Host, but that host is not the same as the enterprise slug for GitHub Enterprise Cloud. We need to decide how PAC should receive or infer the enterprise slug, for example via incoming webhook header, Repository field/configuration, or another existing settings path.
** Downstream Story: https://redhat.atlassian.net/browse/SRVKP-12214 **
Background
GitHub released a REST API endpoint,
GET /enterprises/{enterprise}/installation, that lets a GitHub App look up its installation on an enterprise account and retrieve the installation ID.References:
Current limitation in PAC
PAC currently has an installation discovery path in
pkg/provider/github/app/token.gothat parses the Repository URL owner/repo and tries these scopes in order:FindRepositoryInstallation(owner, repo)FindOrganizationInstallation(owner)FindUserInstallation(owner)If those fail, PAC returns an error like:
There is no enterprise-level lookup in that chain today.
The confirmed affected path is incoming-webhook installation discovery from
pkg/adapter/incoming.go, when the Repository CR does not specify an explicitgit_provider. Normal GitHub App webhook payloads already includeinstallation.idand are handled throughpkg/provider/github/parse_payload.go, so this is not expected to affect every GitHub App webhook path.Requested change
Add enterprise installation lookup support using
GET /enterprises/{enterprise}/installationafter the existing repository, organization, and user lookup attempts fail, or at another point in the chain if that proves more correct.Benefits
Open implementation question
The GitHub endpoint requires the enterprise slug. PAC currently has the repository owner from
spec.urland may haveX-GitHub-Enterprise-Host, but that host is not the same as the enterprise slug for GitHub Enterprise Cloud. We need to decide how PAC should receive or infer the enterprise slug, for example via incoming webhook header, Repository field/configuration, or another existing settings path.** Downstream Story: https://redhat.atlassian.net/browse/SRVKP-12214 **