Can not fetch members from org when using an app token #23578
Description
The compiler always emits permission-contents: read on the generated create-github-app-token step, which constrains the installation token to repository-level scopes only. This is fine, but there isn't a way to get members: read or other org permissions added to the list.
Org-level API calls (e.g. GET /orgs/{org}/teams/{slug}/members) return null silently even when:
- The app has Organization → Members → Read configured
- The token is org-scoped via repositories: ["*"]
Expected: Either a way to declare org-level permissions for the app token in frontmatter (e.g. under `tools.github.github-app`), or `repositories: ["*"]` should add the necessary `permission-*` constraints so the token inherits all app permissions for the tools selected. Or the github tool itself could allow permissions to be set when using github-app.
Attempted workarounds that don't work:
- `permissions: members: read` — rejected, not a valid GitHub Actions scope
- `tools.github.github-app.permissions` — rejected, not a valid field
- `permissions: read-all` — expands to all repo-level scopes, still no org permissions
Here's a minimal repro you can use:
```markdown
---
on: manual
permissions:
  contents: read
tools:
  github:
    toolsets: [orgs, users]
    github-app:
      app-id: ${{ vars.APP_ID }}
      private-key: ${{ secrets.APP_PRIVATE_KEY }}
      repositories: ["*"]
---
List members of the `my-org/my-team` team.
```
I have confirmed this works if I manually update the lock file.
```yaml
- name: Generate GitHub App token
  id: github-mcp-app-token
  uses: actions/create-github-app-token@a7f885bf4560200d03183ed941cb6fb072e4b343 # v3.0.0-beta.4
  with:
    app-id: ${{ vars.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}
    owner: ${{ github.repository_owner }}
    github-api-url: ${{ github.api_url }}
    permission-contents: read
    permission-members: read
```
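One way to confirm that the manually edited token step actually grants the org scope, rather than finding out later when the tool returns an empty result: a verification step that calls the team-members endpoint with the minted token and fails the job if the request is rejected. This is an added example, not part of the issue report or of the gh-aw compiler's output. It assumes the token step above keeps the id `github-mcp-app-token` (whose `token` output is what `actions/create-github-app-token` exposes), and `my-org` / `my-team` are placeholders for the org and team slug being checked.

```yaml
# Added verification step (example, not from the issue or the gh-aw project).
# Assumes the preceding step id is github-mcp-app-token; ORG and TEAM are
# placeholder values to replace with the real org and team slug.
- name: Verify installation token can read org members
  env:
    GH_TOKEN: ${{ steps.github-mcp-app-token.outputs.token }}
    ORG: my-org    # placeholder
    TEAM: my-team  # placeholder
  run: |
    # gh api exits non-zero when the API rejects the request, so a token
    # minted without permission-members fails here instead of being
    # mistaken for "the team has no members".
    count=$(gh api "/orgs/${ORG}/teams/${TEAM}/members" --jq 'length') || {
      echo "::error::installation token cannot read members of ${ORG}/${TEAM}; check permission-members on the token step"
      exit 1
    }
    echo "team members visible to the token: ${count}"
```

Keeping `permission-members: read` as the only addition (rather than broadening to `read-all`) keeps the installation token at the minimum the workflow needs; the check above then documents, in the job log, exactly which scope the workflow depends on.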