kentaro-m / auto-assign

🤖 A Probot app that adds reviewers to pull requests when pull requests are opened.
https://probot.github.io/apps/auto-assign/
ISC License

Cannot assign GitHub team to reviews #207

Open yoshi-koyama opened 1 year ago

yoshi-koyama commented 1 year ago

Describe the bug

I know this is a duplicate issue, but I would like to discuss it with you.

The issues:

I am unable to assign a GitHub team as a reviewer.

To Reproduce

I have been experimenting with this repository: https://github.com/reytech-co-jp/auto-assign-test

Steps to reproduce the behavior:

  1. Create an organization and a team.

     [Screenshot 2022-09-16 10:39:58]

  2. Create a repository.

     [Screenshot 2022-09-16 10:40:27]

  3. Configure auto-assign and allow auto-assign to access the repository: https://github.com/apps/auto-assign

     [Screenshot 2022-09-16 10:42:08]

  4. Create ./.github/auto_assign.yml in the repository: https://github.com/reytech-co-jp/auto-assign-test/blob/main/.github/auto_assign.yml

  5. Invite the team as a collaborator with Read access.

     [Screenshot 2022-09-16 10:49:22]

  6. Make a pull request and see that no reviewers are assigned: https://github.com/reytech-co-jp/auto-assign-test/pull/18

Expected behavior

I want the team to be assigned as a reviewer.

Workaround

I have also considered GitHub's code review assignment feature, but it is not usable for me because I need to assign more than 3 people. https://docs.github.com/en/enterprise-server@3.2/organizations/organizing-members-into-teams/managing-code-review-settings-for-your-team

Research

It seems necessary to change the permission settings, as mentioned in this issue: https://github.com/kentaro-m/auto-assign/issues/138#issuecomment-736012032

I suspect that a team I belong to can't be assigned as a reviewer when I make a pull request.

Your help would be greatly appreciated. Thank you in advance.

kentaro-m commented 1 year ago

@yoshi-koyama

Thank you for reporting the issue.

I would like to share my understanding of and thoughts on this issue. Please let me know your opinion.

Current Status

The team assign feature is implemented in the code but is not enabled in the hosted app. To enable this feature, the developer (me) needs to add permissions to the app.

After that, each app user needs to approve the added permission. All users of the app will be notified of this.

Alternatives

One way to enable the team assign feature is to self-host the app.

My thoughts

The reason I am reluctant to add permissions is that the cost of running an app securely is high.

Security best practices for apps - GitHub Docs https://docs.github.com/en/developers/github-marketplace/creating-apps-for-github-marketplace/security-best-practices-for-apps

The apps I submit to the marketplace are hosted and managed by me. I patch my apps regularly to keep them secure. I also keep permissions to a minimum.

Additional permissions are required to enable the team assignment feature, but they also allow the app to access more data.

It would be an unnecessary permission addition for users who do not want the team assignment feature. And with more data to handle, I would need to operate the app more carefully.

There is also a way to activate the feature by self-hosting the app.

For those reasons, I haven't done it so far.

I have not thoroughly investigated the risk of adding permissions, and I think that is something we should look into. I also believe that documentation support for this issue is needed.

koyama-yoshihito commented 1 year ago

Thank you for your reply!

As you said, it seems that enabling this feature costs a lot, and I understand that it would not fully follow the security best practices for apps. https://docs.github.com/en/developers/github-marketplace/creating-apps-for-github-marketplace/security-best-practices-for-apps

Apps should use the principle of least privilege and should only request the OAuth scopes and GitHub App permissions that the app needs to perform its intended functionality.

And,

I also believe that documentation support for this issue is needed.

I agree with you. It would be very much appreciated if you could document it.

Now that my questions have been answered, you can close this issue. Thank you for your sincere support.

koyama-yoshihito commented 1 year ago

I created a pull request to modify README.md: https://github.com/kentaro-m/auto-assign/pull/209 I hope I can get some feedback from you :)