copilot-metrics-viewer

Only Organization Owner can view Copilot Metrics

Open lvthillo opened this issue 1 year ago • 6 comments

Hi,

We're hosting the Copilot metrics viewer on AWS / ECS, using the recommended proxy setup with a GitHub App. The app has one read-only setting:

GitHub Copilot Business 
Manage Copilot Business seats and settings

Now it seems that only Organization Owners can view the metrics.

A member of the organization is able to login but then he gets:

undefined
If .env file is modified ...

In the dev tools we see:

{
  "message": "Resource not accessible by integration",
  "documentation_url": "https://docs.github.com/rest/copilot/copilot-usage#get-a-summary-of-copilot-usage-for-organization-members",
  "status": "403"
}

Is this expected? We want to give insights to more people than just organizational owners.

lvthillo · Dec 04 '24 13:12

I am not an expert on the Copilot app, and I just found the statement below when building a Copilot extension. Since a Copilot extension is a kind of Copilot app, I assume it follows the same permission rules?

Requests to your Copilot agent will receive an X-Github-Token header. This header contains an API token that can be used to fetch resources from the GitHub API on behalf of the user interacting with your agent. **The permissions of this token are the overlap of the user's own permissions and the permissions granted to your GitHub App installation.**

https://docs.github.com/en/copilot/building-copilot-extensions/building-a-copilot-agent-for-your-copilot-extension/configuring-your-copilot-agent-to-communicate-with-github

DevOps-zhuang · Dec 10 '24 10:12

Thanks for the useful reply. After taking a closer look at the error and the docs, it became clear that the failing call requires the following permissions:

  • "GitHub Copilot Business" organization permissions (read)
  • "Administration" organization permissions (read)

So, I added the "Administration" organization permissions (read) to the application,

Read access to organization administration and organization copilot seat management

but unfortunately, the same error persists.

lvthillo · Dec 12 '24 10:12

Hi, that's my experience with it as well. I believe that's the way it was designed by GitHub.

"user has access to scope, hence the app can show it to them"

If you wanted to use the app and present metrics to other users, using a PAT token and your own authorization layer is the way to go I think.

From: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app

A user access token only has permissions that both the user and the app have. For example, if the app was granted permission to write the contents of a repository, but the user can only read the contents, then the user access token can only read the contents.

karpikpl · Jan 04 '25 04:01

I think there's an alternative solution: use the installation token and the private key to read metrics using the GitHub App.

I'll try to add this feature to the app after #144 is merged

karpikpl · Feb 03 '25 04:02

Hi @karpikpl, is there maybe any update on this?

lvthillo · Sep 03 '25 12:09

There's #245 to solve it but it needs review and testing

karpikpl · Sep 03 '25 13:09