Errors working with private repos on GitHub orgs, caused by missing 3rd party access for Gitpod
GitHub orgs now restrict 3rd party application access by default. This means that even after the Gitpod app is installed on the org (e.g. when creating a /new project), 3rd party access to the org is not automatically granted to the Gitpod app.
Subsequent attempts to start a workspace on a private repo in the org will produce errors like "Repository not found", with
"Your access token was updated recently. Please try again if the repository exists and Gitpod was approved for <org>"
or
"Permission to access private repositories has been granted. If you are a member of <org>, please try to request access for Gitpod"
Navigating to the Branches page on the new project will show an empty branches list, and the browser console will contain an error message like:
Getting branches failed Error: getProjectOverview failed with message: Although you appear to have the correct authorization credentials, the '<org>' organization has enabled OAuth App access restrictions, meaning that data access to third-parties is limited. For more information on these restrictions, including how to enable this app, visit https://docs.github.com/articles/restricting-access-to-your-organization-s-data/
Navigating to the Project Configuration page will show "No Access" with the message "Authorize github.com and grant repo permission to access project configuration"; however, clicking on the "Authorize Provider" button will produce a spinning icon, and another console error:
Uncaught (in promise) Error: Request guessProjectConfiguration failed with message: NotFoundError
To approve 3rd party access for Gitpod on an org
A user who is an admin of the org needs to approve the Gitpod app for 3rd party access to the org.
- Go to https://github.com/settings/connections/applications/484069277e293e6d2a2a
- Look for the org in question in the lower section of the page under "Organization access".
- Click on the "Grant" button.
Many users with private repos in orgs are hitting this issue. Treating as a bug because there is no visible indication in the UI for what is happening (console errors are hidden) and no links to instructions for how to fix.
Suggested improvements in Gitpod:
- (If possible), when installing the app on the repository during /new, it should also enable 3rd party access.
- The 2 start workspace error messages should be improved and point to (or include) instructions for how to fix.
- Project Branches UI should not hide errors in console error logs.
- Project Configuration authorization should detect this error state instead of spinning.
Correct 3rd party access
only the Gitpod app required below
Missing 3rd party access
This affects forks also. https://github.com/gitpod-io/gitpod/issues/7482
Need visual design on showing errors for Project Branches and Project Config (currently only in console) cc: @gtsiolis
Another example from a support user (internal)
@jldec this issue is quite common, saw a good number of users experience this and were left clueless. Here's a recent one: on Discord
This issue affects all users trying to use Gitpod on private org repos.
Minimal suggested fix: The 2 start workspace error messages should be fixed to add the wording below, and link to this issue.
Gitpod cannot access this private repository because it belongs to a GitHub organization which has not granted access to Gitpod OAuth. Please see the steps in this issue to fix this.
Scheduled - cc: @geropl
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This came up again recently (support link - internal)
@jldec Could we solve this problem by finding an alternative to GitHub Apps? E.g., if we nudge people to use Personal Tokens with the relevant scopes, and use that to write PR status updates/comments and install webhooks? :thinking:
GitHub orgs now restrict 3rd party application access by default.
I'm pretty sure this is a day one situation with workspace start. The new thing about this was introduced with Projects in Gitpod. We leave a perception that the repository access is granted because it's possible to add the GH App "Gitpod" to the project using the New Project wizard. Unfortunately, the GH App and the GH OAuth App have distinct accessibility models. The GH Org maintainer needs to approve the GH OAuth App explicitly by following a request.
That's for the problem. Now adding options for a solution:
- Investigate if it's possible to detect if the GH OAuth App is approved on the org a repo/project belongs to. If this is possible, we could nudge the project creator to request approval during the process.
- Using PAT instead of OAuth tokens selectively per organization/repository.
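One way the error state described in this thread could be detected and turned into an actionable message, as an added example that is not Gitpod's code and not part of any comment here. The type and function names are hypothetical, the sample org name is constructed, and the allowed org-name characters are an assumption; the matched strings, the hint wording and the URL are the ones quoted in this issue.

```typescript
// Added example (not Gitpod's code): classify the error strings quoted in this
// issue and produce a hint pointing at the org-access page named in the steps.
interface AccessDiagnosis {
  kind: "oauth-app-restricted" | "no-access-or-missing" | "other";
  org: string | null;
  hint: string;
}

// URL from the steps in this issue.
const GRANT_URL =
  "https://github.com/settings/connections/applications/484069277e293e6d2a2a";

// Message text as quoted in this issue. The org name is limited to letters,
// digits and hyphens (assumption) so odd input is never echoed into the hint.
const RESTRICTED_RE =
  /the '([A-Za-z0-9-]+)' organization has enabled OAuth App access restrictions/;
const NOT_FOUND_RE = /Repository not found|NotFoundError/;

function diagnoseAccessError(message: string): AccessDiagnosis {
  const org = RESTRICTED_RE.exec(message)?.[1];
  if (org) {
    return {
      kind: "oauth-app-restricted",
      org,
      hint:
        "Gitpod cannot access this private repository because it belongs to " +
        `the GitHub organization '${org}', which has not granted access to ` +
        `Gitpod OAuth. An admin of the org can grant it at ${GRANT_URL}`,
    };
  }
  if (NOT_FOUND_RE.test(message)) {
    // Ambiguous on its own: the repository may be missing or merely hidden.
    return {
      kind: "no-access-or-missing",
      org: null,
      hint:
        "The repository was not found. If it is a private repository in a " +
        `GitHub org, check that the org has granted access at ${GRANT_URL}`,
    };
  }
  return { kind: "other", org: null, hint: message };
}

// Constructed sample: the console message from this issue with a made-up org.
const SAMPLE =
  "getProjectOverview failed with message: Although you appear to have the " +
  "correct authorization credentials, the 'acme-corp' organization has " +
  "enabled OAuth App access restrictions";
console.log(diagnoseAccessError(SAMPLE).hint);
```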
OK so is this solved or does gitpod not work with github organizations?
For whoever stumbles upon here, this link does work and you just need to scroll down to the organisation you are an admin of and click grant. That solved it for me.
Just to confirm that this is still happening and definitely is annoying. Our team is looking to improve our workflow and we are considering Gitpod, but when it fails on zero-day without extra steps required it is not a great experience for new customers. In order to discover this solution I had to first create a Discord account (which I never wanted to do for personal reasons), then post in the #questions channel and finally look at a suggested thread that then led me here. Now I will have to go to our GitHub administration setup and manually change that access in order to explore Gitpod for our development team.
Quite a few acrobatics in my opinion when someone wants to try your product.
Thanks
Pascal Charbonneau IT Manager Leco Industries Inc