How to check a GitHub App installation can read/write a repo

[vit-zikmund]

Select Topic Area

Question

Body

Hello,
I'm searching for a way to identify a certain token holder (I have the token) can write, read or neither of that to a particular repo.

With a user-bound personal access token (PAT) I can identify the user with /user and use the login in /repos/{owner}/{repo}/collaborators/{username}/permission endpoint to see a username's repo permission to know what they can do to the git content.

However, I can't seem to find a way to do that for a GitHub App installation (acting on behalf of the app itself). This identity is represented by a token with the ghs_ prefix and (obviously) obeys a slightly different semantics.

In the set of accessible endpoints I see I can list all repos this installation can operate on with /installation/repositories, but this is further restricted by fine-grained permissions requested by the app (and later confirmed by the org owner). When the token has the Organization Administration read permission, it can use /orgs/{org}/installations, which contains the accepted permissions, but for all installations on the org, not just the one tied with the token. That's the last tiny piece of the puzzle I'm missing.

Would anyone have a clue?

Also all these listings are pretty heavy on the output, while I only need a tiny subset of the fields. I wouldn't mind using GraphQL for those queries, but I haven't found anything even remotely related in the GraphQL docs 😮

Thanks for your help!