GitHub App: don't sync repositories that the app doesn't have access to (#12272)

stsewd · web-flow · commit 9afa36f38294 · 2025-07-01T10:36:53.000-05:00
When an app is installed into an organization, GH will send events related to members being added/removed from repositories, even if those repositories weren't granted access to the app.. so when attempting to sync the collaborators from those repositories, there was an error from GH since we don't have access to those. This is mainly a problem with public repos, as for private repos GH will always return a 404 if the app doesn't have access. This isn't breaking anything from our logic, just creating remote repositories we don't need and filling sentry with errors. ref https://read-the-docs.sentry.io/issues/6701666499/events/0ef3cf2bb9554e39bc2dd9b874aef879/events/?project=148442
diff --git a/readthedocs/oauth/services/githubapp.py b/readthedocs/oauth/services/githubapp.py
@@ -249,6 +249,14 @@ def update_or_create_repositories(self, repository_ids: list[int]):
                 # in order for PyGithub to use the API to fetch the repository by ID (not by name).
                 # it needs to be an integer, so just in case we cast it to an integer.
                 repo = self.installation_client.get_repo(int(repository_id))
+
+                # GitHub will send some events from all repositories in the organization (like the members event),
+                # even from those that don't have the app installed. For private repositories, the previous API
+                # call will fail, but for public repositories we can still hit the API successfully, so we make
+                # an additional check using the GitHub App API, which will raise a GithubException with a 404
+                # status code if the app is not installed on the repository.
+                if not repo.private:
+                    self.gh_app_client.get_repo_installation(owner=repo.owner.login, repo=repo.name)
             except GithubException as e:
                 log.info(
                     "Failed to fetch repository from GitHub",
@@ -278,7 +286,7 @@ def _create_or_update_repository_from_gh(
         target_id = self.installation.target_id
         target_type = self.installation.target_type
         # NOTE: All the repositories should be owned by the installation account.
-        # he following condition should never happen, unless the previous assumption is wrong.
+        # The following condition should never happen, unless the previous assumption is wrong.
         if gh_repo.owner.id != target_id or gh_repo.owner.type != target_type:
             log.exception(
                 "Repository owner does not match the installation account",
diff --git a/readthedocs/rtd_tests/tests/test_oauth.py b/readthedocs/rtd_tests/tests/test_oauth.py
@@ -438,6 +438,10 @@ def test_create_repository(self, request):
                 full_name="user/repo", id=4444, owner={"id": int(self.account.uid)}
             ),
         )
+        request.get(
+            f"{self.api_url}/repos/user/repo/installation",
+            json=self._get_installation_json(id=1111),
+        )
         request.get(
             f"{self.api_url}/repos/user/repo/collaborators",
             json=[self._get_collaborator_json()],
@@ -468,6 +472,56 @@ def test_create_repository(self, request):
         assert relation.account == self.account
         assert relation.admin
 
+    @requests_mock.Mocker(kw="request")
+    def test_create_private_repository(self, request):
+        new_repo_id = 4444
+        assert not RemoteRepository.objects.filter(
+            remote_id=new_repo_id, vcs_provider=GitHubAppProvider.id
+        ).exists()
+
+        request.post(
+            f"{self.api_url}/app/installations/1111/access_tokens",
+            json=self._get_access_token_json(),
+        )
+        request.get(
+            f"{self.api_url}/repositories/4444",
+            json=self._get_repository_json(
+                full_name="user/repo",
+                id=4444,
+                owner={"id": int(self.account.uid)},
+                private=True,
+            ),
+        )
+        request.get(
+            f"{self.api_url}/repos/user/repo/collaborators",
+            json=[self._get_collaborator_json()],
+        )
+
+        service = self.installation.service
+        service.update_or_create_repositories([new_repo_id])
+
+        repo = RemoteRepository.objects.get(
+            remote_id=new_repo_id, vcs_provider=GitHubAppProvider.id
+        )
+        assert repo.name == "repo"
+        assert repo.full_name == "user/repo"
+        assert repo.organization is None
+        assert repo.description == "Some description"
+        assert repo.avatar_url == "https://github.com/images/error/octocat_happy.gif"
+        assert repo.ssh_url == "git@github.com:user/repo.git"
+        assert repo.html_url == "https://github.com/user/repo"
+        assert repo.clone_url == "https://github.com/user/repo.git"
+        assert repo.private
+        assert repo.default_branch == "main"
+        assert repo.github_app_installation == self.installation
+
+        relations = repo.remote_repository_relations.all()
+        assert relations.count() == 1
+        relation = relations[0]
+        assert relation.user == self.user
+        assert relation.account == self.account
+        assert relation.admin
+
     @requests_mock.Mocker(kw="request")
     def test_update_repository(self, request):
         assert self.remote_repository.description == "Some description"
@@ -484,6 +538,38 @@ def test_update_repository(self, request):
                 description="New description",
             ),
         )
+        request.get(
+            f"{self.api_url}/repos/user/repo/installation",
+            json=self._get_installation_json(id=1111),
+        )
+        request.get(
+            f"{self.api_url}/repos/user/repo/collaborators",
+            json=[self._get_collaborator_json()],
+        )
+
+        service = self.installation.service
+        service.update_or_create_repositories([int(self.remote_repository.remote_id)])
+
+        self.remote_repository.refresh_from_db()
+        assert self.remote_repository.description == "New description"
+
+    @requests_mock.Mocker(kw="request")
+    def test_update_private_repository(self, request):
+        assert self.remote_repository.description == "Some description"
+        request.post(
+            f"{self.api_url}/app/installations/1111/access_tokens",
+            json=self._get_access_token_json(),
+        )
+        request.get(
+            f"{self.api_url}/repositories/{self.remote_repository.remote_id}",
+            json=self._get_repository_json(
+                full_name="user/repo",
+                id=int(self.remote_repository.remote_id),
+                owner={"id": int(self.account.uid)},
+                description="New description",
+                private=True,
+            ),
+        )
         request.get(
             f"{self.api_url}/repos/user/repo/collaborators",
             json=[self._get_collaborator_json()],
