|
| 1 | +--- |
| 2 | +title: 'Enterprise GitHub Apps: Programmatic Installation and Management Across Organizations' |
| 3 | +author: Josh Johanning |
| 4 | +date: 2025-09-05 14:00:00 -0500 |
| 5 | +description: A comprehensive guide to using Enterprise GitHub Apps to programmatically install and manage applications across all organizations in your GitHub Enterprise |
| 6 | +categories: [GitHub, Apps] |
| 7 | +tags: [GitHub, GitHub Apps, GitHub Enterprise Management] |
| 8 | +media_subpath: /assets/screenshots/2025-09-05-github-enterprise-apps |
| 9 | +image: |
| 10 | + path: enterprise-github-apps-light.png |
| 11 | + width: 100% |
| 12 | + height: 100% |
| 13 | + alt: An Enterprise-owned GitHub App with the capability to install and manage apps across all organizations in the enterprise |
| 14 | +--- |
| 15 | + |
| 16 | +## Overview |
| 17 | + |
| 18 | +GitHub has made enterprise GitHub App management much easier with the [general availability of Enterprise GitHub Apps](https://github.blog/changelog/2025-03-10-enterprise-owned-github-apps-are-now-generally-available/) and [Enterprise-level access for GitHub Apps and installation automation APIs (public preview)](https://github.blog/changelog/2025-07-01-enterprise-level-access-for-github-apps-and-installation-automation-apis/). These capabilities allow enterprise administrators to programmatically install, manage, and audit GitHub Apps across hundreds of organizations without manually clicking through installation screens. This is particularly useful during migration scenarios where you need to programmatically install and configure apps across multiple organizations. |
| 19 | + |
| 20 | +This post shows how to use these new APIs with practical bash examples. |
| 21 | + |
| 22 | +> Check out my [Demystifying GitHub Apps: Using GitHub Apps to Replace Service Accounts](/posts/github-apps/) post if you're interested in learning more about what a GitHub App is! 🚀 |
| 23 | +{: .prompt-info } |
| 24 | + |
| 25 | +## What Are Enterprise GitHub Apps? |
| 26 | + |
| 27 | +With the [March 2025 GA release](https://github.blog/changelog/2025-03-10-enterprise-owned-github-apps-are-now-generally-available/) of enterprise-owned GitHub Apps and the [July 2025 introduction (public preview)](https://github.blog/changelog/2025-07-01-enterprise-level-access-for-github-apps-and-installation-automation-apis/) of enterprise-level access and installation automation APIs, enterprises can now: |
| 28 | + |
| 29 | +- **Install GitHub Apps at the enterprise level** with new enterprise-specific permissions |
| 30 | + - You can now use an App to authenticate to some endpoints at the Enterprise level |
| 31 | + - Previously, Apps could only be installed at org/user level without enterprise API access |
| 32 | + - Note not all enterprise endpoints are available yet (see: [limitations](#current-limitations)) |
| 33 | +- **Programmatically manage app installations** across all organizations in their enterprise, such as: |
| 34 | + - Adding or removing repositories (you could previously do this at the organization level with an [API](https://docs.github.com/en/enterprise-cloud@latest/rest/apps/installations?apiVersion=2022-11-28#add-a-repository-to-an-app-installation), but only with a classic PAT) |
| 35 | + - Toggling from all repositories to selected (a feature that was previously not possible through any API) |
| 36 | +- **Automate GitHub Apps installation** using the [Enterprise-level REST APIs](https://docs.github.com/en/enterprise-cloud@latest/rest/enterprise-admin/organization-installations?apiVersion=2022-11-28) (it wasn't possible to programmatically install an app before!) |
| 37 | +- **Centrally audit and control** which apps are installed and what they can access |
| 38 | + - Previously, if you wanted to get which repositories the app had access to, you had to use an [App's JWT token](https://docs.github.com/en/enterprise-cloud@latest/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#example-using-bash-to-generate-a-jwt) to [query the installation](https://docs.github.com/en/enterprise-cloud@latest/rest/apps/apps?apiVersion=2022-11-28#get-an-organization-installation-for-the-authenticated-app) and using the `repository_selection` property |
| 39 | +- **Automatic permission propagation**: When you update app permissions, all organizations automatically accept the changes without requiring manual approval from each org owner (huge for enterprises with many organizations!) |
| 40 | +- **Transfer existing organization apps**: Organization-owned GitHub Apps can now be transferred to enterprise ownership, allowing you to centralize management of apps that were previously created at the organization level |
| 41 | + |
| 42 | +### Enterprise App Permission Scopes & Capabilities |
| 43 | + |
| 44 | +Here's a list of the scopes available to an Enterprise GitHub App. In this post, we are specifically focusing on how these can be used to manage app installations across your enterprise organizations: |
| 45 | + |
| 46 | +```text |
| 47 | +Enterprise App Installation |
| 48 | +├── Enterprise-level permissions (new) |
| 49 | +│ ├── Enterprise custom properties |
| 50 | +│ ├── Enterprise custom organization roles |
| 51 | +│ ├── ⭐️ Enterprise organization installation repositories |
| 52 | +│ ├── ⭐️ Enterprise organization installations |
| 53 | +│ ├── Enterprise organizations (create and removing enterprise orgs) |
| 54 | +│ ├── Enterprise SSO and SCIM management |
| 55 | +│ ├── Enterprise people (managing user access to the enterprise) |
| 56 | +│ └── Enterprise single sign-on (view and manage SSO information; does not replace setup EMU user) |
| 57 | +└── Organization App installations (Enterprise Apps can now manage) |
| 58 | + ├── Installing/uninstalling the app in an org |
| 59 | + └── Repository access settings (flipping access between all repos to selected repos) |
| 60 | + └── Repository access list (adding/removing repos the app has access to) |
| 61 | +``` |
| 62 | +{: .nolineno} |
| 63 | + |
| 64 | +{: .prompt-tip } |
| 65 | +> You can use an Enterprise-owned GitHub App to install another Enterprise-owned GitHub App into an organization OR an organization-owned GitHub App into an organization. The key difference is that the Enterprise-owned App has enterprise-level permissions and can be managed centrally by enterprise owners. |
| 66 | +
|
| 67 | +## Installation Automation API Examples |
| 68 | + |
| 69 | +Now that we understand what Enterprise GitHub Apps can do, let's look at the automation APIs. These examples show how to manage app installations across your enterprise organizations programmatically. |
| 70 | + |
| 71 | +Before diving into the examples, there are a few important things to know: |
| 72 | + |
| 73 | +- **Prerequisites**: You'll need enterprise owner access (or delegated app manager permissions), and an [Enterprise GitHub App](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-your-enterprise-account/creating-github-apps-for-your-enterprise) with **Enterprise --> "Enterprise organization installations" (write)** permissions (and generate and safeguard the private key). |
| 74 | +- **Authentication**: In my examples, I'm using the [`gh token`](https://github.com/Link-/gh-token) CLI command to generate a token for App authentication. You can also generate your own [JWT](https://docs.github.com/en/enterprise-cloud@latest/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#example-using-bash-to-generate-a-jwt) and [App installation token](https://docs.github.com/en/enterprise-cloud@latest/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app) using your preferred method. |
| 75 | +- **API Documentation**: There are two different sets of API endpoints for Apps, and navigating the documentation can be tricky. We'll be using the **[REST API for managing organization GitHub App installations for Enterprise Administration](https://docs.github.com/en/enterprise-cloud@latest/rest/enterprise-admin/organization-installations?apiVersion=2022-11-28)**, not the regular [REST API endpoints for GitHub Apps](https://docs.github.com/en/enterprise-cloud@latest/rest/apps?apiVersion=2022-11-28) (which are app and org-based, not enterprise). |
| 76 | + |
| 77 | +### Examples (Bash) |
| 78 | + |
| 79 | +```bash |
| 80 | +# Generate token for the enterprise app |
| 81 | +# The --installation-id option can be omitted if the App's first installation was at the enterprise (no orgs) |
| 82 | +# Find the installation ID from address bar when reviewing the app's installation configuration |
| 83 | +token=$(gh token generate --app-id 1891481 --installation-id 84179086 --key /Users/joshjohanning/Downloads/josh-github-enterprise-app.2025-09-03.private-key.pem --token-only) |
| 84 | + |
| 85 | +# Get repositories accessible to an app installed in org |
| 86 | +# This effectively shows which repos the app is installed on |
| 87 | +GH_TOKEN=$token gh api /enterprises/avocado-corp/apps/organizations/joshjohanning-org/installations/45357471/repositories --paginate --jq '.[].full_name' |
| 88 | + |
| 89 | +# Get repositories belonging to an enterprise-owned organization |
| 90 | +# Useful to know WHICH repos are available to install the app on |
| 91 | +# or compare with the previous API to see which repos the app is NOT installed on |
| 92 | +GH_TOKEN=$token gh api /enterprises/avocado-corp/apps/installable_organizations/joshjohanning-org/accessible_repositories --jq '.[].full_name' --paginate |
| 93 | + |
| 94 | +# Flip to "selected repositories" for app installed in org |
| 95 | +# Note this fails with `422` if you select invalid repos |
| 96 | +GH_TOKEN=$token gh api --method PATCH /enterprises/avocado-corp/apps/organizations/joshjohanning-org/installations/45357471/repositories --input - <<< '{ |
| 97 | + "repository_selection": "selected", |
| 98 | + "repositories": [ |
| 99 | + "issueops-samples", |
| 100 | + "reusable-workflows" |
| 101 | + ] |
| 102 | +}' |
| 103 | + |
| 104 | +# Flip back to "all repos" for app installed in org |
| 105 | +GH_TOKEN=$token gh api --method PATCH /enterprises/avocado-corp/apps/organizations/joshjohanning-org/installations/45357471/repositories --input - <<< '{ |
| 106 | + "repository_selection": "all" |
| 107 | +}' |
| 108 | + |
| 109 | +# Uninstall app in an org |
| 110 | +GH_TOKEN=$token gh api --method DELETE /enterprises/avocado-corp/apps/organizations/joshjohanning-org/installations/45357471 |
| 111 | + |
| 112 | +# You need to retrieve the client_id of the app being installed in order to install it |
| 113 | +# The easiest way is to grab the app's client_id from the app's settings page |
| 114 | +# Programmatically: |
| 115 | +# - If the app is public, you can query the client_id with any authentication (including Enterprise GitHub App) |
| 116 | +# - If the app is private, you can query the client_id using the API with your user token with the scopes: |
| 117 | +# $ gh auth login -s read:enterprise or gh auth login -s read:org |
| 118 | +# $ gh api /apps/josh-github-enterprise-app-disc --jq .client_id |
| 119 | + |
| 120 | +# Install app in an org |
| 121 | +# Note it needs client_id and not the app_id |
| 122 | +GH_TOKEN=$token gh api --method POST /enterprises/avocado-corp/apps/organizations/joshjohanning-org/installations -f 'client_id=Iv1.1051aca2d4910a24' -f 'repository_selection=all' |
| 123 | + |
| 124 | +# List all apps and their permissions in an organization |
| 125 | +GH_TOKEN=$token gh api /enterprises/avocado-corp/apps/organizations/joshjohanning-org/installations --paginate |
| 126 | +``` |
| 127 | +{: .nolineno} |
| 128 | + |
| 129 | +## Current Limitations |
| 130 | + |
| 131 | +As of September 2025, there are some limitations to be aware of: |
| 132 | + |
| 133 | +- **Limited permission scope**: Not every permission is available at the Enterprise level yet (like managing Enterprise settings) |
| 134 | +- **Enterprise webhooks**: Enterprise installations cannot subscribe to webhooks yet |
| 135 | +- **Third-party apps**: Enterprises can only install apps owned by the enterprise or organizations within the enterprise |
| 136 | +- **Rate limits**: Enterprise installations have their own 15,000 requests/hour budget - but note each installation still has its own rate limit |
| 137 | +- **Creating apps**: You cannot currently create Apps through the API; I recommend using the [manifest flow](https://docs.github.com/en/apps/sharing-github-apps/registering-a-github-app-from-a-manifest) for codifying the app permissions and creation process through the UI |
| 138 | + |
| 139 | +{: .prompt-info } |
| 140 | +> Keep an eye on the [GitHub roadmap](https://github.com/orgs/github/projects/4247) and [changelog](https://github.blog/changelog/2025/?label=enterprise-management-tools) for updates on enterprise GitHub App capabilities. |
| 141 | +
|
| 142 | +## Summary |
| 143 | + |
| 144 | +[Enterprise-owned GitHub Apps](https://github.blog/changelog/2025-03-10-enterprise-owned-github-apps-are-now-generally-available/) (GA March 2025) and the [Enterprise-level installation automation APIs](https://github.blog/changelog/2025-07-01-enterprise-level-access-for-github-apps-and-installation-automation-apis) (public preview July 2025) solve the manual pain of managing apps across many organizations. The key benefit is eliminating the need to click through installation screens for every org, plus automatic permission propagation when you update app settings. |
| 145 | + |
| 146 | +The bash examples above demonstrate the core operations: install, uninstall, change repository access, and audit existing installations. These [Enterprise-level GitHub App management APIs](https://docs.github.com/en/enterprise-cloud@latest/rest/enterprise-admin/organization-installations?apiVersion=2022-11-28) are particularly valuable during migrations or when you need to deploy security/compliance apps enterprise-wide. |
| 147 | + |
| 148 | +Happy automating! 🔑 🚀 |
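Review bot: The token example at line 83 of the new file reads the app's private key from a personal Downloads folder (`--key /Users/joshjohanning/Downloads/josh-github-enterprise-app.2025-09-03.private-key.pem`), which sits awkwardly next to the "generate and safeguard the private key" prerequisite at line 73, and readers tend to copy these blocks verbatim. Consider replacing the key path, `--app-id` and `--installation-id` values with named shell variables set at the top of the block, plus a one-line comment that the key should be kept in an access-controlled location rather than a download folder. Two smaller points in the same block: the uninstall call (`--method DELETE`, line 110) and the calls that set `repository_selection` to `all` (lines 105-107 and the install at line 122) are the destructive or access-widening operations and deserve a comment saying so, ideally with the install example defaulting to `selected`; and the comment at line 117 joins two alternative `gh auth login` commands with "or" on one line, which reads as a single command.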