Troubleshooting

GitHub Permissions

Troubleshooting GitHub permission issues with FlagShark.

4 min readLast updated: May 22, 2026

FlagShark has two separate components that interact with GitHub, and they have different permission models. Understanding which component you're configuring prevents over-granting permissions.

Permission Models

GitHub Action (CI, no account required)

The FlagShark GitHub Action runs in your CI pipeline and uses the built-in GITHUB_TOKEN. Add these two permissions to your workflow permissions: block — nothing more is needed:

Permission	Level	Purpose
`contents`	Read	Check out the repository and read files for flag scanning
`pull-requests`	Write	Post the flag summary comment on the PR

Example workflow configuration:

permissions:
  contents: read
  pull-requests: write

The Action does not need Issues write or Contents write. It does not create branches or call the Issues API.

FlagShark GitHub App (SaaS)

The FlagShark GitHub App is installed via the dashboard and powers the SaaS features: automatic PR analysis, cleanup PR generation, and comment management. It requires a broader set of permissions:

Permission	Level	Purpose
`contents`	Read & Write	Read file contents and git history; create cleanup branches and commits
`pull-requests`	Write	Read PR diffs and file lists; open automated cleanup PRs
`issues`	Write	Post and update comments on PRs (GitHub routes PR comments through the Issues API)
`metadata`	Read	Access repository information

FlagShark follows the principle of least privilege. The Action only requests two permissions. The App requests broader access only because cleanup PR creation requires writing commits and branches via the Git Data API.

Common Permission Issues

Can't Install on Organization

Symptoms: Installation fails or shows "You don't have permission to install this app."

Causes:

You're not an organization owner or admin
Organization has restricted app installations
Third-party app access is disabled

Solutions:

Check your role: You need Owner or Admin role on the organization

Request installation: Non-admins can request the app be installed

Contact org admin: Ask them to approve or install FlagShark

For Organization Owners:

Go to Organization Settings > Third-party access

Ensure GitHub Apps can be installed

Check for pending installation requests

Approve FlagShark if it's pending

App Installed But No Repository Access

Symptoms: FlagShark is installed but can't see your repositories.

Causes:

App only has access to selected repositories
Your repository isn't in the selection
Repository is private and access wasn't granted

Solutions:

Go to GitHub > Settings > Applications (or Organization Settings > GitHub Apps)

Find FlagShark and click "Configure"

Under "Repository access", choose:

Save changes

Can't Post PR Comments

Symptoms: FlagShark detects flags but doesn't post comments on PRs.

Causes:

Missing Issues write permission (the GitHub App posts PR comments through the Issues API)
Organization policy blocking comments
Rate limiting

Check permissions:

Go to the repository > Settings > Integrations

Find FlagShark in the list

Verify it shows "Issues: Read and write"

If permission is missing:

Go to GitHub > Settings > Applications

Find FlagShark > Configure

Review permissions — they should include Issues (read & write)

If permissions have changed, you may need to re-approve

Action Not Posting Comments

Symptoms: The GitHub Action runs but no PR comment appears.

Cause: The workflow permissions: block is missing pull-requests: write.

Fix: Add the permissions block to your workflow:

permissions:
  contents: read
  pull-requests: write

The Action does not use the Issues API and does not need issues: write.

Webhooks Not Being Received

Symptoms: Nothing happens when you open or update PRs.

Causes:

Webhook not properly configured
Webhook delivery failing
Repository removed from app access

Check webhook status:

Go to Repository > Settings > Webhooks

Find the FlagShark webhook

Check "Recent Deliveries" for success/failure

Look at response codes and messages

Common webhook errors:

Error	Meaning	Solution
No webhook listed	App not installed properly	Reinstall FlagShark
401 Unauthorized	Authentication issue	Reinstall the app
403 Forbidden	Permission denied	Check app permissions
404 Not Found	Endpoint issue	Contact FlagShark support
No recent deliveries	Webhooks not triggering	Check app is still installed

Can't Read Repository Contents

Symptoms: FlagShark can't analyze PRs, shows "access denied" errors.

Causes:

Missing Contents read permission
Repository is private and not accessible
Branch protection blocking access

Solutions:

Verify FlagShark has Contents read permission
Ensure the repository is included in app access
Check if branch protection rules affect API access

Organization Policies

SAML SSO

If your organization uses SAML SSO:

Go to your personal GitHub settings > Applications

Find FlagShark

Click "Enable SSO" for your organization

Complete the SSO authentication

You may need to re-enable SSO after each GitHub session, depending on your organization's SSO settings.

Third-Party Access Restrictions

Some organizations restrict third-party app access:

Go to Organization > Settings > Third-party access

Check if third-party apps are restricted

If restricted, an admin must approve FlagShark

Look for FlagShark in pending requests

IP Allow Lists

If your organization uses IP allow lists:

FlagShark needs to be able to reach GitHub's API
Contact FlagShark support for our IP ranges if needed

Reinstalling FlagShark

If permissions are corrupted, a clean reinstall often helps:

Wait a moment: Give GitHub time to clean up

Reinstall:

Go to FlagShark dashboard
Click "Add Repository" or "Install GitHub App"
Follow the installation flow
Select repositories to grant access

Verify: Create a test PR with a flag to confirm detection works

Troubleshooting

GitHub Permissions

Troubleshooting GitHub permission issues with FlagShark.

4 min readLast updated: May 22, 2026

FlagShark has two separate components that interact with GitHub, and they have different permission models. Understanding which component you're configuring prevents over-granting permissions.

Permission Models

GitHub Action (CI, no account required)

The FlagShark GitHub Action runs in your CI pipeline and uses the built-in GITHUB_TOKEN. Add these two permissions to your workflow permissions: block — nothing more is needed:

Permission	Level	Purpose
`contents`	Read	Check out the repository and read files for flag scanning
`pull-requests`	Write	Post the flag summary comment on the PR

Example workflow configuration:

permissions:
  contents: read
  pull-requests: write

The Action does not need Issues write or Contents write. It does not create branches or call the Issues API.

FlagShark GitHub App (SaaS)

The FlagShark GitHub App is installed via the dashboard and powers the SaaS features: automatic PR analysis, cleanup PR generation, and comment management. It requires a broader set of permissions:

Permission	Level	Purpose
`contents`	Read & Write	Read file contents and git history; create cleanup branches and commits
`pull-requests`	Write	Read PR diffs and file lists; open automated cleanup PRs
`issues`	Write	Post and update comments on PRs (GitHub routes PR comments through the Issues API)
`metadata`	Read	Access repository information

Common Permission Issues

Can't Install on Organization

Symptoms: Installation fails or shows "You don't have permission to install this app."

Causes:

You're not an organization owner or admin
Organization has restricted app installations
Third-party app access is disabled

Solutions:

Check your role: You need Owner or Admin role on the organization

Request installation: Non-admins can request the app be installed

Contact org admin: Ask them to approve or install FlagShark

For Organization Owners:

Go to Organization Settings > Third-party access

Ensure GitHub Apps can be installed

Check for pending installation requests

Approve FlagShark if it's pending

App Installed But No Repository Access

Symptoms: FlagShark is installed but can't see your repositories.

Causes:

App only has access to selected repositories
Your repository isn't in the selection
Repository is private and access wasn't granted

Solutions:

Go to GitHub > Settings > Applications (or Organization Settings > GitHub Apps)

Find FlagShark and click "Configure"

Under "Repository access", choose:

Save changes

Can't Post PR Comments

Symptoms: FlagShark detects flags but doesn't post comments on PRs.

Causes:

Missing Issues write permission (the GitHub App posts PR comments through the Issues API)
Organization policy blocking comments
Rate limiting

Check permissions:

Go to the repository > Settings > Integrations

Find FlagShark in the list

Verify it shows "Issues: Read and write"

If permission is missing:

Go to GitHub > Settings > Applications

Find FlagShark > Configure

Review permissions — they should include Issues (read & write)

If permissions have changed, you may need to re-approve

Action Not Posting Comments

Symptoms: The GitHub Action runs but no PR comment appears.

Cause: The workflow permissions: block is missing pull-requests: write.

Fix: Add the permissions block to your workflow:

permissions:
  contents: read
  pull-requests: write

The Action does not use the Issues API and does not need issues: write.

Webhooks Not Being Received

Symptoms: Nothing happens when you open or update PRs.

Causes:

Webhook not properly configured
Webhook delivery failing
Repository removed from app access

Check webhook status:

Go to Repository > Settings > Webhooks

Find the FlagShark webhook

Check "Recent Deliveries" for success/failure

Look at response codes and messages

Common webhook errors:

Error	Meaning	Solution
No webhook listed	App not installed properly	Reinstall FlagShark
401 Unauthorized	Authentication issue	Reinstall the app
403 Forbidden	Permission denied	Check app permissions
404 Not Found	Endpoint issue	Contact FlagShark support
No recent deliveries	Webhooks not triggering	Check app is still installed

Can't Read Repository Contents

Symptoms: FlagShark can't analyze PRs, shows "access denied" errors.

Causes:

Missing Contents read permission
Repository is private and not accessible
Branch protection blocking access

Solutions:

Verify FlagShark has Contents read permission
Ensure the repository is included in app access
Check if branch protection rules affect API access

Organization Policies

SAML SSO

If your organization uses SAML SSO:

Go to your personal GitHub settings > Applications

Find FlagShark

Click "Enable SSO" for your organization

Complete the SSO authentication

You may need to re-enable SSO after each GitHub session, depending on your organization's SSO settings.

Third-Party Access Restrictions

Some organizations restrict third-party app access:

Go to Organization > Settings > Third-party access

Check if third-party apps are restricted

If restricted, an admin must approve FlagShark

Look for FlagShark in pending requests

IP Allow Lists

If your organization uses IP allow lists:

FlagShark needs to be able to reach GitHub's API
Contact FlagShark support for our IP ranges if needed

Reinstalling FlagShark

If permissions are corrupted, a clean reinstall often helps:

Wait a moment: Give GitHub time to clean up

Reinstall:

Go to FlagShark dashboard
Click "Add Repository" or "Install GitHub App"
Follow the installation flow
Select repositories to grant access

Verify: Create a test PR with a flag to confirm detection works