The Organizations integration test creates a new enterprise organization under the msx enterprise and then attempts to install the GitHub App on it. The Install-GitHubApp call returns a 404, which cascades into failures for all subsequent tests that depend on the app installation context (connecting to the org, updating via org context, removing via org context).
Observed in run 25260449736, auth case "GitHub App from an Enterprise using JWT + IAT on enterprise account":
Error: [-] Install-GitHubApp - Installs a GitHub App to an organization 2.87s
URI: https://api.github.com/enterprises/msx/apps/organizations/Organizations-Linux-25260449736/installations
Status: 404 (Not Found)
x-accepted-github-permissions: enterprise_organization_installations=write
Cascading failures
The 404 causes four consecutive test failures:
Install-GitHubApp — 404 from the enterprise endpointConnect-GitHubApp — $orgContext is null because the app was never installedUpdate-GitHubOrganization (org installation) — cannot connect because there is no org installationRemove-GitHubOrganization (org installation) — same cascading failure
Request
Investigation results
No organization name mismatch. Both the creation and installation calls use the same $orgName variable (Organizations-{OS}-{RunID}). The org is created via New-GitHubOrganization -Enterprise 'msx' -Name $orgName and installed via Install-GitHubApp -Enterprise $owner -Organization $orgName where $owner = 'msx'. The naming is consistent throughout the test.
Missing permission identified. The response header x-accepted-github-permissions: enterprise_organization_installations=write indicates the endpoint requires the enterprise_organization_installations permission. The enterprise installation access token (IAT) context shows its permissions as {enterprise_custom_properties, enterprise_ai_controls, enterprise_copilot_metrics, enterprise_credentials…} — the truncated list does not appear to include enterprise_organization_installations. GitHub returns 404 (rather than 403) when the token lacks the required permission, which is standard behavior to avoid revealing resource existence.
Alternatively, propagation delay. A secondary possibility is that the freshly-created enterprise organization has not yet propagated to the enterprise apps endpoint. If the permission is confirmed present, a small retry delay between org creation and app installation should be tested.
Acceptance criteria
- The
Install-GitHubApp test passes for the enterprise auth case
- All downstream tests (
Connect-GitHubApp, Update-GitHubOrganization, Remove-GitHubOrganization via org installation) pass as a result
- The enterprise app's required permissions are documented in
tests.instructions.md
Technical decisions
Root cause — permission configuration: The psmodule-enterprise-app GitHub App (ClientID: Iv23lieHcDQDwVV3alK1, homed in the msx enterprise) needs the enterprise_organization_installations permission set to write. This is configured in the app's settings on GitHub, not in code.
Verification approach: List the full permissions of the enterprise IAT by expanding the context output (the … truncation in the log hides whether the permission is present). If the permission is absent, add it to the app settings. If present, investigate propagation delay and add a retry.
Test ordering is correct: The test intentionally runs Update-GitHubOrganization and Remove-GitHubOrganization with Should -Throw before Install-GitHubApp. These expect to fail because the enterprise IAT lacks organization_administration=write on the newly created org (by design — the point is to show that org-level operations require an org-level installation). The Install-GitHubApp test then installs the app to get an org-level IAT for the remaining tests.
No code change required (if permission is the cause): The fix is to update the GitHub App configuration on the msx enterprise to include enterprise_organization_installations: write.
Implementation plan
Investigation
Fix
Documentation
The Organizations integration test creates a new enterprise organization under the
msxenterprise and then attempts to install the GitHub App on it. TheInstall-GitHubAppcall returns a 404, which cascades into failures for all subsequent tests that depend on the app installation context (connecting to the org, updating via org context, removing via org context).Observed in run 25260449736, auth case "GitHub App from an Enterprise using JWT + IAT on enterprise account":
Cascading failures
The 404 causes four consecutive test failures:
Install-GitHubApp— 404 from the enterprise endpointConnect-GitHubApp—$orgContextis null because the app was never installedUpdate-GitHubOrganization(org installation) — cannot connect because there is no org installationRemove-GitHubOrganization(org installation) — same cascading failureRequest
Investigation results
No organization name mismatch. Both the creation and installation calls use the same
$orgNamevariable (Organizations-{OS}-{RunID}). The org is created viaNew-GitHubOrganization -Enterprise 'msx' -Name $orgNameand installed viaInstall-GitHubApp -Enterprise $owner -Organization $orgNamewhere$owner = 'msx'. The naming is consistent throughout the test.Missing permission identified. The response header
x-accepted-github-permissions: enterprise_organization_installations=writeindicates the endpoint requires theenterprise_organization_installationspermission. The enterprise installation access token (IAT) context shows its permissions as{enterprise_custom_properties, enterprise_ai_controls, enterprise_copilot_metrics, enterprise_credentials…}— the truncated list does not appear to includeenterprise_organization_installations. GitHub returns 404 (rather than 403) when the token lacks the required permission, which is standard behavior to avoid revealing resource existence.Alternatively, propagation delay. A secondary possibility is that the freshly-created enterprise organization has not yet propagated to the enterprise apps endpoint. If the permission is confirmed present, a small retry delay between org creation and app installation should be tested.
Acceptance criteria
Install-GitHubApptest passes for the enterprise auth caseConnect-GitHubApp,Update-GitHubOrganization,Remove-GitHubOrganizationvia org installation) pass as a resulttests.instructions.mdTechnical decisions
Root cause — permission configuration: The
psmodule-enterprise-appGitHub App (ClientID:Iv23lieHcDQDwVV3alK1, homed in themsxenterprise) needs theenterprise_organization_installationspermission set towrite. This is configured in the app's settings on GitHub, not in code.Verification approach: List the full permissions of the enterprise IAT by expanding the context output (the
…truncation in the log hides whether the permission is present). If the permission is absent, add it to the app settings. If present, investigate propagation delay and add a retry.Test ordering is correct: The test intentionally runs
Update-GitHubOrganizationandRemove-GitHubOrganizationwithShould -ThrowbeforeInstall-GitHubApp. These expect to fail because the enterprise IAT lacksorganization_administration=writeon the newly created org (by design — the point is to show that org-level operations require an org-level installation). TheInstall-GitHubApptest then installs the app to get an org-level IAT for the remaining tests.No code change required (if permission is the cause): The fix is to update the GitHub App configuration on the
msxenterprise to includeenterprise_organization_installations: write.Implementation plan
Investigation
enterprise_organization_installationsis present in the enterprise app permissions by checking the app settings athttps://github.com/enterprises/msx/settings/appsor by querying the APIFix
enterprise_organization_installations: writepermission to thepsmodule-enterprise-appin themsxenterprise settingsNew-GitHubOrganizationandInstall-GitHubAppinOrganizations.Tests.ps1to handle propagation delayOrganizations.Tests.ps1to confirm all 4 cascading tests passDocumentation
tests.instructions.mdunder the APP_ENT sectionenterprise_organization_installations: writeis needed for the Organizations test enterprise flow