
Cannot assign GitHub team to reviews #207

Open
yoshi-koyama opened this issue Sep 16, 2022 · 3 comments
Comments

@yoshi-koyama

Describe the bug
I know this is a duplicate Issue, but I would like to discuss it with you.

The issue:

I am unable to assign a GitHub team as reviewers.

To Reproduce
I have been experimenting with this repository.
https://github.com/reytech-co-jp/auto-assign-test

Steps to reproduce the behavior:

  1. Create an Organization and a team.

     [Screenshot 2022-09-16 10:39:58]

  2. Create a repository.

     [Screenshot 2022-09-16 10:40:27]

  3. Configure auto-assign and enable auto-assign to access the repository
     https://github.com/apps/auto-assign

     [Screenshot 2022-09-16 10:42:08]

  4. Create ./.github/auto_assign.yml in the repository
     https://github.com/reytech-co-jp/auto-assign-test/blob/main/.github/auto_assign.yml

  5. Invite the team as a collaborator with Read access

     [Screenshot 2022-09-16 10:49:22]

  6. Make a pull request and see that no reviewers are assigned
     https://github.com/reytech-co-jp/auto-assign-test/pull/18

Expected behavior
I want the team to be assigned as reviewers.

Desktop (please complete the following information):

  • macOS
  • Chrome

Workaround

I have also considered GitHub's Code Review feature, but it is not available because I need to assign more than 3 people.
https://docs.github.com/en/[email protected]/organizations/organizing-members-into-teams/managing-code-review-settings-for-your-team

Research

It seems necessary to change the permission settings as mentioned in this Issue.
#138 (comment)

I suspect that a team that includes me can't be assigned as a reviewer when I make a pull request.

Your help would be greatly appreciated.
Thank you in advance.

@kentaro-m kentaro-m self-assigned this Sep 17, 2022
@kentaro-m
Owner

kentaro-m commented Sep 19, 2022

@yoshi-koyama

Thank you for reporting the Issue.

I would like to share my understanding and thoughts on this Issue.
Please let me know your opinion.

Current Status

The team assign feature is implemented in the code but is not enabled in the hosted app. To enable this feature, the developer (me) needs to add permissions to the app.

After that, app users need to approve the added permissions. All users of the app will be notified of this.

Alternatives

One way to enable the team assign feature is to self-host the app.

My thoughts

The reason I am not willing to add permissions is that the cost of running an app securely is high.

Security best practices for apps - GitHub Docs
https://docs.github.com/en/developers/github-marketplace/creating-apps-for-github-marketplace/security-best-practices-for-apps

The apps I submit to the marketplace are hosted and managed by me. I patch my apps regularly to keep them secure. I also keep permissions to a minimum.

Additional permissions are required to enable the team assignment feature, but they allow the app to access more data.

It would be an unnecessary permission addition for users who do not want the team assignment feature. And with more data to handle, I will need to operate the app more carefully.

Self-hosting the app also provides a way to activate the feature.

For those reasons, I haven't done that so far.

I have not thoroughly investigated the risk of adding permissions, and I think that is something we should look into.
I also believe that documentation support for this issue is needed.

@koyama-yoshihito
Contributor

koyama-yoshihito commented Sep 21, 2022

Thank you for your reply!

As you said, it seems to cost a lot to enable this feature, and I understand that it would not fully follow the Security best practices for apps.
https://docs.github.com/en/developers/github-marketplace/creating-apps-for-github-marketplace/security-best-practices-for-apps

Apps should use the principle of least privilege and should only request the OAuth scopes and GitHub App permissions that the app needs to perform its intended functionality.

And,

I also believe that documentation support for this issue is needed.

I agree with you. It would be very much appreciated if you could document it.

Now that my questions have been answered, you can close this issue.
Thank you for your sincere support.

@koyama-yoshihito
Contributor

I created a pull request to modify README.md!
#209
I hope I can get feedback from you :)
