I'm not sure if this issue is more appropriate for this project or the upstream terraform provider, or even if this isn't a bug and by design in the GitHub API.
My context: I have two different organizations:
- The first organization, A, is unknown by crossplane but contains a public template repository
- The second organization, B, is the one managed by crossplane, in which I'm trying to create a private repository from the public template
The credentials are in the form of a fine-grained PAT of a bot user, with all permissions but scoped to organization B (it happens that this bot user is an owner of both organizations, but as far as I understand this isn't relevant to the problem).
However, creation of the resource leads to a permission error during the POST /generate on the template: it so happens that the token has no expiration date, and that Organization A has a policy restricting tokens without one, hence the refusal.
Of course, I could change this policy, but the behavior is surprising: why should this action be restricted by the policy of an organization that is, from the point of view of the provider, completely unknown to it? I also fear that even by changing the policy, I'd get a permission problem, since that token is scoped only to B.
Is there a way to have that creation look like an anonymous request from the point of view of A?
Cheers,
Update: using a GitHub App for authentication, the problem isn't present anymore. Assuming this is a limitation by design of the GitHub API, I think I can close the issue. Sorry for the noise!