Dependency probing within the same organization seems to always return 403 forbidden

[DF1229]

Hello, we're trying to setup a (private) repository for a couple PTE's, which both have a dependency on one of our AppSource apps. The AppSource app lives in a seperate (also private) repository, in the same organisation.
The PTE's are usually deployed together, but don't have to be, so we decided to put them in seperate projects in one repository.

Having setup the appDependencyProbingPaths in .github/AL-Go-Settings.json, we are now trying to get the downloading of dependencies to work. Except for the repository URL and AuthTokenSecret we've left all of the probing settings default, so AL-Go is looking for the latest successful CI/CD build. As of writing this build exists and is only 17 hours old.

We're using the new GitHub App Authentication method by setting the ghTokenWorkflow secret for the entire organisation. The app has access to all repositories, and has the permissions as listed in GhTokenWorkflow.md. This method works perfectly fine for our other AL-Go repositories.

However, the Downloading dependencies step of the build job fails because the API returns a 403 Forbidden.
Below is a partly redacted snippet of the log:

Downloading project dependencies from probing paths
  Checking type
  Checking appFolders, testFolders and bcptTestFolders
  Application Dependency 26.0.0.0
  Updating app- and test Dependencies
  Analyzing Test App Dependencies
  No performance test apps found in bcptTestFolders in .AL-Go\settings.json
  Checking appDependencyProbingPaths
  Dependency to projects '*' in https://github.com/<orgname>/<AppSourceAppRepo>@main, version latest, release status latestBuild
  Using secret ghTokenWorkflow for access to repository
  Locating Apps artifacts for projects: *
  Using GitHub App with ClientId <GHAppClientId> for authentication
  Get App Info https://api.github.com/repos/<orgname>/<AppSourceAppRepo>/installation
  Get Token Response https://api.github.com/app/installations/63486302/access_tokens with {"repositories":["<AppSourceAppRepo>"],"permissions":{"metadata":"read","contents":"read"}}
  Finding latest successful CICD run for branch main in repository <orgname>/<AppSourceAppRepo>, checking last 90 days
  - https://api.github.com/repos/<orgname>/<AppSourceAppRepo>/actions/runs?per_page=100&page=1&exclude_pull_requests=true&status=completed&branch=main&created=>2025-01-03T21:37:42.4234163Z
  The remote server returned an error: (403) Forbidden. 

A couple things to note in this log:

• The listed GitHub App Client Id matches the app we created for this
• All <orgname>'s and <AppSourceAppRepo>'s match the expectation
• The listed permissions seem to be incomplete when compared to the permissions granted to the GH app (is this on purpose??)

We have tried various things to get this working:

• Downloading the dependency through the AppSource NuGet feed
  • As of yesterday this returns an older 25.5 version, which breaks the PTE's, and we prefer using the latest build.
• Replacing the org-wide ghTokenWorkflow with a classic PAT
  • Same 403 result (even from an org-wide admin user)
• Using a ghTokenWorkflow from an Azure KeyVault
  • Same 403 result (as expected, but worth a shot)

Are we doing something wrong?

[freddydk]

This is a duplicate of #1616
It seems like there is a problem with github App Authentication with app dependency probing paths - will investigate that.