PSModule · MariusStorhaug · Sep 15, 2025 · Sep 12, 2025 · Sep 12, 2025 · Sep 12, 2025
@@ -36,7 +36,7 @@
     [System.Nullable[datetime]] $UpdatedAt
 
     # The permissions that the app is requesting.
-    [pscustomobject] $Permissions
+    [GitHubPermission[]] $Permissions
 
     # The events that the app is subscribing to on its target.
     [string[]] $Events
@@ -59,7 +59,7 @@
         $this.Url = $Object.html_url
         $this.CreatedAt = $Object.created_at
         $this.UpdatedAt = $Object.updated_at
-        $this.Permissions = $Object.permissions
+        $this.Permissions = [GitHubPermission]::NewPermissionList($Object.permissions)
         $this.Events = , ($Object.events)
         $this.Installations = $Object.installations_count
     }

@@ -15,7 +15,7 @@
     [string] $RepositorySelection
 
     # The permissions that the app has on the target.
-    [pscustomobject] $Permissions
+    [GitHubPermission[]] $Permissions
 
     # The events that the app is subscribing to.
     [string[]] $Events
@@ -41,6 +41,9 @@
     # The URL to the target's profile based on the target type.
     [string] $Url
 
+    # The status indicating if the installation permissions and events match the app's configuration.
+    [string] $Status
+
     GitHubAppInstallation() {}
 
     GitHubAppInstallation([PSCustomObject] $Object) {
@@ -55,14 +58,32 @@
         $this.Target = [GitHubOwner]::new($Object.account)
         $this.Type = $Object.target_type
         $this.RepositorySelection = $Object.repository_selection
-        $this.Permissions = $Object.permissions
+        $this.Permissions = [GitHubPermission]::NewPermissionList($Object.permissions, $this.Type)
+        $this.Events = , ($Object.events)
+        $this.FilePaths = $Object.single_file_paths
+        $this.CreatedAt = $Object.created_at
+        $this.UpdatedAt = $Object.updated_at
+        $this.SuspendedAt = $Object.suspended_at
+        $this.SuspendedBy = [GitHubUser]::new($Object.suspended_by)
+        $this.Url = $Object.html_url
+        $this.Status = 'Unknown'
+    }
+
+    GitHubAppInstallation([PSCustomObject] $Object, [GitHubApp] $App) {
+        $this.ID = $Object.id
+        $this.App = $App
+        $this.Target = [GitHubOwner]::new($Object.account)
+        $this.Type = $Object.target_type
+        $this.RepositorySelection = $Object.repository_selection
+        $this.Permissions = [GitHubPermission]::NewPermissionList($Object.permissions, $this.Type)
         $this.Events = , ($Object.events)
         $this.FilePaths = $Object.single_file_paths
         $this.CreatedAt = $Object.created_at
         $this.UpdatedAt = $Object.updated_at
         $this.SuspendedAt = $Object.suspended_at
         $this.SuspendedBy = [GitHubUser]::new($Object.suspended_by)
         $this.Url = $Object.html_url
+        $this.UpdateStatus()
     }
 
     GitHubAppInstallation([PSCustomObject] $Object, [string] $Target, [string] $Type, [GitHubContext] $Context) {
@@ -81,13 +102,95 @@
         }
         $this.Type = $Type
         $this.RepositorySelection = $Object.repository_selection
-        $this.Permissions = $Object.permissions
+        $this.Permissions = [GitHubPermission]::NewPermissionList($Object.permissions, $this.Type)
+        $this.Events = , ($Object.events)
+        $this.FilePaths = $Object.single_file_paths
+        $this.CreatedAt = $Object.created_at
+        $this.UpdatedAt = $Object.updated_at
+        $this.SuspendedAt = $Object.suspended_at
+        $this.SuspendedBy = [GitHubUser]::new($Object.suspended_by)
+        $this.Url = "https://$($Context.HostName)/$($Type.ToLower())s/$Target/settings/installations/$($Object.id)"
+        $this.Status = 'Unknown'
+    }
+
+    GitHubAppInstallation([PSCustomObject] $Object, [string] $Target, [string] $Type, [GitHubContext] $Context, [GitHubApp] $App) {
+        $this.ID = $Object.id
+        $this.App = $App
+        $this.Target = [GitHubOwner]@{
+            Name = $Target
+            Type = $Type
+            Url  = "https://$($Context.HostName)/$Target"
+        }
+        $this.Type = $Type
+        $this.RepositorySelection = $Object.repository_selection
+        $this.Permissions = [GitHubPermission]::NewPermissionList($Object.permissions, $this.Type)
         $this.Events = , ($Object.events)
         $this.FilePaths = $Object.single_file_paths
         $this.CreatedAt = $Object.created_at
         $this.UpdatedAt = $Object.updated_at
         $this.SuspendedAt = $Object.suspended_at
         $this.SuspendedBy = [GitHubUser]::new($Object.suspended_by)
         $this.Url = "https://$($Context.HostName)/$($Type.ToLower())s/$Target/settings/installations/$($Object.id)"
+        $this.UpdateStatus()
+    }
+
+    # Updates the Status property by comparing installation permissions with app permissions
+    # filtered by the appropriate scope based on installation type
+    [void] UpdateStatus() {
+        if (-not $this.App -or -not $this.App.Permissions) {
+            $this.Status = 'Unknown'
+            return
+        }
+
+        # Get app permissions filtered by installation type scope
+        $appPermissionsFiltered = switch ($this.Type) {
+            'Enterprise' {
+                $this.App.Permissions | Where-Object { $_.Scope -eq 'Enterprise' }
+            }
+            'Organization' {
+                $this.App.Permissions | Where-Object { $_.Scope -in @('Organization', 'Repository') }
+            }
+            'User' {
+                $this.App.Permissions | Where-Object { $_.Scope -in @('Repository') }
+            }
+            default {
+                $this.App.Permissions
+            }
+        }
+
+        # Compare permissions by creating lookup dictionaries
+        $appPermissionLookup = @{}
+        foreach ($perm in $appPermissionsFiltered) {
+            $appPermissionLookup[$perm.Name] = $perm.Value
+        }
+
+        $installationPermissionLookup = @{}
+        foreach ($perm in $this.Permissions) {
+            $installationPermissionLookup[$perm.Name] = $perm.Value
+        }
+
+        # Check if permissions match
+        $permissionsMatch = $true
+
+        # Check if all app permissions exist in installation with same values
+        foreach ($name in $appPermissionLookup.Keys) {
+            if (-not $installationPermissionLookup.ContainsKey($name) -or
+                $installationPermissionLookup[$name] -ne $appPermissionLookup[$name]) {
+                $permissionsMatch = $false
+                break
+            }
+        }
+
+        # Check if installation has any extra permissions not in the app
+        if ($permissionsMatch) {
+            foreach ($name in $installationPermissionLookup.Keys) {
+                if (-not $appPermissionLookup.ContainsKey($name)) {
+                    $permissionsMatch = $false
+                    break
+                }
+            }
+        }
+
+        $this.Status = $permissionsMatch ? 'Ok' : 'Outdated'
     }
 }
@@ -15,7 +15,7 @@
     [string] $OwnerType
 
     # The permissions that the app is requesting on the target
-    [pscustomobject] $Permissions
+    [GitHubPermission[]] $Permissions
 
     # The events that the app is subscribing to once installed
     [string[]] $Events
@@ -47,7 +47,7 @@
         $this.KeyVaultKeyReference = $Object.KeyVaultKeyReference
         $this.OwnerName = $Object.OwnerName
         $this.OwnerType = $Object.OwnerType
-        $this.Permissions = $Object.Permissions
+        $this.Permissions = [GitHubPermission]::NewPermissionList($Object.Permissions)
         $this.Events = $Object.Events
     }
 }
@@ -6,7 +6,7 @@
     [System.Nullable[uint64]] $InstallationID
 
     # The permissions that the app is requesting on the target
-    [pscustomobject] $Permissions
+    [GitHubPermission[]] $Permissions
 
     # The events that the app is subscribing to once installed
     [string[]] $Events
@@ -41,7 +41,7 @@
         $this.PerPage = $Object.PerPage
         $this.ClientID = $Object.ClientID
         $this.InstallationID = $Object.InstallationID
-        $this.Permissions = $Object.Permissions
+        $this.Permissions = [GitHubPermission]::NewPermissionList($Object.Permissions, $Object.InstallationType)
         $this.Events = $Object.Events
         $this.InstallationType = $Object.InstallationType
         $this.InstallationName = $Object.InstallationName