Good article and agree with the recommendations, I'm trying to understand the attack flow though. You perform an actual installation and get a valid authorization code, but replace the actual installation ID with another (that the user has no access to)?

This is a major issue then from GitHub's side. I think what GitHub should do is just like with OAuth apps, allow you to provide a state (assuming the flow is starting from the SaaS app, not from the GitHub marketplace; I assume you can't send a state since it's sort of like an "IdP initiated" flow in case you start the installation from the GitHub marketplace), but they should let you opt out and require a state. There is a reason why things like PKCE and such exist.
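As an added illustration of the two checks the comment above is getting at (it is example code, not from the article or from GitHub): the app binds a random `state` to the user's session before redirecting, rejects any callback whose `state` does not match, and then, independently of `state`, refuses to link an `installation_id` that the authenticated user cannot actually access. The install URL shape, the `exchange` callable (standing in for the code-for-token exchange plus an installation lookup) and all sample data are assumptions constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlencode


class InstallCallbackError(Exception):
    """Raised when a callback fails either the state check or the ownership check."""


def begin_install(session: dict, app_slug: str) -> str:
    """SaaS-initiated start: mint a fresh, unguessable state and bind it to this session."""
    state = secrets.token_urlsafe(32)
    session["gh_install_state"] = state
    # Hypothetical install URL; the real one is whatever GitHub documents for the app.
    return f"https://github.com/apps/{app_slug}/installations/new?{urlencode({'state': state})}"


def handle_install_callback(session: dict, params: dict, exchange) -> dict:
    """Validate the callback before linking an installation to the signed-in user.

    `exchange(code)` is an assumed helper that redeems the authorization code and
    returns (user_login, installation_ids_the_user_can_access).
    """
    # Check 1: the state must be the one we issued to this session, and it is single-use.
    expected = session.pop("gh_install_state", None)
    presented = params.get("state")
    if expected is None or presented is None or not hmac.compare_digest(expected, presented):
        raise InstallCallbackError("state missing or mismatched; discarding callback")

    code = params.get("code")
    installation_id = params.get("installation_id")
    if not code or not installation_id:
        raise InstallCallbackError("callback missing code or installation_id")

    # Check 2: a valid code does not prove the caller owns the installation_id in the
    # URL, so verify the ID against what the authenticated user can really reach.
    user_login, accessible = exchange(code)
    if str(installation_id) not in {str(i) for i in accessible}:
        raise InstallCallbackError(
            f"installation {installation_id} is not accessible to {user_login}; refusing to link"
        )
    return {"user": user_login, "installation_id": str(installation_id)}


def fake_exchange(code: str):
    # Constructed sample data: "good-code" belongs to "alice", who can access installations 101 and 102.
    if code != "good-code":
        raise InstallCallbackError("authorization code rejected")
    return "alice", [101, 102]


def demo() -> dict:
    """Happy path: state round-trips and the installation belongs to the user."""
    session = {}
    begin_install(session, "example-app")
    params = {"state": session["gh_install_state"], "code": "good-code", "installation_id": "101"}
    return handle_install_callback(session, params, fake_exchange)


if __name__ == "__main__":
    print(demo())
```

The ownership check is the one that matters for the substitution described in the thread: a `state` parameter alone only proves the callback belongs to a flow this session started, not that the installation in the URL is the one the user actually installed.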
One reason we use Amazon's "Code Commit" over any github project is there's no possibility we can click the wrong setting and make our code public.