POST /orgs/{org}/code-security/configurations returns HTTP 500 when secret_scanning_delegated_bypass_options.reviewers is included

[casey-robertson-paypal]

Summary

Creating an organization code security configuration via
POST /orgs/{org}/code-security/configurations returns HTTP 500 (empty body)
when the request includes secret_scanning_delegated_bypass_options.reviewers —
even though the configuration is successfully created. The identical request
without the reviewers block returns 201, and adding the same reviewers via a
follow-up PATCH returns 200. So only the create-with-reviewers path is
affected.

Reproduced against GitHub Enterprise Cloud as of June 2026. (Note: this path
appears to have worked previously, so this may be a regression.)

Expected behavior

POST with valid secret_scanning_delegated_bypass_options.reviewers should
return 201 Created with the configuration body — the same as creating it
without reviewers, or as the equivalent PATCH.

Actual behavior

500 Internal Server Error with an empty response body. The configuration is
nonetheless created server-side, so a client that treats the 500 as a failure
(and retries, as many HTTP clients do for 5xx) then hits
422 "Name has already been taken" on the retry and is left with an orphaned
configuration.

Reproduction

Using a token with admin:org (or fine-grained Administration: write) on the
target org, and a real team in that org:

ORG="your-org"
TOKEN="***"
TEAM_ID=$(gh api -X POST "orgs/$ORG/teams" -H "Authorization: token $TOKEN" -f name="bypass-reviewers" --jq '.id')

# (A) create WITH reviewers -> 500 (but the config is created)
curl -sS -o /dev/null -w "%{http_code}\n" -X POST \
  -H "Authorization: token $TOKEN" -H "Accept: application/vnd.github+json" \
  "https://api.github.com/orgs/$ORG/code-security/configurations" \
  -d "{\"name\":\"repro-with-reviewers\",\"advanced_security\":\"enabled\",\"secret_scanning\":\"enabled\",\"secret_scanning_push_protection\":\"enabled\",\"secret_scanning_delegated_bypass\":\"enabled\",\"secret_scanning_delegated_bypass_options\":{\"reviewers\":[{\"reviewer_id\":$TEAM_ID,\"reviewer_type\":\"TEAM\"}]}}"
# -> 500

# (B) identical request WITHOUT the reviewers block -> 201
curl -sS -o /dev/null -w "%{http_code}\n" -X POST \
  -H "Authorization: token $TOKEN" -H "Accept: application/vnd.github+json" \
  "https://api.github.com/orgs/$ORG/code-security/configurations" \
  -d "{\"name\":\"repro-no-reviewers\",\"advanced_security\":\"enabled\",\"secret_scanning\":\"enabled\",\"secret_scanning_push_protection\":\"enabled\",\"secret_scanning_delegated_bypass\":\"enabled\"}"
# -> 201

# (C) PATCH the (B) config to ADD the same reviewers -> 200
#     (CONFIG_ID from the 201 response of B)
curl -sS -o /dev/null -w "%{http_code}\n" -X PATCH \
  -H "Authorization: token $TOKEN" -H "Accept: application/vnd.github+json" \
  "https://api.github.com/orgs/$ORG/code-security/configurations/CONFIG_ID" \
  -d "{\"secret_scanning_delegated_bypass_options\":{\"reviewers\":[{\"reviewer_id\":$TEAM_ID,\"reviewer_type\":\"TEAM\"}]}}"
# -> 200

Request	Result
Create with delegated_bypass_options.reviewers	500 (empty body) — config still created
Create without reviewers	201 Created
Update (PATCH) to add the same reviewers	200 OK

Impact

Any API client that sends reviewers in the create request hits the 500. Clients
that retry 5xx then get a confusing 422 duplicate-name error plus an orphaned
configuration. The current workaround is to create the configuration first and
set reviewers in a separate PATCH.

Environment

• GitHub Enterprise Cloud, observed June 2026
• X-Github-Api-Version: 2022-11-28
• Reproduced with plain curl (no SDK involved)

[github-actions[bot]]

Thank you for your interest in contributing to our community! We currently only accept discussions created through the GitHub UI using our provided discussion templates. Please re-submit your discussion by navigating to the appropriate category and using the template provided.

This discussion has been closed because it was not submitted through the expected format. If you believe this was a mistake, please reach out to the maintainers.