Why might a Forge product-trigger app not install in production?

We have two Atlassian Sites:

  1. Production Atlassian Site with premium JSM and JS.
  2. Sandbox Site of above Site, with data copied down.

Installing personal Forge apps with permission scopes has worked so far on both instances, except for the product-trigger type with the (required) read:jira-work scope on the Production Site.

Creating a product-trigger app, deploying to production, and installing it on the Sandbox Site works perfectly fine. But attempting to install it on the Production Site will fail.

To test this, I created a blank Forge app called SampleTrigger. It went like this:

  1. Log in to CLI with Org Admin credentials → source myenv.sh

  2. Create new app → forge create SampleTrigger

  3. Select template “product-trigger”

  4. Add required permissions → forge lint --fix (this will add read:jira-work)

  5. Deploy app to production → forge deploy -e production

  6. Install on Sandbox → forge install -e production → Select Jira, enter Sandbox URL.

  7. Test it works in Sandbox by viewing logs —> It works.

  8. Install on Prod → forge install -e production --verbose → Select Jira, enter Prod URL.
    At this point, the Production installation will attempt for several minutes before eventually failing. No error info is provided, just a response that the installation failed with “Error: InstallationRequestFailedError”.

  9. As an additional attempt, I tried turning on sharing for the Forge in order to install it on the instance via URL. The result was the same (long running install process followed by failure).

In both Production Site install attempts, the Forge app can show as installed in Jira under the “Manage apps” section for up to 20 minutes or so before eventually disappearing.
I can see that the process correctly created a user account named “SampleTrigger” that has product access to JSM, JS, and JWM on the Production Site.

It appears the problems comes from the “read:jira-work” scope permissions.
If I attempt to make a different app (such as a scheduled-trigger) it will install on the Production Site just fine. However, if I add the “read:jira-work” scope it will no longer install (with the same problem as the product-trigger app described above). And I do not believe it is possible to create a product-trigger Forge app without the “read:jira-work” scope permission.

So potentially, a different way to phrase the question in the title is “why does an app with the read:jira-work scope install correctly on a Sandbox Site but not a Production Site”?
We have Jira Service Management Premium and Jira Software Premium, but could it be caused by only having the Standard edition of Jira Work Management?