feat(github): GitHub App installation support #169
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There is this special kind of GitHub access tokens which belong to the GitHub App installation (GitHub App installed in your GitHub organization, doing stuff on it's own behalf, like various bots). Compared to the more usual Personal Access Tokens, these tokens have entirely different way of managing their permissions and getting them from the GitHub API. This set of changes introduces support for those tokens, which in turn led to a couple of new design decisions and some refactoring, splitting the original GithubIdentity into two subclasses, each dealing with their own authentication/authorization scheme, while still leveraging the common caching capabilities, now factored out to the parent class. Each of the subclasses has an 'authenticate' class method, which creates an instance of the particular class, when properly authenticated against the GitHub API. This identity is then paired with its access token in a cache for later reuse. In turn, the instance has a private '_authorize' method which provides means for obtaining the targeted org/repo permissons. These permissions are supposed to be stored in a per-identity cache via the call to '_set_permissions'. Due to the nature of the permission discovery for the new GitHub App installations, multiple repo permissions (of a single org) can be cached in a single repo. Also, when this identity has access to all organization repos, a special org/None permission is used to cover them all as a single entry. There's also a slightly unrelated addition, which is a configurable request timeout for the GitHub API calls, starting with some rather benevolent defaults. This should bring more stability to the module, as potentially hanging requests to the API won't hog the threads forever. Here are some more important milestones in this squash: * feat(github): extract username from the Basic authorization header To be eventually used to identify an application id with an "app installation" github token. * chore(github): move request session management under CallContext This is needed for further design improvements where GithubIdentity objects will be able to call their specific GitHub API calls. * chore(github): move CallContext to the module scope to hold a requests session * feat(github): support GitHub App installation tokens * chore(github): provide unit tests for GithubAppIdentity * feat(github): use a timeout for GitHub API calls * docs(github): GitHub App installation tokens * feat(github): casually cache GitHub App repo permissions Also: Somehow reflect on user caching preferences for the auth proxy cache, providing a hardcoded minimum for proxied entries. GithubIdentity._set_permissions got a new flag 'casual' for writing to the main auth cache without any guarantee this will be retrieved later. This is required so casually cached permissions for GitHub Apps won't get stuck in the proxy cache.
I don't get it, it was all ok the other day. Welp.
Closed
|
@vit-zikmund wow this is amazing. Thanks for all the hard work. @athornton would you be up for giving this the once over and then we can merge if you think it looks good? |
|
Yeah, hopefully I'll have some time tomorrow. |
athornton
approved these changes
Dec 3, 2024
|
@vit-zikmund we'd love to merge this. wdyt of @athornton comments. Big 🙏 to @athornton for the excellent review and 👏👏 to @vit-zikmund for the PR 🙌 |
|
Hi @rufuspollock I want to address them all, after all they are either sensible small improvements or nice endorsements 😊 |
|
Here are the last polishments as you requested. Thanks for the nice review! |
|
@vit-zikmund I don't remember if you have merge permissions, but feel free, and if you don't, let me know and I will. |
|
Nope, can't merge this myself, heh :) |
|
Merged! |
|
wheee! 😄 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello dear @rufuspollock & @athornton, long time no see :) I was missing you so much that I eventually ended up doing this beefy github auth upgrade! It adds support for GitHub App installation tokens, which is something I didn't have any knowledge about (lucky me) until I wanted to use a CICD automation (that uses a GitHub App as the governing identity) to act upon a LFS-enabled repo. Pretty nice rabbit hole I got stuck in for a several days.
Here's the feature on a rather nice silver plate. Let me know if you find any sharp corners on it, but it's proven to work in our premises. Below you'll find the the main commit description, slightly unraveling the core changes. See the updated docs for the details about this funny github token flavor.