Add a credential plugin that uses GitHub Apps to get tokens #87
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
djyasin
approved these changes
Feb 19, 2025
fosterseth
approved these changes
Feb 19, 2025
webknjaz
changed the title
webknjaz
force-pushed
the
aap-38589-github-app-cred
branch
2 times, most recently
from
95e3489 to
cf39bb6
Compare
webknjaz
commented
Feb 19, 2025
webknjaz
commented
Feb 19, 2025
webknjaz
commented
Feb 19, 2025
webknjaz
force-pushed
the
aap-38589-github-app-cred
branch
2 times, most recently
from
fc8da9a to
e3f207e
Compare
webknjaz
commented
Feb 19, 2025
This patch uses PyGitHub to implement it. It currently only supports GitHub App IDs due to limitations in PyGitHub [[1]]. It also takes care of passing it as a string into the library because PyGitHub does not perform type conversion, which sometimes leads to producing invalid JWTs [[2]] as the underlying library PyJWT lacks validation [[3]]. The plugin accepts both GitHub App and installation IDs as integers and normalizes them into strings. The tests use ephemerally-produced in-memory RSA keys for JWT verification. As an optimization, they are 1024-bit sized because it is cheaper and makes the tests more performant compared to bigger values. As a temporary measure, the patch includes a suppression of WPS202 in flake8 for `github_app.py`. A few type-ignores were added around PyGitHub exception handling due to them using `Any` [[4]]. The patch also includes a change to the flake8-eradicate config letting distinguish comments with URL lists. [1]: PyGithub/PyGithub#3213 [2]: PyGithub/PyGithub#3214 [3]: jpadilla/pyjwt#1039 [4]: PyGithub/PyGithub#3218 Co-authored-by: Sviatoslav Sydorenko <webknjaz@redhat.com>
This change temporarily removes mentions of client ID and marks it as not allowed. PyGitHub seems to not fully support it [[1]]. [1]: PyGithub/PyGithub#3213
webknjaz
force-pushed
the
aap-38589-github-app-cred
branch
from
681e75d to
fdf7f09
Compare
arrestle
approved these changes
Feb 19, 2025
fosterseth
approved these changes
Feb 19, 2025
webknjaz
pushed a commit
that referenced
this pull request
Feb 19, 2025
…lockfiles-updating-PyGitHub This patch adds PyGitHub introduced in #87 to lock files.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch uses PyGitHub to implement it. It currently only supports
GitHub App IDs due to limitations in PyGitHub [1]. It also
takes care of passing it as a string into the library because PyGitHub
does not perform type conversion, which sometimes leads to producing
invalid JWTs [2] as the underlying library PyJWT lacks validation
[3].
This change temporarily excludes mentions of client ID and marks it as
not allowed.
The plugin accepts both GitHub App and installation IDs as integers
and normalizes them into strings.
The tests use ephemerally-produced in-memory RSA keys for JWT
verification. As an optimization, they are 1024-bit sized because it
is cheaper and makes the tests more performant compared to bigger
values.
As a temporary measure, the patch includes a suppression of WPS202
in flake8 for
github_app.py.A few type-ignores were added around PyGitHub exception handling due
to them using
Any[4].The patch also includes a change to the flake8-eradicate config
letting distinguish comments with URL lists.
Supersedes #84.
Co-authored-by: Sviatoslav Sydorenko webknjaz@redhat.com