
[FR] GitHub authentication using a GitHub App #470

@markszabo

Description

Summary

Looking at the docs, it seems that currently only personal access tokens (either fine-grained or classic) are supported as a way to authenticate to GitHub and retrieve private repositories.

Would it be possible to support authenticating via GitHub Apps as well?

Details

The GitHub docs recommend using GitHub Apps over PATs for this type of long-lived integration.

Moreover, for GitHub Enterprise Cloud setups, GitHub bills per user account (which includes service accounts), so many companies limit the number of service accounts and use GitHub Apps instead for automations.

A GitHub App can be installed on either entire GitHub organizations (including new repos within those orgs) or a selected set of repositories. This would help control the access SourceBot has (compared to a PAT, unless the PAT belongs to a dedicated service account).

The GitHub App has a private key, which can be used to create a temporary access token scoped to either an org or a repository, and then this token can be used to call the GitHub API. This is likely the logic that SourceBot would need to implement. Something like:

  1. Let the user choose GitHub App as the authentication method and provide its ID and private key
  2. When SourceBot needs to access the GitHub API, instead of simply taking the PAT from the config, it would take the private key, create the token scoped for the specific org, then use that

Since the token is scoped to either a repository or an organization, it will need to be generated per org (unlike a PAT, which works across all orgs), so this is likely additional logic to be implemented.
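As an added example (not code from this issue, nor from SourceBot), here is the flow the two steps above describe, in Go using only the standard library: the App ID and private key sign a short-lived JWT, that JWT is exchanged at GitHub's installation access-token endpoint for a token scoped to one installation, and a small per-installation cache hands that token out and refreshes it before it expires. The App ID, installation ID and token strings are constructed placeholders, and the exchange itself is represented by a request builder plus an injected fetch function, so nothing here contacts GitHub.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"sync"
	"time"
)

// appClaims is the JWT payload GitHub expects from an App: the app ID as issuer and a
// lifetime of at most ten minutes. All IDs and tokens in this file are constructed values.
type appClaims struct {
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// appJWT signs a short-lived RS256 JWT with the App's private key. It lets the App act as
// itself (list installations, mint installation tokens); it never reads repositories directly.
func appJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	enc := base64.RawURLEncoding
	claims, err := json.Marshal(appClaims{
		Iss: appID,
		Iat: now.Add(-60 * time.Second).Unix(), // backdated to absorb clock drift
		Exp: now.Add(9 * time.Minute).Unix(),   // stays under GitHub's 10-minute maximum
	})
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// installationTokenRequest builds the call that exchanges the App JWT for an installation
// access token. That token is scoped to one installation (an org, or a chosen set of repos),
// so a deployment indexing several orgs needs one per installation rather than one global secret.
func installationTokenRequest(apiBase, jwt string, installationID int64) (*http.Request, error) {
	url := fmt.Sprintf("%s/app/installations/%d/access_tokens", strings.TrimRight(apiBase, "/"), installationID)
	req, err := http.NewRequest(http.MethodPost, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req, nil
}

// installationToken holds the fields of GitHub's access_tokens response that the cache needs.
type installationToken struct {
	Token     string    `json:"token"`
	ExpiresAt time.Time `json:"expires_at"`
}

// tokenCache keeps one installation token per installation ID and refreshes each one shortly before
// it expires (GitHub issues them for one hour). fetch is injected so the logic runs without network.
type tokenCache struct {
	mu    sync.Mutex
	fetch func(installationID int64) (installationToken, error)
	now   func() time.Time
	toks  map[int64]installationToken
}

func newTokenCache(fetch func(int64) (installationToken, error)) *tokenCache {
	return &tokenCache{fetch: fetch, now: time.Now, toks: map[int64]installationToken{}}
}

// Get returns a token for installationID that stays valid for at least five more minutes,
// so a long clone or a paginated listing does not fail halfway through on an expired token.
func (c *tokenCache) Get(installationID int64) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if t, ok := c.toks[installationID]; ok && c.now().Add(5*time.Minute).Before(t.ExpiresAt) {
		return t.Token, nil
	}
	t, err := c.fetch(installationID)
	if err != nil {
		return "", err
	}
	c.toks[installationID] = t
	return t.Token, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the PEM key downloaded from the App settings
	tok, _ := appJWT("12345", key, time.Now())
	req, _ := installationTokenRequest("https://api.github.com", tok, 67890)
	fmt.Println(req.Method, req.URL, len(strings.Split(tok, ".")), "JWT segments")
}
```

In production the fetch function would send the request from installationTokenRequest and decode the JSON body into installationToken. The installation ID for each org is looked up once through the App's installations list (GET /app/installations, authenticated with the same JWT) and can sit in the config next to the org name. The split matters for blast radius: the PEM private key only ever signs ten-minute JWTs and never touches repository data, while the installation tokens that do touch repositories are limited to one installation's repos and expire within the hour.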

Labels: enhancement