Skip to content

Add GitHub App authentication support#154

Open
databus23 wants to merge 5 commits into
concourse:masterfrom
databus23:wip/github-app-auth
Open

Add GitHub App authentication support#154
databus23 wants to merge 5 commits into
concourse:masterfrom
databus23:wip/github-app-auth

Conversation

@databus23

Copy link
Copy Markdown

Motivation

Some organizations forbid the use of personal access tokens, which makes this resource unusable in those environments. This PR adds GitHub App authentication as an alternative to personal access tokens.

Changes

Adds app_id and private_key as source configuration options. When provided, the resource authenticates as a GitHub App installation:

  1. Creates an app-level JWT from the provided credentials
  2. Auto-discovers the installation ID for the configured owner/repository
  3. Obtains an installation access token (auto-refreshed by the transport)

Example configuration

resources:
- name: my-release
  type: github-release
  source:
    owner: my-org
    repository: my-repo
    app_id: ((github-app-id))
    private_key: ((github-app-private-key))

Notes

  • app_id accepts both numeric and string values (credential managers like Vault/CredHub interpolate everything as strings)
  • Fully supports GitHub Enterprise (custom API URLs)
  • Mutually exclusive with access_token - providing both is a validation error
  • All existing behavior is unchanged when using access_token

Fixes #124

@databus23 databus23 requested a review from a team as a code owner July 3, 2026 21:42
@linux-foundation-easycla

linux-foundation-easycla Bot commented Jul 3, 2026

Copy link
Copy Markdown

CLA Signed
The committers listed above are authorized under a signed CLA.

databus23 added 5 commits July 3, 2026 23:51
Add app_id and private_key fields to Source struct. Refactor
GitHubClient to use hasAuth/tokenFunc instead of raw accessToken
string, enabling both PAT and GitHub App auth. Auto-discovers
installation ID via Apps.FindRepositoryInstallation.
Tests cover:
- Conflicting auth configuration (token + app creds)
- Incomplete app credentials (app_id without private_key and vice versa)
- Successful installation discovery and token-authenticated GraphQL
- Installation not found (404)
- Invalid private key
Concourse credential managers interpolate all values as strings.
Use a FlexInt64 type that unmarshals from both JSON numbers and
quoted numeric strings.
- Extract normalizeURL helper to remove 3x duplicated URL
  normalization in appInstallationClient
- Return error instead of silently ignoring url.Parse failure
- Add tests for FlexInt64 unmarshaling from JSON string (the
  actual credential-manager scenario that broke in production)
@databus23 databus23 force-pushed the wip/github-app-auth branch from 2af0dc5 to 571adb7 Compare July 3, 2026 21:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Support Request (Maybe Feature): How do we use ephemeral Github tokens with this?

1 participant