Normalize App ID to String & Enhance JWT Issuer Verification #3272
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Wrap self._app_id with str() in the JWT payload's "iss" field to ensure it is always a string, addressing a potential type mismatch. This fixes compatibility issues where downstream JWT processing expects a string issuer, as GitHub App IDs are typically integers.
Update the AppAuth initializer to set self._app_id = str(app_id) instead of app_id directly. This normalizes the GitHub App ID (which can be int or str per the Union[int, str] type hint) to a string at initialization, ensuring the JWT "iss" claim is always a string as expected by JWT standards and downstream processing.
Modify testCreateJWT and testCreateJWTWithExpiration to expect a string "iss" claim (str(APP_ID)) in the payload, matching the AppAuth initializer change. Add issuer=str(APP_ID) to jwt.decode() calls to leverage PyJWT's built-in issuer validation, improving test robustness by failing early on issuer mismatches.
Contributor
Author
|
Can someone take a look at this? |
matt-davis27
pushed a commit
to matt-davis27/PyGithub
that referenced
this pull request
Aug 22, 2025
…b#3272) This PR fixes PyGithub#3214 by ensuring self._app_id is always a string in AppAuth, preventing type mismatches in the JWT "iss" claim. It also strengthens JWT tests by adding issuer validation during decoding. The AppAuth class previously stored self._app_id as-is (either int or str, per Union[int, str]), which could result in the JWT "iss" claim being an integer. Per the JWT specification ([RFC 7519, Section 4.1.1](https://tools.ietf.org/html/rfc7519#section-4.1.1)), the iss (issuer) claim should be a string, and GitHub’s authentication flow expects it as such. This type mismatch caused potential failures in downstream processing or validation (e.g., with PyJWT or GitHub’s API), as reported in PyGithub#3214. Additionally, the tests lacked proactive issuer checks, relying only on payload comparison, which missed an opportunity to catch errors earlier. **Changes** - String Normalization in AppAuth (github/Auth.py): `Changed self._app_id = app_id to self._app_id = str(app_id)` in the initializer. This ensures the "iss" claim is consistently a string, regardless of whether the input app_id is an integer (common for GitHub App IDs) or a string. - Test Improvements (tests/Authentication.py): Updated testCreateJWT and testCreateJWTWithExpiration to expect a string "iss" and added `issuer=str(APP_ID)` to jwt.decode(). This leverages PyJWT’s built-in issuer validation (introduced in PyJWT 1.0.0+), aligning with its security features and failing fast on issuer mismatches. **Fixes** ✅ Fixes type mismatch in JWT "iss" claim. ✅ Enhances test robustness by failing early on incorrect issuers. **Impact** Fixes the root cause of type-related errors in JWT generation, ensuring compliance with RFC 7519 and GitHub’s expectations. Strengthens tests by mirroring real-world validation (e.g., GitHub rejecting tokens with invalid iss), reducing the risk of regressions. **Testing** Verified with pytest tests/Authentication.py—both testCreateJWT and testCreateJWTWithExpiration pass with the updated expectations and issuer verification. Fixes: [PyGithub#3214](PyGithub#3214) --------- Co-authored-by: Enrico Minack <github@enrico.minack.dev>
renovate bot
added a commit
to codegen-sh/graph-sitter
that referenced
this pull request
Sep 28, 2025
Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more [here](https://redirect.github.com/renovatebot/renovate/discussions/37842). This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [PyGithub](https://redirect.github.com/pygithub/pygithub) | `==2.6.1` -> `==2.8.1` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>pygithub/pygithub (PyGithub)</summary> ### [`v2.8.1`](https://redirect.github.com/PyGithub/PyGithub/releases/tag/v2.8.1) [Compare Source](https://redirect.github.com/pygithub/pygithub/compare/v2.8.0...v2.8.1) #### What's Changed ##### Bug Fixes - Use default type if known type is not supported by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3365](https://redirect.github.com/PyGithub/PyGithub/pull/3365) **Full Changelog**: <PyGithub/PyGithub@v2.8.0...v2.8.1> ### [`v2.8.0`](https://redirect.github.com/PyGithub/PyGithub/releases/tag/v2.8.0) [Compare Source](https://redirect.github.com/pygithub/pygithub/compare/v2.7.0...v2.8.0) #### What's Changed ##### New Features - Add self hosted runner management to Organization by [@​billnapier](https://redirect.github.com/billnapier) in [PyGithub/PyGithub#3203](https://redirect.github.com/PyGithub/PyGithub/pull/3203) - Add support to generate release notes by [@​mball-agathos](https://redirect.github.com/mball-agathos) in [PyGithub/PyGithub#3022](https://redirect.github.com/PyGithub/PyGithub/pull/3022) ##### Improvements - Fix connection pooling to improve connection performance by [@​chriskuehl](https://redirect.github.com/chriskuehl) in [PyGithub/PyGithub#3289](https://redirect.github.com/PyGithub/PyGithub/pull/3289) - Add `Repository.get_automated_security_fixes` method by [@​zstyblik](https://redirect.github.com/zstyblik) in [PyGithub/PyGithub#3303](https://redirect.github.com/PyGithub/PyGithub/pull/3303) - Sync `Issue` class with API spec by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3338](https://redirect.github.com/PyGithub/PyGithub/pull/3338) - Return more union classes like `NamedUser | Organization | Enterprise` by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3224](https://redirect.github.com/PyGithub/PyGithub/pull/3224) - Sync `Enterprise` class with API spec by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3342](https://redirect.github.com/PyGithub/PyGithub/pull/3342) - Sync `GitReleaseAsset` class with API spec by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3343](https://redirect.github.com/PyGithub/PyGithub/pull/3343) - Sync many class with OpenAPI spec by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3344](https://redirect.github.com/PyGithub/PyGithub/pull/3344) - Point deprecation warnings to the caller code rather than inner class by [@​xmo-odoo](https://redirect.github.com/xmo-odoo) in [PyGithub/PyGithub#3275](https://redirect.github.com/PyGithub/PyGithub/pull/3275) - Allow for repo strings in all `Team` repo methods by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3356](https://redirect.github.com/PyGithub/PyGithub/pull/3356) ##### Bug Fixes - Fix API path of `Repository.get_git_ref` by [@​csalerno-asml](https://redirect.github.com/csalerno-asml) in [PyGithub/PyGithub#2992](https://redirect.github.com/PyGithub/PyGithub/pull/2992) - Rework redirection URL allowance check by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3329](https://redirect.github.com/PyGithub/PyGithub/pull/3329) - Fix `GitRelease.name`, deprecate `GitRelease.title` by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3346](https://redirect.github.com/PyGithub/PyGithub/pull/3346) - Remove `"COMMENT"` as the default event for `create_review` by [@​eddie-santos](https://redirect.github.com/eddie-santos) in [PyGithub/PyGithub#3078](https://redirect.github.com/PyGithub/PyGithub/pull/3078) - Add support for public release assets by [@​aolieman](https://redirect.github.com/aolieman) in [PyGithub/PyGithub#3339](https://redirect.github.com/PyGithub/PyGithub/pull/3339) - Fix GitHub breaking API change of `maintainers` in `Organization.create_team` by [@​interifter](https://redirect.github.com/interifter) in [PyGithub/PyGithub#3291](https://redirect.github.com/PyGithub/PyGithub/pull/3291) ##### Maintenance - Minor fix to release.yml by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3201](https://redirect.github.com/PyGithub/PyGithub/pull/3201) - Reduce test replay data by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3243](https://redirect.github.com/PyGithub/PyGithub/pull/3243) - Add check to OpenAPI script to check doc-string verbs by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3332](https://redirect.github.com/PyGithub/PyGithub/pull/3332) - Improve apply OpenAPI schemas by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3333](https://redirect.github.com/PyGithub/PyGithub/pull/3333) - Add config to OpenAPI script to ignore schemas by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3334](https://redirect.github.com/PyGithub/PyGithub/pull/3334) - Add suggest and create method feature to OpenAPI script by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3318](https://redirect.github.com/PyGithub/PyGithub/pull/3318) - Fix CI OpenApi apply command by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3341](https://redirect.github.com/PyGithub/PyGithub/pull/3341) - Improve OpenAPI scripts by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3340](https://redirect.github.com/PyGithub/PyGithub/pull/3340) - Improve OpenAPI CI by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3347](https://redirect.github.com/PyGithub/PyGithub/pull/3347) - Rework test framework by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3271](https://redirect.github.com/PyGithub/PyGithub/pull/3271) - Some minor fixes to OpenAPI scripts by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3350](https://redirect.github.com/PyGithub/PyGithub/pull/3350) - Add manual workflow to fix auto-fixable issues by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3351](https://redirect.github.com/PyGithub/PyGithub/pull/3351) - Bump actions/download-artifact from 4 to 5 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [PyGithub/PyGithub#3330](https://redirect.github.com/PyGithub/PyGithub/pull/3330) - Use default per-page const in `PaginatedList` by [@​sam93210](https://redirect.github.com/sam93210) in [PyGithub/PyGithub#3039](https://redirect.github.com/PyGithub/PyGithub/pull/3039) - Bump actions/setup-python from 4 to 5 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [PyGithub/PyGithub#3283](https://redirect.github.com/PyGithub/PyGithub/pull/3283) - Bump actions/checkout from 3 to 5 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [PyGithub/PyGithub#3348](https://redirect.github.com/PyGithub/PyGithub/pull/3348) - Various minor OpenAPI scripts fixes by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3353](https://redirect.github.com/PyGithub/PyGithub/pull/3353) - Add union class support to OpenAPI script by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3354](https://redirect.github.com/PyGithub/PyGithub/pull/3354) - Add `github_actions` label to Maintenance section by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3357](https://redirect.github.com/PyGithub/PyGithub/pull/3357) - Upgrade docformatter pre-commit hook by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3359](https://redirect.github.com/PyGithub/PyGithub/pull/3359) - Add warning about Checks API in doc-strings by [@​atodorov](https://redirect.github.com/atodorov) in [PyGithub/PyGithub#3229](https://redirect.github.com/PyGithub/PyGithub/pull/3229) - Update docs on development by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3352](https://redirect.github.com/PyGithub/PyGithub/pull/3352) #### New Contributors - [@​chriskuehl](https://redirect.github.com/chriskuehl) made their first contribution in [PyGithub/PyGithub#3289](https://redirect.github.com/PyGithub/PyGithub/pull/3289) - [@​zstyblik](https://redirect.github.com/zstyblik) made their first contribution in [PyGithub/PyGithub#3303](https://redirect.github.com/PyGithub/PyGithub/pull/3303) - [@​csalerno-asml](https://redirect.github.com/csalerno-asml) made their first contribution in [PyGithub/PyGithub#2992](https://redirect.github.com/PyGithub/PyGithub/pull/2992) - [@​eddie-santos](https://redirect.github.com/eddie-santos) made their first contribution in [PyGithub/PyGithub#3078](https://redirect.github.com/PyGithub/PyGithub/pull/3078) - [@​aolieman](https://redirect.github.com/aolieman) made their first contribution in [PyGithub/PyGithub#3339](https://redirect.github.com/PyGithub/PyGithub/pull/3339) - [@​sam93210](https://redirect.github.com/sam93210) made their first contribution in [PyGithub/PyGithub#3039](https://redirect.github.com/PyGithub/PyGithub/pull/3039) - [@​mball-agathos](https://redirect.github.com/mball-agathos) made their first contribution in [PyGithub/PyGithub#3022](https://redirect.github.com/PyGithub/PyGithub/pull/3022) - [@​atodorov](https://redirect.github.com/atodorov) made their first contribution in [PyGithub/PyGithub#3229](https://redirect.github.com/PyGithub/PyGithub/pull/3229) - [@​interifter](https://redirect.github.com/interifter) made their first contribution in [PyGithub/PyGithub#3291](https://redirect.github.com/PyGithub/PyGithub/pull/3291) **Full Changelog**: <PyGithub/PyGithub@v2.7.0...v2.8.0> ### [`v2.7.0`](https://redirect.github.com/PyGithub/PyGithub/releases/tag/v2.7.0) [Compare Source](https://redirect.github.com/pygithub/pygithub/compare/v2.6.1...v2.7.0) #### What's Changed ##### Breaking Changes - Method `Github.get_rate_limit()` now returns `RateLimitOverview` rather than `RateLimit` ([PyGithub/PyGithub#3205](https://redirect.github.com/PyGithub/PyGithub/pull/3205)). Code like ```python gh.get_rate_limit().core.remaining ``` should be replaced with ```python gh.get_rate_limit().resources.core.remaining ``` - Method `GitTag.verification` now returns `GitCommitVerification` rather than `dict[str, Any]` ([PyGithub/PyGithub#3226](https://redirect.github.com/PyGithub/PyGithub/pull/3226)). Code like ```python tag.verification["reason"] tag.verification.get("reason") ``` should be replaced with ```python tag.verification.reason ``` ##### New Features - Add getting list of self-hosted runners of organization by [@​climbfuji](https://redirect.github.com/climbfuji) in [PyGithub/PyGithub#3190](https://redirect.github.com/PyGithub/PyGithub/pull/3190) - Apply OpenAPI spec by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3317](https://redirect.github.com/PyGithub/PyGithub/pull/3317) - Add support for Sub-Issues by [@​e7217](https://redirect.github.com/e7217) in [PyGithub/PyGithub#3258](https://redirect.github.com/PyGithub/PyGithub/pull/3258) ##### Improvements - Refactor search results into separate classes by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3204](https://redirect.github.com/PyGithub/PyGithub/pull/3204) - Add `OrganizationInvitation` by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3207](https://redirect.github.com/PyGithub/PyGithub/pull/3207) - Add and apply missing schemas by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3209](https://redirect.github.com/PyGithub/PyGithub/pull/3209) - Sync `RepositoryAdvisory` tests with OpenAPI spec by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3215](https://redirect.github.com/PyGithub/PyGithub/pull/3215) - Sync `ProjectColumn` and `ProjectCard` tests with OpenAPI spec by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3216](https://redirect.github.com/PyGithub/PyGithub/pull/3216) - Sync `CopilotSeat` class with API spec by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3232](https://redirect.github.com/PyGithub/PyGithub/pull/3232) - Sync `HookDeliverySummary` class with API spec by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3233](https://redirect.github.com/PyGithub/PyGithub/pull/3233) - Sync `RequiredPullRequestReviews` class with API spec by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3234](https://redirect.github.com/PyGithub/PyGithub/pull/3234) - Sync `RequiredStatusChecks` class with API spec by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3236](https://redirect.github.com/PyGithub/PyGithub/pull/3236) - Sync `Team` class with API spec by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3237](https://redirect.github.com/PyGithub/PyGithub/pull/3237) - Replace `deprecated.deprecated()` with `typing_extensions.deprecated()` by [@​lazka](https://redirect.github.com/lazka) in [PyGithub/PyGithub#3255](https://redirect.github.com/PyGithub/PyGithub/pull/3255) - fix(CodeScanAlert): add missing attributes by [@​ReenigneArcher](https://redirect.github.com/ReenigneArcher) in [PyGithub/PyGithub#3274](https://redirect.github.com/PyGithub/PyGithub/pull/3274) - Allow SHAs when creating PR comments by [@​tuchfarber](https://redirect.github.com/tuchfarber) in [PyGithub/PyGithub#3248](https://redirect.github.com/PyGithub/PyGithub/pull/3248) - Get collaborator role name by [@​jmgate](https://redirect.github.com/jmgate) in [PyGithub/PyGithub#3295](https://redirect.github.com/PyGithub/PyGithub/pull/3295) - Adding `prevent_self_review` property to `Repository.createEnvironment` by [@​gopidesupavan](https://redirect.github.com/gopidesupavan) in [PyGithub/PyGithub#3246](https://redirect.github.com/PyGithub/PyGithub/pull/3246) - Add `PullRequest.get_issue_timeline` method by [@​kukarkinmm](https://redirect.github.com/kukarkinmm) in [PyGithub/PyGithub#3259](https://redirect.github.com/PyGithub/PyGithub/pull/3259) - Support built-in `reversed()` on `PaginatedList` by [@​mfocko](https://redirect.github.com/mfocko) in [PyGithub/PyGithub#3260](https://redirect.github.com/PyGithub/PyGithub/pull/3260) - Relax 404 condition in `Requester` exception handling by [@​jsmolar](https://redirect.github.com/jsmolar) in [PyGithub/PyGithub#3299](https://redirect.github.com/PyGithub/PyGithub/pull/3299) - Add `delete_self_hosted_runner` to `Organization` by [@​uncleDecart](https://redirect.github.com/uncleDecart) in [PyGithub/PyGithub#3306](https://redirect.github.com/PyGithub/PyGithub/pull/3306) ##### Bug Fixes - Fix broken pickle support for `Auth` classes by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3211](https://redirect.github.com/PyGithub/PyGithub/pull/3211) - Remove schema from `Deployment`, remove `message` attribute by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3223](https://redirect.github.com/PyGithub/PyGithub/pull/3223) - Fix incorrect deprecated import by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3225](https://redirect.github.com/PyGithub/PyGithub/pull/3225) - Add `CodeSecurityConfigRepository` returned by `get_repos_for_code_security_config` by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3219](https://redirect.github.com/PyGithub/PyGithub/pull/3219) - Fix `Branch.get_required_status_checks` return type by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3235](https://redirect.github.com/PyGithub/PyGithub/pull/3235) - Adds `multi_select` and `true_false` options to `CustomProperty.value_type` by [@​gfog-floqast](https://redirect.github.com/gfog-floqast) in [PyGithub/PyGithub#3173](https://redirect.github.com/PyGithub/PyGithub/pull/3173) - Fix url encoding of strings with slashes in URLs by [@​OscarVanL](https://redirect.github.com/OscarVanL) in [PyGithub/PyGithub#3263](https://redirect.github.com/PyGithub/PyGithub/pull/3263) - Fix side-effect when removing Authorization key from headers by [@​alecglen](https://redirect.github.com/alecglen) in [PyGithub/PyGithub#3313](https://redirect.github.com/PyGithub/PyGithub/pull/3313) - Make `TimingData.run_duration_ms` optional by [@​LifeLex](https://redirect.github.com/LifeLex) in [PyGithub/PyGithub#3268](https://redirect.github.com/PyGithub/PyGithub/pull/3268) - Normalize App ID to String & Enhance JWT Issuer Verification by [@​x612skm](https://redirect.github.com/x612skm) in [PyGithub/PyGithub#3272](https://redirect.github.com/PyGithub/PyGithub/pull/3272) ##### Dependencies - Bump actions/checkout from 3 to 4 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [PyGithub/PyGithub#2754](https://redirect.github.com/PyGithub/PyGithub/pull/2754) ##### Maintenance - Mention removal of `AppAuth.private_key` in changelog by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3212](https://redirect.github.com/PyGithub/PyGithub/pull/3212) - Remove wrong schema from Repository by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3220](https://redirect.github.com/PyGithub/PyGithub/pull/3220) - Rename `HookDeliveryRequest` and `…Response` private headers fields by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3221](https://redirect.github.com/PyGithub/PyGithub/pull/3221) - Sort classes' functions by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3231](https://redirect.github.com/PyGithub/PyGithub/pull/3231) - Move all Python files to future annotations by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3241](https://redirect.github.com/PyGithub/PyGithub/pull/3241) - Fix return type of `PaginatedList[int]` by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3240](https://redirect.github.com/PyGithub/PyGithub/pull/3240) - Sync with OpenAPI spec by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3244](https://redirect.github.com/PyGithub/PyGithub/pull/3244) - Make token auth default in tests by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3242](https://redirect.github.com/PyGithub/PyGithub/pull/3242) - Add `Organization.get_repos_for_code_security_config` test by [@​billnapier](https://redirect.github.com/billnapier) in [PyGithub/PyGithub#3239](https://redirect.github.com/PyGithub/PyGithub/pull/3239) - Add Python 3.13 to CI by [@​lazka](https://redirect.github.com/lazka) in [PyGithub/PyGithub#3253](https://redirect.github.com/PyGithub/PyGithub/pull/3253) - Enhance PyGithub webhook documentation by [@​ssganesh035](https://redirect.github.com/ssganesh035) in [PyGithub/PyGithub#3267](https://redirect.github.com/PyGithub/PyGithub/pull/3267) - Create codeql.yml by [@​JLLeitschuh](https://redirect.github.com/JLLeitschuh) in [PyGithub/PyGithub#3277](https://redirect.github.com/PyGithub/PyGithub/pull/3277) - Add schema to `TimingData` by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3206](https://redirect.github.com/PyGithub/PyGithub/pull/3206) - Remove error schemas from classes by [@​EnricoMi](https://redirect.github.com/EnricoMi) in [PyGithub/PyGithub#3202](https://redirect.github.com/PyGithub/PyGithub/pull/3202) #### New Contributors - [@​ssganesh035](https://redirect.github.com/ssganesh035) made their first contribution in [PyGithub/PyGithub#3267](https://redirect.github.com/PyGithub/PyGithub/pull/3267) - [@​ReenigneArcher](https://redirect.github.com/ReenigneArcher) made their first contribution in [PyGithub/PyGithub#3274](https://redirect.github.com/PyGithub/PyGithub/pull/3274) - [@​climbfuji](https://redirect.github.com/climbfuji) made their first contribution in [PyGithub/PyGithub#3190](https://redirect.github.com/PyGithub/PyGithub/pull/3190) - [@​tuchfarber](https://redirect.github.com/tuchfarber) made their first contribution in [PyGithub/PyGithub#3248](https://redirect.github.com/PyGithub/PyGithub/pull/3248) - [@​jmgate](https://redirect.github.com/jmgate) made their first contribution in [PyGithub/PyGithub#3295](https://redirect.github.com/PyGithub/PyGithub/pull/3295) - [@​gopidesupavan](https://redirect.github.com/gopidesupavan) made their first contribution in [PyGithub/PyGithub#3246](https://redirect.github.com/PyGithub/PyGithub/pull/3246) - [@​kukarkinmm](https://redirect.github.com/kukarkinmm) made their first contribution in [PyGithub/PyGithub#3259](https://redirect.github.com/PyGithub/PyGithub/pull/3259) - [@​mfocko](https://redirect.github.com/mfocko) made their first contribution in [PyGithub/PyGithub#3260](https://redirect.github.com/PyGithub/PyGithub/pull/3260) - [@​gfog-floqast](https://redirect.github.com/gfog-floqast) made their first contribution in [PyGithub/PyGithub#3173](https://redirect.github.com/PyGithub/PyGithub/pull/3173) - [@​jsmolar](https://redirect.github.com/jsmolar) made their first contribution in [PyGithub/PyGithub#3299](https://redirect.github.com/PyGithub/PyGithub/pull/3299) - [@​OscarVanL](https://redirect.github.com/OscarVanL) made their first contribution in [PyGithub/PyGithub#3263](https://redirect.github.com/PyGithub/PyGithub/pull/3263) - [@​alecglen](https://redirect.github.com/alecglen) made their first contribution in [PyGithub/PyGithub#3313](https://redirect.github.com/PyGithub/PyGithub/pull/3313) - [@​LifeLex](https://redirect.github.com/LifeLex) made their first contribution in [PyGithub/PyGithub#3268](https://redirect.github.com/PyGithub/PyGithub/pull/3268) - [@​e7217](https://redirect.github.com/e7217) made their first contribution in [PyGithub/PyGithub#3258](https://redirect.github.com/PyGithub/PyGithub/pull/3258) - [@​x612skm](https://redirect.github.com/x612skm) made their first contribution in [PyGithub/PyGithub#3272](https://redirect.github.com/PyGithub/PyGithub/pull/3272) - [@​uncleDecart](https://redirect.github.com/uncleDecart) made their first contribution in [PyGithub/PyGithub#3306](https://redirect.github.com/PyGithub/PyGithub/pull/3306) **Full Changelog**: <PyGithub/PyGithub@v2.6.0...v2.7.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/codegen-sh/graph-sitter). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzAuMSIsInVwZGF0ZWRJblZlciI6IjQxLjEzMC4xIiwidGFyZ2V0QnJhbmNoIjoiZGV2ZWxvcCIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes #3214 by ensuring self._app_id is always a string in AppAuth, preventing type mismatches in the JWT "iss" claim. It also strengthens JWT tests by adding issuer validation during decoding.
The AppAuth class previously stored self._app_id as-is (either int or str, per Union[int, str]), which could result in the JWT "iss" claim being an integer. Per the JWT specification (RFC 7519, Section 4.1.1), the iss (issuer) claim should be a string, and GitHub’s authentication flow expects it as such. This type mismatch caused potential failures in downstream processing or validation (e.g., with PyJWT or GitHub’s API), as reported in #3214. Additionally, the tests lacked proactive issuer checks, relying only on payload comparison, which missed an opportunity to catch errors earlier.
Changes
Changed self._app_id = app_id to self._app_id = str(app_id)in the initializer. This ensures the "iss" claim is consistently a string, regardless of whether the input app_id is an integer (common for GitHub App IDs) or a string.issuer=str(APP_ID)to jwt.decode(). This leverages PyJWT’s built-in issuer validation (introduced in PyJWT 1.0.0+), aligning with its security features and failing fast on issuer mismatches.Fixes
✅ Fixes type mismatch in JWT "iss" claim.
✅ Enhances test robustness by failing early on incorrect issuers.
Impact
Fixes the root cause of type-related errors in JWT generation, ensuring compliance with RFC 7519 and GitHub’s expectations.
Strengthens tests by mirroring real-world validation (e.g., GitHub rejecting tokens with invalid iss), reducing the risk of regressions.
Testing
Verified with pytest tests/Authentication.py—both testCreateJWT and testCreateJWTWithExpiration pass with the updated expectations and issuer verification.
Fixes: PyGithub/PyGithub#3214