feat: Update github exporter with github app authentication

[dehaansa]

Brief description of Pull Request

Update the github exporter packaged in Alloy including support for Github App authentication.

Pull Request Details

Issue(s) fixed by this Pull Request

Notes to the Reviewer

PR Checklist

• Documentation added
• Tests updated

[github-actions]

💻 Deploy preview deleted (feat: Update github exporter with github app authentication).

[github-actions]

🔍 Dependency Review

Below is an assessment of the Go module dependency changes in this PR, focusing only on entries changed in go.mod files. For each changed dependency, I outline potential code changes needed to safely adopt the new version and include supporting evidence.

---

github.com/githubexporter/github-exporter v0.0.0-20231025122338-656e7dc33fe7 → v1.3.1 — ⚠️ Needs Review

Summary

• v1.3.x adds native GitHub App authentication support and an optional rate limit threshold, in addition to existing token-based authentication.
• Existing API token authentication remains supported.
• You must ensure only one authentication mechanism is configured at a time (mutually exclusive).

Based on changes made in this PR, no breaking changes were encountered for existing token-based use, but you should review the new authentication behavior and configuration surface if you adopt GitHub App authentication.

What changed and what to check in your code

• New config fields/methods for GitHub App auth:
  • Fields observed in use:
    • GitHubAppKeyPath, GitHubAppID, GitHubAppInstallationID, GitHubRateLimit
  • Methods observed in use:
    • SetGitHubApp(true), SetGitHubAppKeyPath(string), SetGitHubAppId(int64), SetGitHubAppInstallationId(int64), SetGitHubRateLimit(float64), SetAPITokenFromGitHubApp()
• Mutual exclusivity:
  • Do not set both API token auth (APIToken/APITokenFile) and GitHub App auth (AppID/InstallationID/KeyPath) together. Enforce this at integration boundaries.

Code changes to adopt new features (optional)

If you want to preserve existing behavior (token-based auth), no code changes are required.

If you want to use GitHub App authentication, adapt your integration like below:

 func New(logger log.Logger, c *Config) (integrations.Integration, error) {
-    conf.SetRepositories(c.Repositories)
-    conf.SetOrganisations(c.Organizations)
-    conf.SetUsers(c.Users)
-    if c.APIToken != "" {
-        conf.SetAPIToken(string(c.APIToken))
-    }
-    if c.APITokenFile != "" {
-        err = conf.SetAPITokenFromFile(c.APITokenFile)
-        if err != nil { ... }
-    }
+    conf.SetRepositories(c.Repositories)
+    conf.SetOrganisations(c.Organizations)
+    conf.SetUsers(c.Users)
+
+    hasTokenAuth := c.APIToken != "" || c.APITokenFile != ""
+    hasGitHubAppAuth := c.GitHubAppID != 0 && c.GitHubAppInstallationID != 0 && c.GitHubAppKeyPath != ""
+    if hasTokenAuth && hasGitHubAppAuth {
+        return nil, fmt.Errorf("cannot use both token authentication and GitHub App authentication")
+    }
+
+    if hasGitHubAppAuth {
+        conf.SetGitHubApp(true)
+        conf.SetGitHubAppKeyPath(c.GitHubAppKeyPath)
+        conf.SetGitHubAppId(c.GitHubAppID)
+        conf.SetGitHubAppInstallationId(c.GitHubAppInstallationID)
+        conf.SetGitHubRateLimit(c.GitHubRateLimit)
+        if err := conf.SetAPITokenFromGitHubApp(); err != nil { ... }
+    } else if c.APIToken != "" {
+        conf.SetAPIToken(string(c.APIToken))
+    } else if c.APITokenFile != "" {
+        if err := conf.SetAPITokenFromFile(c.APITokenFile); err != nil { ... }
+    }
 }

If you expose configuration for the exporter, add optional fields to your config types and conversions:

 type Arguments struct {
     APIURL         string            `alloy:"api_url,attr,optional"`
     Repositories   []string          `alloy:"repositories,attr,optional"`
     Organizations  []string          `alloy:"organizations,attr,optional"`
     Users          []string          `alloy:"users,attr,optional"`
     APIToken       alloytypes.Secret `alloy:"api_token,attr,optional"`
     APITokenFile   string            `alloy:"api_token_file,attr,optional"`
+    GitHubAppKeyPath        string  `alloy:"github_app_key_path,attr,optional"`
+    GitHubAppID             int64   `alloy:"github_app_id,attr,optional"`
+    GitHubAppInstallationID int64   `alloy:"github_app_installation_id,attr,optional"`
+    GitHubRateLimit         float64 `alloy:"github_rate_limit,attr,optional"`
 }
 
 func (a *Arguments) Convert() *github_exporter.Config {
     return &github_exporter.Config{
         APIURL:        a.APIURL,
         Repositories:  a.Repositories,
         Organizations: a.Organizations,
         Users:         a.Users,
         APIToken:      config_util.Secret(a.APIToken),
         APITokenFile:  a.APITokenFile,
+        GitHubAppKeyPath:        a.GitHubAppKeyPath,
+        GitHubAppID:             a.GitHubAppID,
+        GitHubAppInstallationID: a.GitHubAppInstallationID,
+        GitHubRateLimit:         a.GitHubRateLimit,
     }
 }

Evidence

• New auth methods and fields are used directly in this PR (confirming API presence in v1.3.1):
  • Methods used: SetGitHubApp, SetGitHubAppKeyPath, SetGitHubAppId, SetGitHubAppInstallationId, SetGitHubRateLimit, SetAPITokenFromGitHubApp
  • Fields used: GitHubAppKeyPath, GitHubAppID, GitHubAppInstallationID, GitHubRateLimit
• Token-based fields and behavior remain in use: APIToken, APITokenFile, SetAPIToken, SetAPITokenFromFile

---

github.com/google/go-github/v62 (new indirect) — ✅ Safe

Summary

• Added as an indirect dependency. No direct imports of this module are changed in this repo per the provided diff.
• It is pulled in by the updated github-exporter for GitHub App support.

Code changes required

• None in this repository unless you import and use go-github directly elsewhere. If you do, ensure your code matches v62 APIs.

Evidence

• go.mod only adds it as indirect.
• Usage is encapsulated inside github.com/githubexporter/github-exporter v1.3.1 for GitHub App flows.

---

github.com/bradleyfalzon/ghinstallation/v2 v2.11.0 (new indirect) — ✅ Safe

Summary

• Added as an indirect dependency. This library provides GitHub App installation authentication and is used by the updated github-exporter.
• No direct usage in this repository in the provided diff.

Code changes required

• None in this repository unless you start using ghinstallation/v2 directly.

Evidence

• go.mod only adds it as indirect.
• Usage is encapsulated inside github.com/githubexporter/github-exporter v1.3.1 for GitHub App token generation.

Notes

• Net-new indirect dependencies (github.com/google/go-github/v62, github.com/bradleyfalzon/ghinstallation/v2) were not assessed beyond their impact through github.com/githubexporter/github-exporter, as they are not directly consumed by this repo in the provided diff.
• The PR already includes appropriate code and docs changes to support GitHub App authentication and mutual exclusivity with token auth.

[kgeckhart]

Non-blocking suggestion

[kgeckhart]

Should we check for misconfiguration GithubApp auth like if they missed setting one of these? Maybe logging the auth strategy identified could help instead? Thinking about how we could make a user error less frustrating to identify.