Conversation
…ations#977) This commit addresses issue integrations#977 by introducing an automatic token refresh mechanism for GitHub App-based authentication. When using short-lived GitHub App tokens (JWT + installation token), the provider now refreshes the token transparently before expiry, avoiding auth failures during long-lived Terraform runs or plan/apply cycles.

Key enhancements:
- Added `NewRefreshingTokenSource()` to wrap token acquisition and refresh.
- Refactored `Config.AuthenticatedHTTPClient()` to detect GitHub App env vars (`GITHUB_APP_ID`, `GITHUB_APP_INSTALLATION_ID`, `GITHUB_APP_PEM` or `GITHUB_APP_PEM_FILE`) and enable a refreshable OAuth2 token source.
- Falls back gracefully to using a Personal Access Token (PAT) when `GITHUB_TOKEN` is set.
- Environment-based discovery of GitHub App credentials avoids Terraform schema changes.
- Added unit tests covering:
  - Refreshing logic (initial, expired, and error conditions)
  - Config behavior (anonymous and authenticated client behavior)
  - Error cases for missing App ID, installation ID, or PEM
- No change to existing configuration schema or behavior for current users using PAT-based authentication.

This upgrade enables more resilient GitHub App usage and prepares the provider for robust automation scenarios.
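As an added illustration of the refresh-before-expiry behaviour the commit message describes (example code written for this page, not the provider's own implementation): a token source that caches an installation token, refreshes it once it is within a leeway of expiry, and decides what to do when the refresh fails. The GitHub-specific JWT exchange sits behind an `exchange` callback so the refresh logic can be exercised with a fake clock; the `Token` type, the `NewRefreshingTokenSource` signature and the constructed outage schedule in `Scenario` are assumptions, not the PR's code.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Token mirrors the AccessToken/Expiry fields of oauth2.Token so this source
// could stand in where an oauth2.TokenSource is expected (an assumption; the
// provider's real types are not shown on this page).
type Token struct {
	AccessToken string
	Expiry      time.Time
}

// RefreshingTokenSource caches an installation token and re-runs exchange once
// the token is within leeway of expiry. The mutex makes concurrent callers
// (Terraform walks resources in parallel) share one refresh instead of each
// minting its own.
type RefreshingTokenSource struct {
	exchange func(now time.Time) (*Token, error) // the JWT -> installation-token call
	now      func() time.Time
	leeway   time.Duration

	mu  sync.Mutex
	tok *Token
}

// NewRefreshingTokenSource is a hypothetical constructor; the PR's function of
// the same name may take different parameters.
func NewRefreshingTokenSource(exchange func(time.Time) (*Token, error), leeway time.Duration) *RefreshingTokenSource {
	return &RefreshingTokenSource{exchange: exchange, now: time.Now, leeway: leeway}
}

// Token returns the cached token while it is comfortably valid, refreshes it
// before expiry, and on a failed refresh keeps serving the old token only for
// as long as GitHub would still accept it.
func (s *RefreshingTokenSource) Token() (*Token, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.tok != nil && s.now().Before(s.tok.Expiry.Add(-s.leeway)) {
		return s.tok, nil
	}
	tok, err := s.exchange(s.now())
	if err != nil {
		if s.tok != nil && s.now().Before(s.tok.Expiry) {
			return s.tok, nil // transient outage: ride out the rest of the old token
		}
		return nil, fmt.Errorf("refreshing installation token: %w", err)
	}
	if tok == nil || tok.AccessToken == "" || tok.Expiry.IsZero() {
		return nil, errors.New("exchange returned an unusable token")
	}
	s.tok = tok
	return tok, nil
}

// Scenario drives the source with a fake clock and a constructed exchange that
// numbers the tokens it mints and fails on its third and fourth calls. It
// returns the token seen at each step ("" where Token returned an error), the
// number of exchange calls, and the number of errors surfaced to the caller.
func Scenario() (tokens []string, mints int, errs int) {
	clock := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	exchange := func(now time.Time) (*Token, error) {
		mints++
		if mints == 3 || mints == 4 {
			return nil, errors.New("constructed GitHub outage")
		}
		return &Token{AccessToken: fmt.Sprintf("ghs_constructed_%d", mints), Expiry: now.Add(time.Hour)}, nil
	}
	src := NewRefreshingTokenSource(exchange, 5*time.Minute)
	src.now = func() time.Time { return clock }
	// t+0 mint, t+30m cached, t+56m refresh (inside leeway), t+112m refresh fails
	// but old token still valid, t+117m fails with old token expired, t+118m recovers.
	for _, step := range []time.Duration{0, 30 * time.Minute, 26 * time.Minute, 56 * time.Minute, 5 * time.Minute, time.Minute} {
		clock = clock.Add(step)
		tok, err := src.Token()
		if err != nil {
			errs++
			tokens = append(tokens, "")
			continue
		}
		tokens = append(tokens, tok.AccessToken)
	}
	return tokens, mints, errs
}
```

Two design points worth checking in any real implementation: the mutex is held across the exchange, so parallel resource operations wait for one refresh rather than each minting a token (fewer tokens in flight, and no thundering herd against the API); and a failed refresh is only papered over while the previous token is still inside its own expiry, so the source never hands out a token GitHub is guaranteed to reject.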
@nickfloyd Would be great if this PR can be reviewed!
deiga
left a comment
Hey @sreejesh123 👋
Thank you for your contribution!
There are a few details I'd need your help with to understand your proposal :)
- You seem to be relying on ENV variables for the App identification, that won't work. You would need to use the parameters given to the provider
- You built a whole custom token refreshingSource, did you try using https://pkg.go.dev/golang.org/x/oauth2#Config.Client which looks like it would already include a lot of the logic you needed to create
- I don't think there should be a need to add a new library for doing the token refresh, but I might be wrong
Thanks a lot for the reply; I appreciate you taking the time to review. Please see my answers inline.
It's been a while since I did this. I will take a look at why I used os.env; not sure if it was for local.
I did explore oauth2.Config.Client, but GitHub App installation tokens do not follow standard OAuth2 refresh token mechanics. GitHub Apps require this flow: Since this flow isn't compatible with oauth2.Config, I implemented a custom TokenSource that performs the GitHub-specific JWT → installation-token exchange. If this is my misunderstanding, please let me know. Happy to adjust the structure if there's a preferred pattern within the provider.
The additional library is used only for securely generating the required JWT for GitHub App authentication. If you prefer not to introduce this dependency, I can alternatively use the built-in Go crypto packages and re-implement the minimal signing logic.
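The JWT to installation-token exchange referred to above, as an added example written for this page rather than code from the PR, and using only the Go standard library (the alternative to a JWT dependency mentioned in the reply). `AppJWT` and `MintInstallationToken` are hypothetical names, the app id `12345` and installation id `67890` are placeholders, and `fakeGitHub` is a constructed stand-in for api.github.com that checks the JWT signature and the ten-minute lifetime cap before issuing a token, so the whole flow runs offline:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// AppJWT signs the RS256 JWT a GitHub App presents to mint an installation token: iss is
// the app id, iat is backdated a minute for clock skew, exp may be at most 10 minutes out.
func AppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	enc := base64.RawURLEncoding
	claims, err := json.Marshal(map[string]interface{}{"iat": now.Add(-time.Minute).Unix(), "exp": now.Add(9 * time.Minute).Unix(), "iss": appID})
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(claims)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// MintInstallationToken is the second half of the exchange: sign a fresh JWT, POST it as a
// Bearer credential to /app/installations/{id}/access_tokens and read back token + expires_at.
func MintInstallationToken(client *http.Client, baseURL, appID, installationID string, key *rsa.PrivateKey) (string, time.Time, error) {
	jwt, err := AppJWT(appID, key, time.Now())
	if err != nil {
		return "", time.Time{}, err
	}
	req, _ := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/app/installations/%s/access_tokens", baseURL, installationID), nil)
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := client.Do(req)
	if err != nil {
		return "", time.Time{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated { // GitHub answers 201 Created on success
		return "", time.Time{}, fmt.Errorf("access_tokens returned %s", resp.Status)
	}
	var body struct {
		Token     string    `json:"token"`
		ExpiresAt time.Time `json:"expires_at"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", time.Time{}, err
	}
	return body.Token, body.ExpiresAt, nil
}

// fakeGitHub is a constructed stand-in for api.github.com: it verifies the JWT
// signature against pub and the 10-minute lifetime cap before issuing a token.
func fakeGitHub(pub *rsa.PublicKey) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), ".")
		if r.Method != http.MethodPost || len(parts) != 3 {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		sig, err := base64.RawURLEncoding.DecodeString(parts[2])
		raw, _ := base64.RawURLEncoding.DecodeString(parts[1])
		sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
		var claims struct{ Iat, Exp int64; Iss string }
		if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil ||
			json.Unmarshal(raw, &claims) != nil || claims.Exp-claims.Iat > 600 {
			http.Error(w, "bad credentials", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(map[string]string{
			"token":      "ghs_constructed_for_app_" + claims.Iss,
			"expires_at": time.Now().Add(time.Hour).UTC().Format(time.RFC3339),
		})
	}))
}

// Exchange runs the whole flow against the fake server with placeholder app and
// installation ids and reports the token and how long it is good for.
func Exchange() (string, time.Duration, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", 0, err
	}
	srv := fakeGitHub(&key.PublicKey)
	defer srv.Close()
	token, exp, err := MintInstallationToken(srv.Client(), srv.URL, "12345", "67890", key)
	return token, time.Until(exp).Round(time.Minute), err
}
```

Against the real API `baseURL` is `https://api.github.com`, and the key from `GITHUB_APP_PEM` or `GITHUB_APP_PEM_FILE` is the PKCS#1 PEM GitHub downloads for the app, parsed with `pem.Decode` followed by `x509.ParsePKCS1PrivateKey`. The `expires_at` in the response is the value a refreshing source keys its leeway off; the JWT itself is throwaway and should be re-signed for every exchange rather than cached, since anyone holding a valid one can mint installation tokens until it expires.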
@sreejesh123 Looking at the docs of go-github they have a recommendation to use https://github.com/jferrl/go-githubauth which would handle the refresh https://github.com/google/go-github/blob/master/README.md#as-a-github-app Could you try implementing that instead of homebrewing the logic?
Resolves #977