Add support for authentication as a GitHub App

This commit adds support for authentication as a GitHub App.
This is beneficial in several ways, including:
* Increased rate limits
* Better separation of access
* Finer grained control over access
* Removes the need for a bot or service account

As part of these changes, have added the `github.com/bradleyfalzon/ghinstallation/v2`
module and it's associated dependencies.

Added several new configuration fields:
* `UseGitHubApp` - Boolean flag signalling if user wants to auth as a GitHub App
* `PrivateKeyFile` - Filename for RSA Private Key generated for GitHub App
* `AppID` - GitHub App application numerical identifier
* `InstallationID` - GitHub App installation numerical identifier

Upgrade to golang `1.16`

Add some tests for the `Source` model.

Add support for both `private_key` and `private_key_file` intputs.

This enables either reading the private key from a file, or providing the contents
of the private key.
Expanded testing to cover additional scenarios.

Also rename `AppID` to `ApplicationID`.

add manifest yaml

bump

remove unused travis

use real image tags in dockefile, update go.mod

update go sum

comment xoauth basic

comment xoauth basic

comment xoauth basic

comment xoauth basic

add git credentail helper

fix dockerfile

add credential helper

sds

sds

Author: fatmcgav-depop

Dockerfile

@@ -1,33 +1,26 @@
-ARG golang
-ARG alpine
-
-
-
-FROM ${golang} AS builder
-
+FROM public.ecr.aws/docker/library/golang:1.22 as builder
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get -y -qq update \
     && apt-get -y -qq install "make"
 
 ADD . /go/src/github.com/telia-oss/github-pr-resource
 WORKDIR /go/src/github.com/telia-oss/github-pr-resource
 
-RUN go version \
-    && make all
+RUN go version &&  make all
 
-
-
-FROM ${alpine} AS resource
+FROM public.ecr.aws/docker/library/alpine:3.21.3 AS resource
 RUN apk add --update --no-cache \
     git \
     git-lfs \
+    curl \
     openssh \
     git-crypt
 COPY scripts/askpass.sh /usr/local/bin/askpass.sh
+ENV GITHUB_APP_CRED_HELPER_VERSION="v0.3.2"
+ENV BIN_PATH_TARGET=/usr/local/bin
+RUN curl -L https://github.com/bdellegrazie/git-credential-github-app/releases/download/${GITHUB_APP_CRED_HELPER_VERSION}/git-credential-github-app_${GITHUB_APP_CRED_HELPER_VERSION}_Linux_x86_64.tar.gz | tar zxv -C ${BIN_PATH_TARGET}
 COPY --from=builder /go/src/github.com/telia-oss/github-pr-resource/build /opt/resource
 RUN chmod +x /opt/resource/*
 
-
-
 FROM resource
 LABEL MAINTAINER=cloudfoundry-community

README.md

@@ -312,3 +312,4 @@ Here is the list of changes:
 Note that if you are migrating from the original resource on a Concourse version prior to `v5.0.0`, you might
 see an error `failed to unmarshal request: json: unknown field "ref"`. The solution is to rename the resource
 so that the history is wiped. See telia-oss/github-pr-resource#64 for details.
+

git.go

@@ -75,7 +75,8 @@ func (g *GitClient) Init(branch string) error {
 	if err := g.command("git", "config", "--global", "user.email", "concourse@local").Run(); err != nil {
 		return fmt.Errorf("failed to configure git email: %s", err)
 	}
-	if err := g.command("git", "config", "--global", "url.https://[email protected]/.insteadOf", "[email protected]:").Run(); err != nil {
+	fmt.Println("SDS")
+	if err := g.command("git", "config", "credential.https://github.com.helper","'!git-credential-github-app --appId ((github/concourse-app-id)) -organization ((github/concourse-app-organization-name)) -username x-access-token'").Run(); err != nil {
 		return fmt.Errorf("failed to configure github url: %s", err)
 	}
 	if err := g.command("git", "config", "--global", "url.https://.insteadOf", "git://").Run(); err != nil {
@@ -91,6 +92,7 @@ func (g *GitClient) Pull(uri, branch string, depth int, submodules bool, fetchTa
 		return err
 	}
 
+
 	if err := g.command("git", "remote", "add", "origin", endpoint).Run(); err != nil {
 		return fmt.Errorf("setting 'origin' remote to '%s' failed: %s", endpoint, err)
 	}
@@ -232,6 +234,6 @@ func (g *GitClient) Endpoint(uri string) (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to parse commit url: %s", err)
 	}
-	endpoint.User = url.UserPassword("x-oauth-basic", g.AccessToken)
+	//endpoint.User = url.UserPassword("x-oauth-basic", g.AccessToken)
 	return endpoint.String(), nil
 }

github.go

@@ -12,6 +12,7 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/bradleyfalzon/ghinstallation/v2"
 	"github.com/google/go-github/v61/github"
 	"github.com/shurcooL/githubv4"
 	"golang.org/x/oauth2"
@@ -46,23 +47,45 @@ func NewGithubClient(s *Source) (*GithubClient, error) {
 		return nil, err
 	}
 
+	// We need a transport that we can update if using GitHub App authentication
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+
 	// Skip SSL verification for self-signed certificates
 	// source: https://github.com/google/go-github/pull/598#issuecomment-333039238
 	var ctx context.Context
 	if s.SkipSSLVerification {
-		insecureClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+		insecureClient := &http.Client{Transport: transport}
 		ctx = context.WithValue(context.TODO(), oauth2.HTTPClient, insecureClient)
 	} else {
 		ctx = context.TODO()
 	}
 
-	client := oauth2.NewClient(ctx, oauth2.StaticTokenSource(
-		&oauth2.Token{AccessToken: s.AccessToken},
-	))
+	var client *http.Client
+	if s.UseGitHubApp {
+		var ghAppInstallationTransport *ghinstallation.Transport
+		if s.PrivateKeyFile != "" {
+			ghAppInstallationTransport, err = ghinstallation.NewKeyFromFile(transport, s.ApplicationID, s.InstallationID, s.PrivateKeyFile)
+			if err != nil {
+				return nil, fmt.Errorf("failed to generate application installation access token using private key file: %s", err)
+			}
+		} else {
+			ghAppInstallationTransport, err = ghinstallation.New(transport, s.ApplicationID, s.InstallationID, []byte(s.PrivateKey))
+			if err != nil {
+				return nil, fmt.Errorf("failed to generate application installation access token using private key: %s", err)
+			}
+		}
+
+		// Client using ghinstallation transport
+		client = &http.Client{
+			Transport: ghAppInstallationTransport,
+		}
+	} else {
+		// Client using oauth2 wrapper
+		client = oauth2.NewClient(ctx, oauth2.StaticTokenSource(
+			&oauth2.Token{AccessToken: s.AccessToken},
+		))
+	}
 
 	var v3 *github.Client
 	if s.V3Endpoint != "" {

go.mod

@@ -5,6 +5,7 @@ go 1.23.0
 toolchain go1.23.7
 
 require (
+	github.com/bradleyfalzon/ghinstallation/v2 v2.14.0
 	github.com/google/go-github/v61 v61.0.0
 	github.com/maxbrunsfeld/counterfeiter/v6 v6.8.1
 	github.com/shurcooL/githubv4 v0.0.0-20240727222349-48295856cce7
@@ -14,6 +15,8 @@ require (
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
+	github.com/google/go-github/v69 v69.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect

go.sum

@@ -1,11 +1,17 @@
+github.com/bradleyfalzon/ghinstallation/v2 v2.14.0 h1:0D4vKCHOvYrDU8u61TnE2JfNT4VRrBLphmxtqazTO+M=
+github.com/bradleyfalzon/ghinstallation/v2 v2.14.0/go.mod h1:LOVmdZYVZ8jqdr4n9wWm1ocDiMz9IfMGfRkaYC1a52A=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-github/v61 v61.0.0 h1:VwQCBwhyE9JclCI+22/7mLB1PuU9eowCXKY5pNlu1go=
 github.com/google/go-github/v61 v61.0.0/go.mod h1:0WR+KmsWX75G2EbpyGsGmradjo3IiciuI4BmdVCobQY=
+github.com/google/go-github/v69 v69.0.0 h1:YnFvZ3pEIZF8KHmI8xyQQe3mYACdkhnaTV2hr7CP2/w=
+github.com/google/go-github/v69 v69.0.0/go.mod h1:xne4jymxLR6Uj9b7J7PyTpkMYstEMMwGZa0Aehh1azM=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=

manifest.yaml

@@ -0,0 +1,2 @@
+name: github-pr-resource
+version: 0.0.1

models.go

@@ -29,12 +29,28 @@ type Source struct {
 	States                  []githubv4.PullRequestState `json:"states"`
 	TrustedTeams            []string                    `json:"trusted_teams"`
 	TrustedUsers            []string                    `json:"trusted_users"`
+	UseGitHubApp            bool                        `json:"use_github_app"`
+	PrivateKey              string                      `json:"private_key"`
+	PrivateKeyFile          string                      `json:"private_key_file"`
+	ApplicationID           int64                       `json:"application_id"`
+	InstallationID          int64                       `json:"installation_id"`
 }
 
 // Validate the source configuration.
 func (s *Source) Validate() error {
-	if s.AccessToken == "" {
-		return errors.New("access_token must be set")
+	if s.AccessToken == "" && !s.UseGitHubApp {
+		return errors.New("access_token must be set if not using GitHub App authentication")
+	}
+	if s.UseGitHubApp {
+		if s.PrivateKey == "" && s.PrivateKeyFile == "" {
+			return errors.New("Either private_key or private_key_file should be supplied if using GitHub App authentication")
+		}
+		if s.ApplicationID == 0 || s.InstallationID == 0 {
+			return errors.New("application_id and installation_id must be set if using GitHub App authentication")
+		}
+		if s.AccessToken != "" {
+			return errors.New("access_token is not required when using GitHub App authentication")
+		}
 	}
 	if s.Repository == "" {
 		return errors.New("repository must be set")

models_test.go

@@ -0,0 +1,118 @@
+package resource_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	resource "github.com/telia-oss/github-pr-resource"
+)
+
+func TestSource(t *testing.T) {
+	tests := []struct {
+		description string
+		source      resource.Source
+		wantErr     string
+	}{
+		{
+			description: "validate passes",
+			source: resource.Source{
+				AccessToken: "123456",
+				Repository:  "test/test",
+			},
+		},
+		{
+			description: "should have an access_token",
+			source: resource.Source{
+				Repository: "test/test",
+			},
+			wantErr: "access_token must be set if not using GitHub App authentication",
+		},
+		{
+			description: "should have a repository",
+			source: resource.Source{
+				AccessToken: "123456",
+			},
+			wantErr: "repository must be set",
+		},
+		{
+			description: "should support GitHub App authentication",
+			source: resource.Source{
+				Repository:     "test/test",
+				UseGitHubApp:   true,
+				PrivateKey:     "key.pem",
+				ApplicationID:  123456,
+				InstallationID: 1,
+			},
+		},
+		{
+			description: "requires a private_key or private_key_file GitHub App configuration values",
+			source: resource.Source{
+				Repository:     "test/test",
+				UseGitHubApp:   true,
+				ApplicationID:  123456,
+				InstallationID: 1,
+			},
+			wantErr: "Either private_key or private_key_file should be supplied if using GitHub App authentication",
+		},
+		{
+			description: "requires an application_id and installation_id GitHub App configuration values",
+			source: resource.Source{
+				Repository:    "test/test",
+				UseGitHubApp:  true,
+				PrivateKey:    "key.pem",
+				ApplicationID: 123456,
+			},
+			wantErr: "application_id and installation_id must be set if using GitHub App authentication",
+		},
+		{
+			description: "should not have an access_token when using GitHub App authentication",
+			source: resource.Source{
+				Repository:     "test/test",
+				UseGitHubApp:   true,
+				PrivateKey:     "key.pem",
+				ApplicationID:  123456,
+				InstallationID: 1,
+				AccessToken:    "123456",
+			},
+			wantErr: "access_token is not required when using GitHub App authentication",
+		},
+		{
+			description: "requires v3_endpoint when v4_endpoint is set",
+			source: resource.Source{
+				AccessToken: "123456",
+				Repository:  "test/test",
+				V3Endpoint:  "https://github.com/v3",
+			},
+			wantErr: "v4_endpoint must be set together with v3_endpoint",
+		},
+		{
+			description: "requires v4_endpoint when v3_endpoint is set",
+			source: resource.Source{
+				AccessToken: "123456",
+				Repository:  "test/test",
+				V4Endpoint:  "https://github.com/v4",
+			},
+			wantErr: "v3_endpoint must be set together with v4_endpoint",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.description, func(t *testing.T) {
+			err := tc.source.Validate()
+
+			if tc.wantErr != "" {
+				if err == nil {
+					t.Logf("Expected error '%s', got nothing", tc.wantErr)
+					t.Fail()
+				}
+				assert.EqualError(t, err, tc.wantErr, fmt.Sprintf("Expected '%s', got '%s'", tc.wantErr, err))
+			}
+
+			if tc.wantErr == "" && err != nil {
+				t.Logf("Got an error when none expected: %s", err)
+				t.Fail()
+			}
+		})
+	}
+}