Description
metastore-lib is likely to be installed as a GitHub App for many users. For this reason, we should probably do better to support GitHub App Installation access tokens out of the box.
This requires supporting a more complex flow than just "give me a token and go" which is good for personal access tokens. This flow is currently not supported by PyGitHub so we need to implement it ourselves and just pass the resulting access token to PyGitHub:
Acceptance Criteria
- metastore-lib can take app ID and PEM key as credentials
- metastore-lib uses app ID and PEM key to generate GitHub auth tokens and use them for token based authentication
- It is transparent to users when tokens are re-used or refreshed; tokens are cached and only regenerated when needed, so performance impact is minimal.
- GitHub App authentication method is added to project docs
Technical Flow of authenticating as an app
1. User has to install the app and get a private key as a PEM file
2. metastore-lib needs an app ID and the PEM key
3. metastore-lib generates a JWT token as described here: https://docs.github.com/en/developers/apps/authenticating-with-github-apps#authenticating-as-a-github-app
4. metastore-lib uses said JWT token to obtain an installation access token as described here: https://docs.github.com/en/developers/apps/authenticating-with-github-apps#authenticating-as-an-installation
5. Once auth token is obtained it can be used with PyGithub
6. Cache access token for up to 1 hour (exp time should be provided with token, it would be wise to take a minute of grace to allow for clock drift etc.)
7. Once token is expired / not available, go back to step 3
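A sketch of the caching and refresh part of the flow above, added here as an example and not taken from metastore-lib or PyGithub. `InstallationTokenCache`, `fetch_token` and `GRACE` are hypothetical names; `fetch_token` stands in for the JWT signing and token exchange, and is assumed to return a dict with `token` and `expires_at` (a UTC timestamp ending in `Z`).

```python
import threading
from datetime import datetime, timedelta, timezone

GRACE = timedelta(minutes=1)  # refresh this long before expiry (clock drift)


def parse_expires_at(value):
    """Parse the 'expires_at' field, e.g. '2024-01-01T13:00:00Z', as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class InstallationTokenCache:
    """Hypothetical helper: caches one installation token, refreshes near expiry.

    fetch_token is an assumed callable that signs a JWT with the app's PEM key
    and exchanges it; it returns a dict with 'token' and 'expires_at'.
    """

    def __init__(self, fetch_token, now=lambda: datetime.now(timezone.utc)):
        self._fetch_token, self._now = fetch_token, now
        self._lock = threading.Lock()
        self._token = self._expires_at = None

    def get(self):
        with self._lock:  # serialize refreshes so threads share one new token
            if self._token is None or self._now() >= self._expires_at - GRACE:
                response = self._fetch_token()
                self._expires_at = parse_expires_at(response["expires_at"])
                self._token = response["token"]
            return self._token


def demo():
    """Constructed scenario: fake clock and fake fetcher, no network or keys."""
    clock = [datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)]
    calls = []

    def fake_fetch():
        calls.append(clock[0])
        expires = (clock[0] + timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return {"token": f"constructed-token-{len(calls)}", "expires_at": expires}

    cache = InstallationTokenCache(fake_fetch, now=lambda: clock[0])
    seen = [cache.get()]
    for minutes in (30, 58, 59, 60):  # 59 min is inside the one-minute grace
        clock[0] = calls[0] + timedelta(minutes=minutes)
        seen.append(cache.get())
    return seen, len(calls)
```

The clock is injected so the expiry boundary can be tested without waiting an hour; the token is held only in memory and is never written to logs or disk by this helper.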