Replace GitHub PAT authentication with GitHub App

Personal Access Tokens are bound to a GitHub user, which doesn't work
for teams. And when the workflow fails, that GitHub user gets notified.

Using a GitHub App to authenticate makes it easier for teams to manage
access.

The unit test has been upgraded to a full integration test, that uses
a GitHub App to test. Faking the new authentication process makes the
unit test useless. Having a full integration tests hopefully helps, and
won't have to much false positives.

Author: martijngastkemper

.github/workflows/run-tests.yaml

@@ -10,33 +10,16 @@ jobs:
       fail-fast: true
       matrix:
         os: [ubuntu-latest]
-        laravel: [8.*, 9.*, 10.*, 11.*]
-        php: [8.0, 8.1, 8.2, 8.3]
+        laravel: [10.*, 11.*]
+        php: [8.2, 8.3, 8.4]
         dependency-version: [prefer-stable]
         include:
-          - laravel: 8.*
-            testbench: 6.*
-            phpunit: 9.*
-          - laravel: 9.*
-            testbench: 7.*
-            phpunit: 9.*
           - laravel: 10.*
             testbench: 8.*
             phpunit: 9.*
           - laravel: 11.*
             testbench: 9.*
             phpunit: 10.*
-        exclude:
-          - laravel: 8.*
-            php: 8.2
-          - laravel: 8.*
-            php: 8.3
-          - laravel: 10.*
-            php: 8.0
-          - laravel: 11.*
-            php: 8.0
-          - laravel: 11.*
-            php: 8.1
     name: PHP ${{ matrix.php }} - Laravel ${{ matrix.laravel }}
 
     steps:
@@ -45,6 +28,7 @@ jobs:
       - uses: shivammathur/setup-php@v2
         with:
           php-version: ${{ matrix.php }}
+          coverage: none
 
       - name: Get Composer Cache Directory
         id: composer-cache
@@ -69,3 +53,5 @@ jobs:
 
       - name: Run PHP tests
         run: vendor/bin/phpunit
+        env:
+          NOVA_PUBLISH_PRIVATE_KEY: ${{ secrets.NOVA_PUBLISH_PRIVATE_KEY }}

.gitignore

@@ -1,3 +1,4 @@
+/.env
 /.idea
 /vendor
 /node_modules

CHANGELOG.md

@@ -1,17 +1,28 @@
 # CHANGELOG
 
-## V2.0.2
+## 3.0.0
+
+- Add support for GitHub Apps
+- Drop support for PHP 8.0 and 8.1
+- Drop support for Laravel 8 and 9
+- Drop support for GitHub Personal Access Tokens
+
+Run `php artisan vendor:publish --tag=publish-config` to publish the new configuration file.
+
+See "GitHub credentials" in README.md for information about creating a GitHub Apps.
+
+## 2.0.2
 
 - Fix cms navigation bug
 
-## V2.0.1
+## 2.0.1
 
 - Add event for when publication was started
 
-## V2.0.0
+## 2.0.0
 
 - Nova 4 added as dependency. The tool is now compatible with Nova 4.
 
-## V1.0.0
+## 1.0.0
 
 - Initial version for Nova 3.

README.md

@@ -24,8 +24,8 @@
 
 [Return To Top](#nova-publish)
 
-- PHP 8.0, 8.1, 8.2
-- Laravel 8, 9, 10
+- PHP 8.2, 8.3, 8.4
+- Laravel 9, 10
 - Nova 4
 
 ## Installation
@@ -66,34 +66,44 @@ Publish configuration
 php artisan vendor:publish --provider="Publish\ToolServiceProvider"
 ```
 
-Configure GitHub credentials, set the path to the workflow file and configure an application version.
+Configure [GitHub credentials](#github-credentials), set the name of workflow file and configure an application version.
 
 =======
 
 ## Local development
 
-Run `npm run dev` to watch for changes in the `resources/js` directory.
+Run `yarn run dev` to watch for changes in the `resources/js` directory.
 
 Use the local checkout in a project that uses this plugin. [The Composer documentation explains how to do this.](https://getcomposer.org/doc/05-repositories.md#path)
 
-## i18n
+To run the tests you need a Nova License and a GitHub App with access to your repository. It will use the workflow `test-workflow.yml` to do integration tests.
 
-To add a language or change an existing translation, please read the [Laravel documentation about overriding package language files](https://laravel.com/docs/10.x/localization#overriding-package-language-files).
+Create `/.env` file with the following content:
+
+```dotenv
+NOVA_PUBLISH_PRIVATE_KEY="your GitHub App private key"
+NOVA_PUBLISH_APPLICATION_ID="your GitHub App ID"
+NOVA_PUBLISH_OWNER="your GitHub owner"
+NOVA_PUBLISH_REPOSITORY="your GitHub repository"
+```
 
-## GitHub API credentials
+## i18n
 
-Personal Access Tokens (PATs) are currently the only way to access the GitHub API. The token is created by a GitHub user. So when this user is removed from the GitHub organization the token must be recreated by another user. Not ideal, so there is room for improvement.
+To add a language or change an existing translation, please read the [Laravel documentation about overriding package language files](https://laravel.com/docs/10.x/localization#overriding-package-language-files).
 
-Create a Personal Access Token: https://github.com/settings/tokens
+## GitHub credentials
 
-- Note: the name of the project
-- Expiration: No expiration (or you have to replace the token every time it expires)
-- Scopes: "repo" and "workflow"
+You need a GitHub Apps to use this tool. The application must have access to the repository where the workflow is located.
 
-Add the created token as environment variable `PUBLISH_GITHUB_PERSONAL_ACCESS_TOKEN`.
+[About creating GitHub Apps](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps).
 
-You GitHub username must be stored in `PUBLISH_GITHUB_USERNAME`.
+Use the application ID and private key in `config/publish.php`.
 
 ## Contribute
 
 You need a Nova license to run the tests.
+
+## Release new version
+
+- Run `yarn run prod` to build the assets, and commit the changes
+- Add the new version to `CHANGELOG.md`

composer.json

@@ -13,7 +13,8 @@
   ],
   "license": "MIT",
   "require": {
-    "php": "^8.0|^8.1|^8.2|^8.3",
+    "php": "^8.2|^8.3|^8.4",
+    "ext-openssl": "*",
     "guzzlehttp/guzzle": "^7.3",
     "laravel/nova": "^4.0"
   },

config/publish.php

@@ -3,18 +3,26 @@
 return [
     /*
     |--------------------------------------------------------------------------
-    | GitHub credentials
+    | GitHub App credentials
     |--------------------------------------------------------------------------
     |
     | Publish uses these credentials to connect to the GitHub API. The token
     | needs the "repo" and "workflow" scope.
     |
     */
 
-    "github_username" => env("PUBLISH_GITHUB_USERNAME"),
-    "github_personal_access_token" => env(
-        "PUBLISH_GITHUB_PERSONAL_ACCESS_TOKEN"
-    ),
+    "application_id" => env("NOVA_PUBLISH_APPLICATION_ID"),
+    "private_key" => env("NOVA_PUBLISH_PRIVATE_KEY"),
+
+    /*
+    |--------------------------------------------------------------------------
+    | GitHub repository information
+    |--------------------------------------------------------------------------
+    |
+    */
+
+    "owner" => env("NOVA_PUBLISH_OWNER", "norday-agency"),
+    "repository" => env("NOVA_PUBLISH_REPOSITORY"),
 
     /*
     |--------------------------------------------------------------------------
@@ -28,7 +36,7 @@
     | https://api.github.com/repos/grrr-amsterdam/nova-publish/actions/workflows/my-workflow_dispatch-workflow.yml
     |
     */
-    "workflow_path" => "https://api.github.com/path/to/workflow.yml",
+    "workflow" => env("NOVA_PUBLISH_WORKFLOW"),
 
     /*
     |--------------------------------------------------------------------------