GitHub-App auth demo

Peter-Sh · Peter-Sh · commit 10ed156c4f03 · 2025-12-16T15:02:53.000+02:00
diff --git a/src/redis_release/cli.py b/src/redis_release/cli.py
@@ -321,5 +321,120 @@ def slack_bot(
     )
 
 
+@app.command()
+def test_github_app(
+    github_app_id: str = typer.Option(..., "--github-app-id", help="GitHub App ID"),
+    github_private_key_file: str = typer.Option(
+        ..., "--github-private-key-file", help="Path to GitHub App private key file"
+    ),
+    repo: str = typer.Option(
+        "redis/docker-library-redis",
+        "--repo",
+        help="Repository to test (default: redis/docker-library-redis)",
+    ),
+    workflow_file: str = typer.Option(
+        "release_build_and_test.yml",
+        "--workflow-file",
+        help="Workflow file to dispatch (default: release_build_and_test.yml)",
+    ),
+    workflow_ref: str = typer.Option(
+        "main", "--workflow-ref", help="Git ref to run workflow on (default: main)"
+    ),
+    workflow_inputs: Optional[str] = typer.Option(
+        None,
+        "--workflow-inputs",
+        help='Workflow inputs as JSON string (e.g., \'{"key": "value"}\')',
+    ),
+) -> None:
+    """[TEST] Test GitHub App authentication and workflow dispatch.
+
+    This command tests GitHub App authentication by:
+    1. Loading the private key from file
+    2. Generating a JWT token
+    3. Getting an installation token for the specified repository
+    4. Dispatching a workflow using the installation token
+
+    Example:
+        redis-release test-github-app \\
+            --github-app-id 123456 \\
+            --github-private-key-file /path/to/private-key.pem \\
+            --repo redis/docker-library-redis \\
+            --workflow-file release_build_and_test.yml \\
+            --workflow-ref main \\
+            --workflow-inputs '{"release_tag": "8.4-m01-int1"}'
+    """
+    setup_logging()
+
+    try:
+        import json
+
+        from .github_app_auth import GitHubAppAuth, load_private_key_from_file
+        from .github_client_async import GitHubClientAsync
+
+        # Load private key
+        logger.info(f"Loading private key from {github_private_key_file}")
+        private_key = load_private_key_from_file(github_private_key_file)
+        logger.info("[green]Private key loaded successfully[/green]")
+
+        # Create GitHub App auth helper
+        app_auth = GitHubAppAuth(app_id=github_app_id, private_key=private_key)
+
+        # Get installation token
+        logger.info(f"Getting installation token for repo: {repo}")
+
+        async def get_token_and_dispatch() -> None:
+            token = await app_auth.get_token_for_repo(repo)
+            if not token:
+                logger.error("[red]Failed to get installation token[/red]")
+                raise typer.Exit(1)
+
+            logger.info("[green]Successfully obtained installation token[/green]")
+            logger.info(f"Token (first 20 chars): {token[:20]}...")
+
+            # Parse workflow inputs
+            inputs = {}
+            if workflow_inputs:
+                try:
+                    inputs = json.loads(workflow_inputs)
+                    logger.info(f"Workflow inputs: {inputs}")
+                except json.JSONDecodeError as e:
+                    logger.error(f"[red]Invalid JSON in workflow inputs:[/red] {e}")
+                    raise typer.Exit(1)
+
+            # Create GitHub client with the installation token
+            github_client = GitHubClientAsync(token=token)
+
+            # Dispatch workflow
+            logger.info(
+                f"Dispatching workflow {workflow_file} on {repo} at ref {workflow_ref}"
+            )
+            try:
+                await github_client.trigger_workflow(
+                    repo=repo,
+                    workflow_file=workflow_file,
+                    inputs=inputs,
+                    ref=workflow_ref,
+                )
+                logger.info("[green]Workflow dispatched successfully![/green]")
+                logger.info(
+                    f"Check workflow runs at: https://github.com/{repo}/actions"
+                )
+            except Exception as e:
+                logger.error(f"[red]Failed to dispatch workflow:[/red] {e}")
+                raise typer.Exit(1)
+
+        # Run async function
+        asyncio.run(get_token_and_dispatch())
+
+    except FileNotFoundError:
+        logger.error(
+            f"[red]Private key file not found:[/red] {github_private_key_file}"
+        )
+        raise typer.Exit(1)
+    except Exception as e:
+        logger.error(f"[red]Unexpected error:[/red] {e}", exc_info=True)
+        raise typer.Exit(1)
+
+
 if __name__ == "__main__":
     app()
diff --git a/src/redis_release/github_app_auth.py b/src/redis_release/github_app_auth.py
@@ -0,0 +1,159 @@
+"""GitHub App authentication utilities."""
+
+import logging
+import time
+from typing import Optional
+
+import aiohttp
+import jwt
+
+logger = logging.getLogger(__name__)
+
+
+class GitHubAppAuth:
+    """GitHub App authentication helper."""
+
+    def __init__(self, app_id: str, private_key: str):
+        """Initialize GitHub App authentication.
+
+        Args:
+            app_id: GitHub App ID
+            private_key: GitHub App private key (PEM format)
+        """
+        self.app_id = app_id
+        self.private_key = private_key
+
+    def generate_jwt(self, expiration_seconds: int = 600) -> str:
+        """Generate a JWT for GitHub App authentication.
+
+        Args:
+            expiration_seconds: JWT expiration time in seconds (max 600)
+
+        Returns:
+            JWT token string
+        """
+        now = int(time.time())
+        payload = {
+            "iat": now
+            - 60,  # Issued at time (60 seconds in the past to account for clock drift)
+            "exp": now + expiration_seconds,  # Expiration time
+            "iss": self.app_id,  # Issuer (GitHub App ID)
+        }
+
+        # Generate JWT using RS256 algorithm
+        token = jwt.encode(payload, self.private_key, algorithm="RS256")
+        logger.debug(f"Generated JWT for GitHub App {self.app_id}")
+        return str(token)
+
+    async def get_installation_id(self, repo: str, jwt_token: str) -> Optional[int]:
+        """Get the installation ID for a repository.
+
+        Args:
+            repo: Repository name in format "owner/repo"
+            jwt_token: JWT token for authentication
+
+        Returns:
+            Installation ID or None if not found
+        """
+        url = f"https://api.github.com/repos/{repo}/installation"
+        headers = {
+            "Authorization": f"Bearer {jwt_token}",
+            "Accept": "application/vnd.github+json",
+            "X-GitHub-Api-Version": "2022-11-28",
+        }
+
+        async with aiohttp.ClientSession() as session:
+            async with session.get(url, headers=headers) as response:
+                if response.status == 200:
+                    data = await response.json()
+                    installation_id: Optional[int] = data.get("id")
+                    logger.info(
+                        f"Found installation ID {installation_id} for repo {repo}"
+                    )
+                    return installation_id
+                else:
+                    error_text = await response.text()
+                    logger.error(
+                        f"Failed to get installation ID for {repo}: HTTP {response.status}"
+                    )
+                    logger.error(f"Response: {error_text}")
+                    return None
+
+    async def get_installation_token(
+        self, installation_id: int, jwt_token: str
+    ) -> Optional[str]:
+        """Get an installation access token.
+
+        Args:
+            installation_id: GitHub App installation ID
+            jwt_token: JWT token for authentication
+
+        Returns:
+            Installation access token or None if failed
+        """
+        url = (
+            f"https://api.github.com/app/installations/{installation_id}/access_tokens"
+        )
+        headers = {
+            "Authorization": f"Bearer {jwt_token}",
+            "Accept": "application/vnd.github+json",
+            "X-GitHub-Api-Version": "2022-11-28",
+        }
+
+        async with aiohttp.ClientSession() as session:
+            async with session.post(url, headers=headers) as response:
+                if response.status == 201:
+                    data = await response.json()
+                    token: Optional[str] = data.get("token")
+                    expires_at = data.get("expires_at")
+                    logger.info(
+                        f"Generated installation token (expires at {expires_at})"
+                    )
+                    return token
+                else:
+                    error_text = await response.text()
+                    logger.error(
+                        f"Failed to get installation token: HTTP {response.status}"
+                    )
+                    logger.error(f"Response: {error_text}")
+                    return None
+
+    async def get_token_for_repo(self, repo: str) -> Optional[str]:
+        """Get an installation access token for a specific repository.
+
+        This is a convenience method that combines JWT generation, installation ID lookup,
+        and installation token generation.
+
+        Args:
+            repo: Repository name in format "owner/repo"
+
+        Returns:
+            Installation access token or None if failed
+        """
+        # Generate JWT
+        jwt_token = self.generate_jwt()
+
+        # Get installation ID
+        installation_id = await self.get_installation_id(repo, jwt_token)
+        if not installation_id:
+            return None
+
+        # Get installation token
+        return await self.get_installation_token(installation_id, jwt_token)
+
+
+def load_private_key_from_file(file_path: str) -> str:
+    """Load GitHub App private key from a file.
+
+    Args:
+        file_path: Path to the private key file
+
+    Returns:
+        Private key content as string
+
+    Raises:
+        FileNotFoundError: If the file doesn't exist
+        IOError: If the file can't be read
+    """
+    with open(file_path, "r") as f:
+        return f.read()
diff --git a/src/redis_release/github_client_async.py b/src/redis_release/github_client_async.py
@@ -242,7 +242,8 @@ async def trigger_workflow(
         logger.debug(f"[blue]Triggering workflow[/blue] {workflow_file} in {repo}")
         logger.debug(f"Inputs: {inputs}")
         logger.debug(f"Ref: {ref}")
-        logger.debug(f"Workflow UUID: [cyan]{inputs['workflow_uuid']}[/cyan]")
+        if "workflow_uuid" in inputs:
+            logger.debug(f"Workflow UUID: [cyan]{inputs['workflow_uuid']}[/cyan]")
 
         url = f"https://api.github.com/repos/{repo}/actions/workflows/{workflow_file}/dispatches"
         headers = {
