Github App Authentication Support

[marcelobartsch-jt]

Summary

for github artifacts would be nice to support github app authentication , as it simple to manage access to repositories than using personal access token.

What change needs making?

Implement github jwt authentication for application in workflow/artifacts/git/git.go , "github.com/bradleyfalzon/ghinstallation" is suppose to provide the helpers to do it simply, also new parameters to the 'git' artifact will be needed as 'Private Pem Key', 'Application Id' and 'Installation Id'

Use Cases

When manage a huge number of repos from different teams is simpler to use github app to allow access from the workflow or CI/CD platform to the repos than using Personal Access Tokens, this way , is less human interaction needed

When would you use this?

to checkout code from private github repos

Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.

[marcelobartsch-jt]

I have created a branch in a fork, it is not well done, but is working https://github.com/marcelobartsch/argo-workflows/tree/github-apps it is based against release-3.0 as was the version I was using at the moment

[marcelobartsch-jt]

sample workflow

# This example demonstrates the use of a git repo as a hard-wired input artifact.
# The argo repo is cloned to its target destination at '/src' for the main container to consume.
apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
  name: git-checkout-v3
spec:
  serviceAccountName: argo
  arguments:
    parameters:
      - name: project
        value: hermes
      - name: branch
        value: master
  templates:
    - name: git-clone
      inputs:
        parameters:
          - name: project
          - name: branch
        artifacts:
          - name: argo-source
            path: /src
            git:
              repo: "https://github.com/myorganization/{{ inputs.parameters.project }}.git"
              revision: "{{ inputs.parameters.branch }}"
              applicationIdSecret:
                name: github-app-access-token
                key: appId
              installationIdSecret:
                name: github-app-access-token
                key: installId
              applicationKeySecret:
                name: github-app-access-token
                key: key2
      container:
        image: hseeberger/scala-sbt:11.0.12_1.5.5_2.13.6
        command: [sh, -c]
        args: ["sbt build"]
        workingDir: /src

[crenshaw-dev]

I like the idea of bot access... but as an aside, I think deploy keys are another access option besides personal access tokens.

[marcelobartsch-jt]

the problem with deploy keys and access token, is that you need to go repositoty by repository granting access, making a bit problematic, (we manage 600 repositories owned by many people in github, some on holidays when we needed to added to our CI/CD infrastructure) with Github App, we don't need them to connect, we just allow the application to access the repo in the organization and it is done, also the number of request allowed on github is higher on apps than PAT or deployment keys (latest I'm not that sure)

[joebowbeer]

GitHub App access has been supported in ArgoCD and Argo Events since 2021.

It is the preferred way to grant access to GitHub repos and should be supported by Argo Workflows for the git input artifacts.

[MueR]

I'd like to upvote this one. Using PATs isn't a viable solution.