Closed armenzg closed 1 year ago
Under my new org I followed these steps to create a new app.
-> https://github.com/organizations/armenzg-dev/settings/apps
I've given it Actions permissions (read-only):
I've set a Webhook URL (to our current deployment) and a secret:
Because of the given permission I need to select a subset. I've chosen "Workflow job" because I already have it working with it.
For now, I have restricted it to this account:
I do not know if any of these need to be set:
I'm asked to generate a private key for the app.
It seems the private key gets downloaded to my machine.
From the docs:
To authenticate as a GitHub App, generate a private key in PEM format and download it to your local machine. You'll use this key to sign a JSON Web Token (JWT) and encode it using the RS256 algorithm. GitHub checks that the request is authenticated by verifying the token with the app's stored public key.
I've installed it to the org:
Landed code for this: https://github.com/getsentry/sentry-github-actions-app/pull/32
I need to transfer the org to getsentry and enable the GitHub App mode by adding the GH_APP_ID as an env variable.
This got done ages ago.
The app is currently set up to use a GitHub webhook and a token.
Currently, the app can be set up with:
The usage of the tokens from either option has the security risk of the token being stolen from the app. Using a GitHub app approach increases the security and allows external customers to easily install it on their GitHub orgs. The GitHub app can request webhook access and security permissions (read from workflows APIs for public and private repos).
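The setup steps above configure a webhook secret and subscribe the app to "Workflow job" events. The following is an added example, not part of the thread or of the project's code, showing how a receiving deployment can authenticate such a delivery by checking GitHub's `X-Hub-Signature-256` header before parsing the body. The secret, the sample payload, the function names and the plain-dict header lookup are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values; a real secret comes from the app's webhook settings.
SECRET = b"constructed-test-secret"
BODY = json.dumps(
    {"action": "completed", "workflow_job": {"id": 1, "conclusion": "success"}}
).encode()


def sign(secret: bytes, body: bytes) -> str:
    """Header value GitHub sends: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def accept_delivery(secret: bytes, headers: dict, body: bytes):
    """Return the parsed workflow_job payload, or None if the delivery is rejected.

    Assumption: headers is a plain dict keyed by the exact header names; a web
    framework's case-insensitive header object would be used in practice.
    """
    received = headers.get("X-Hub-Signature-256", "")
    expected = sign(secret, body)
    # Constant-time comparison over the raw bytes exactly as received;
    # re-serialised JSON would produce a different digest.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    # Only the event type the app subscribed to is processed.
    if headers.get("X-GitHub-Event") != "workflow_job":
        return None
    # Parse only after the signature has been verified.
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict) or "workflow_job" not in payload:
        return None
    return payload


if __name__ == "__main__":
    headers = {
        "X-Hub-Signature-256": sign(SECRET, BODY),
        "X-GitHub-Event": "workflow_job",
    }
    print(accept_delivery(SECRET, headers, BODY))
    print(accept_delivery(SECRET, headers, BODY + b" "))  # tampered body
```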