hartwigmedical / hmftools

Various algorithms for analysing genomics data
GNU General Public License v3.0

INFRA-653 Switch to Github app authentication #602

Closed nedleitch closed 1 month ago

nedleitch commented 1 month ago

Rather than the PAT (personal access token) linked to my account, switch to using this flow meant for the Github "app" capability.

For testing I configured an app in Github and granted it the required permissions on one of my personal repositories. I generated a private key for it and used the client id and installation id metadata to test the flow implemented in the code.

In the code there is a change to read the private key rather than the PAT, and this has been parameterised instead of hardcoded. The client and installation ids are also passed in and are used in conjunction with the private key to generate a JWT, which is then used to fetch a short-lived token. That token can then be used in the same way as the PAT.

I have also modified the cloudbuild file; a new secret will have to be made and the given parameters added to the build. Finally, there is a separate PR for the build-tools container to add the required JWT library to the Python environment.

This exact code has not been tested but a pretty close analogue has been against my personal Github from my PC. I expect to find some little problems when I actually install it in production on the hmftools repository.
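
The flow described in this PR (private key and client id produce a JWT, which is exchanged for a short-lived installation token), as an added example that is not the PR's code. The function names, the constructed ids and the toy RSA key built from two Mersenne primes are assumptions made so the block runs offline; production code loads the app's PEM key and signs with a maintained JWT library.

```python
import base64, hashlib, json, time, urllib.request

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed toy RSA key from two Mersenne primes: trivially factorable, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def pkcs1_encode(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), k bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message: bytes, n: int, d: int) -> bytes:
    """Textbook RS256 signing; a maintained JWT library does this in production."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(pkcs1_encode(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def build_app_jwt(client_id: str, n: int, d: int, now=None) -> str:
    """JWT identifying the app: issuer is the client id, lifetime under 10 minutes."""
    now = int(time.time() if now is None else now)
    claims = {
        "iat": now - 60,   # backdated to tolerate clock drift
        "exp": now + 540,  # GitHub rejects exp more than 10 minutes ahead
        "iss": client_id,
    }
    parts = ({"alg": "RS256", "typ": "JWT"}, claims)
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), n, d))

def installation_token_request(installation_id: int, app_jwt: str):
    """POST that exchanges the app JWT for a short-lived installation token."""
    return urllib.request.Request(
        f"https://api.github.com/app/installations/{installation_id}/access_tokens",
        method="POST",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {app_jwt}"})

if __name__ == "__main__":
    jwt_text = build_app_jwt("Iv1.constructed-client-id", N, D)  # constructed id
    req = installation_token_request(12345, jwt_text)            # constructed id
    print(req.get_method(), req.full_url)
    # urllib.request.urlopen(req) would return JSON with "token" and "expires_at".
```

The installation token returned by that request expires after one hour, so a build that runs longer has to request a fresh one rather than reuse it the way a PAT would be reused.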