This PR adds new provider configuration parameters that mirror those in the app_auth block and make it possible to switch between token-based and app-based authentication via environment variables without altering existing provider configuration code. This allows flexibility of using a GitHub app for provider authentication when running in CI (or another automated environment like Atlantis), and using a personal access token when developing locally.
Before the change?
- app_auth {} block is required for app-based provider authentication
- it's not possible to switch between token-based and app-based authentication without modifying provider configuration code

After the change?
- it's possible to use app-based authentication by setting GITHUB_APP_* env vars without an app_auth block in the code
- same code can be used in different environments either with GITHUB_TOKEN or GITHUB_APP_* env vars
Example:
```hcl
provider "github" {
  owner = var.github_owner
}
```
- if GITHUB_TOKEN is set, provider will pick it up
- otherwise, if GITHUB_APP_* are set, provider will use app-based auth and generate an app installation token
Pull request checklist
[ ] Tests for the changes have been added (for bug fixes / features)
Some tests added, but need more work. See below for details ⬇️
[x] Docs have been reviewed and added / updated if needed (for bug fixes / features)
Does this introduce a breaking change?
[x] No
This was intended as a non-breaking change, so the app_auth block is kept and only new (redundant) parameters are added. Existing behavior is preserved.
Provider auth matrix
Here I want to show different configuration scenarios and outcomes before/after. The only new case is in the first line when the GITHUB_APP_* env vars are set but there's no app_auth block in the code: before it would be an error (app vars would be ignored), but now it works as an app-based configuration.
| GITHUB_APP_* | GITHUB_TOKEN | app_auth {} | Before | After | |
|---|---|---|---|---|---|
| ✔ | | | ❌ error | 🤖 app | new: no app_auth block needed |
| | ✔ | | 🔑 token | 🔑 token | just token auth |
| ✔ | ✔ | | 🔑 token | 🔑 token | prioritize token for compatibility |
| ✔ | ✔ | ✔ | 🤖 app | 🤖 app | prioritize app auth for compatibility |
| ✔ | | ✔ | 🤖 app | 🤖 app | app_auth {} is redundant |
| | | ✔ | ❌ error | ❌ error | only app_auth {} with no values |
Tests
I'm new to Go, so I need some help to write proper tests for this. I tried manual testing in examples/app_authentication and it worked.
I also added some tests in provider_test.go following the pattern of existing test cases. But in those tests parameters are set explicitly and I'm not sure how to test the behavior of picking up parameters from the environment variables (with an empty provider configuration).
I would love to add tests for all of the cases in the matrix above, but I don't know how to approach it code-wise. Guidance would be highly appreciated 🙏
Code review
The main code change in provider.go nested existing code in an if block, so it's much easier to see the actual change if you review it with whitespace changes ignored.
Resolves #1877
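
The precedence in the "After" column of the matrix, written as a Go function that takes the environment lookup as a parameter so every row can be checked without touching the process environment. This is an added example, not code from the PR or the provider: `resolveAuthMode` and `fakeEnv` are hypothetical names, "GITHUB_APP_* set" is assumed to mean all three app variables the provider documents are non-empty, and results for combinations outside the matrix are this example's choice.

```go
package main

import (
	"errors"
	"fmt"
)

// Auth modes from the "After" column; "none" (nothing set) is not in the matrix.
const ModeToken, ModeApp, ModeNone = "token", "app", "none"

var errIncompleteApp = errors.New("app_auth block present but app credentials are missing")

// appVars are the env names the provider documents for the app_auth fields.
var appVars = []string{"GITHUB_APP_ID", "GITHUB_APP_INSTALLATION_ID", "GITHUB_APP_PEM_FILE"}

// resolveAuthMode is a hypothetical helper, not the provider's code.
// lookup has the shape of os.LookupEnv so tests can pass a map-backed fake.
func resolveAuthMode(lookup func(string) (string, bool), hasAppAuthBlock bool) (string, error) {
	appSet := true // assumption: all three app variables must be non-empty
	for _, name := range appVars {
		if v, ok := lookup(name); !ok || v == "" {
			appSet = false
		}
	}
	token, _ := lookup("GITHUB_TOKEN")

	switch {
	case hasAppAuthBlock && appSet:
		return ModeApp, nil // rows 4 and 5: explicit block wins, even over a token
	case hasAppAuthBlock:
		return "", errIncompleteApp // row 6: a block with no values is an error
	case token != "":
		return ModeToken, nil // rows 2 and 3: token keeps priority without a block
	case appSet:
		return ModeApp, nil // row 1: the new env-only app case
	}
	return ModeNone, nil
}

// fakeEnv returns a lookup over a constructed map instead of the process env.
func fakeEnv(m map[string]string) func(string) (string, bool) {
	return func(k string) (string, bool) { v, ok := m[k]; return v, ok }
}

func main() {
	env := fakeEnv(map[string]string{"GITHUB_APP_ID": "1", "GITHUB_APP_INSTALLATION_ID": "2", "GITHUB_APP_PEM_FILE": "constructed"})
	fmt.Println(resolveAuthMode(env, false)) // row 1
}
```

To exercise the real environment path instead of a fake, `t.Setenv` (Go 1.17+) sets a variable for a single test and restores it afterwards, and `os.LookupEnv` can be passed as `lookup`.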