lilydjwg / nvchecker

New version checker for software releases
MIT License

Add support to authenticate via a Github App #134

Closed KarstenSiemer closed 4 years ago

KarstenSiemer commented 4 years ago

Hey! Because of rate-limit and compliance reasons it would be great to be able to authenticate via a GitHub App. Here is documented how to do it. But there is already a project that implemented how to do this. It is github3.py. I'd add a key and environment variables like 'NVCHECKER_GITHUB_APP_ID' & 'NVCHECKER_GITHUB_PRIVATE_KEY_PEM' & 'NVCHECKER_GITHUB_INSTALLATION_ID'. If these are set, the method login_as_app_installation would be used to get a token. Once we have the token, we'd continue as usual.

What do you think about this? Is there a chance to get this merged if I submit a PR?

lilydjwg commented 4 years ago

What's the difference between a GitHub App and a personal access token when used in nvchecker?

There is one problem with github3.py: it's synchronous.

Is there a chance to get this merged if I submit a PR?

I'm rewriting the whole project (on branch nvchecker2) so feature pull requests should be postponed. Also, configuration via environment variables will be replaced by a separate keyfile.

KarstenSiemer commented 4 years ago

Personal access tokens aren't anonymous - they are attached to a "technical" user (or just call them bots). Here in Germany your company can get a confidentiality certification so that you can boast to your customers about your hardened system. Some of these certifications disallow such users and need you to do more dynamic authentication with tokens that can expire. Also, GitHub Apps have dynamic rate limiting: the bigger your organisation, the higher the rate limit you get. We are trying to implement GitHub Apps everywhere possible but are left with a few bot accounts, since they only get a rate limit of 5000, which quite frankly is far from enough for us. And I do feel like there is a trend towards GitHub Apps. They have existed for some time now and they are being implemented more and more. Some implementations are quite stable, some are sadly not very reliable. And I can understand why: there is quite some logic needed to cache these tokens until they run out. The personal access tokens are far easier to implement.
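The flow proposed in the first comment (App ID + private key PEM + installation ID, exchanged for an installation token that is then used "as usual") and the token caching this comment says is the hard part, written out as an added example. This is not nvchecker's or github3.py's code; it assumes the public api.github.com endpoint `POST /app/installations/{id}/access_tokens`, the third-party `cryptography` package for the RS256 signature (imported lazily, only when a real key is used), and a constructed stand-in for the network call in the demo so it runs offline.

```python
"""GitHub App installation-token flow with expiry-aware caching (added example)."""
import base64
import json
import time
import urllib.request
from datetime import datetime, timezone

GITHUB_API = "https://api.github.com"  # assumption: github.com, not a GHES host


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_app_jwt(app_id, now: int, sign_rs256) -> str:
    """Build the short-lived JWT with which a GitHub App authenticates as itself.

    GitHub requires RS256, `iss` = the App ID and `exp` at most 10 minutes
    after `iat`; `iat` is backdated 60 s to absorb clock skew between the
    caller and GitHub. `sign_rs256(data: bytes) -> bytes` is injected so the
    assembly can be exercised without a private key.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iat": now - 60, "exp": now + 9 * 60, "iss": app_id}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    return signing_input + "." + b64url_encode(sign_rs256(signing_input.encode()))


def decode_jwt_parts(token: str):
    """Split a JWT into (header dict, payload dict, raw signature). No verification."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def rs256_signer_from_pem(pem: bytes):
    """Return sign(data)->bytes for the app's RSA private key (needs `cryptography`)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def parse_github_expires_at(text: str) -> float:
    """Convert the API's `expires_at` (e.g. "2016-07-11T22:14:10Z") to Unix time."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def github_fetch_installation_token(app_jwt: str, installation_id, api_base=GITHUB_API):
    """Network call: POST the app JWT, get back (installation token, expiry epoch)."""
    req = urllib.request.Request(
        f"{api_base}/app/installations/{installation_id}/access_tokens",
        data=b"", method="POST",
        headers={"Authorization": f"Bearer {app_jwt}",
                 "Accept": "application/vnd.github+json",
                 "User-Agent": "nvchecker-app-auth-example"},  # assumed UA string
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    return body["token"], parse_github_expires_at(body["expires_at"])


class InstallationTokenCache:
    """Hand out a usable installation token; mint a fresh one (new JWT + API call)
    only when the cached token is within `refresh_margin` seconds of expiring."""

    def __init__(self, app_id, installation_id, sign_rs256,
                 fetch_token=github_fetch_installation_token,
                 clock=time.time, refresh_margin=60):
        self._app_id, self._installation_id = app_id, installation_id
        self._sign, self._fetch, self._clock = sign_rs256, fetch_token, clock
        self._refresh_margin = refresh_margin
        self._token, self._expires_at = None, 0.0
        self.fetch_count = 0  # how many tokens were minted; used by the demo

    def get(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._refresh_margin:
            app_jwt = build_app_jwt(self._app_id, int(now), self._sign)
            self._token, self._expires_at = self._fetch(app_jwt, self._installation_id)
            self.fetch_count += 1
        return self._token


if __name__ == "__main__":
    # Constructed stand-ins: a fake clock, a stub signer and a fake API response.
    clock = [1_600_000_000.0]
    fake_fetch = lambda jwt, inst: ("ghs_constructed_token", clock[0] + 3600)
    cache = InstallationTokenCache(12345, 678, lambda d: b"stub-signature",
                                   fetch_token=fake_fetch, clock=lambda: clock[0])
    cache.get(); clock[0] += 1800; cache.get()          # second call reuses the token
    clock[0] += 1770; cache.get()                       # 30 s before expiry: re-minted
    print(cache.get(), "tokens minted:", cache.fetch_count)
```

With a real key, `rs256_signer_from_pem(open(path, "rb").read())` replaces the stub signer and the default `fetch_token` does the API call; per-installation tokens expire after about an hour, so one cache per installation ID is enough and the 60 s margin avoids handing out a token that dies mid-request.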

lilydjwg commented 4 years ago

I see. Thanks for the explanation.

I'll accept a PR against nvchecker version 2 after the rewrite is done.

KarstenSiemer commented 4 years ago

Ok, then I'll close for now. Thanks

lilydjwg commented 4 years ago

The version 2 is mostly done and documentation available at https://nvchecker.readthedocs.io/en/latest/.