octo-sts / app

A GitHub App that acts like a Security Token Service (STS) for the GitHub API
Apache License 2.0

Enhance Bootstrapping Procedure for new Octo STS Backend #248

Open dnlfdz opened 2 months ago

dnlfdz commented 2 months ago

Background

Today the bootstrapping process requires:

The key import process is currently a bit cumbersome.

Proposed Enhancement

GitHub documentation outlines a way to do it referred to as App Manifest Flow. A GitHub App manifest is a way to share a preconfigured GitHub App registration with other users. The manifest flow allows someone to quickly register a GitHub App.

Other References: https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-a-github-app-from-a-manifest

P.S. Idea from @fproulx in discussion with @mattmoor and @dnlfdz on 2024-05-06

fproulx-boostsecurity commented 2 months ago

Yeah, the way I see it is that the app is initially in pending setup mode and you visit a page like https://sts.example.com/setup/UUID. You get this URL in the log of the app when it starts, so that not just anyone can hook into that web flow. A simple web flow allows someone with Org owner permissions in their browser to complete the flow, ending with the private key in KMS etc.
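The pieces of the flow sketched in the issue and in the comment above, as an added example in Go (not octo-sts code): an unguessable setup token that is logged at startup and checked in constant time, the manifest that the setup page POSTs to GitHub, and the conversion call whose `pem` field is imported straight into KMS. The GitHub endpoints and manifest field names are the documented ones; the `/setup/<token>` path, the field subset and the function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"net/url"
)
// Manifest is the subset of GitHub's documented App manifest fields this example submits.
type Manifest struct {
	Name               string            `json:"name"`
	URL                string            `json:"url"`
	RedirectURL        string            `json:"redirect_url"`
	DefaultPermissions map[string]string `json:"default_permissions"`
}
// Conversion holds the fields of GitHub's conversion response that bootstrapping needs.
type Conversion struct {
	Slug string `json:"slug"`
	PEM  string `json:"pem"` // the app private key: import into KMS, never write to disk
}

// NewSetupToken returns the unguessable value logged at startup and embedded in the
// setup URL (the UUID in the discussion), so only someone who can read the log can start the flow.
func NewSetupToken() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// ValidSetupToken compares the token from the request path with the logged one in constant time.
func ValidSetupToken(got, want string) bool {
	return want != "" && subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}

// ManifestJSON renders the value for the hidden <input name="manifest"> that the
// setup page POSTs to https://github.com/settings/apps/new to register the app.
func ManifestJSON(m Manifest) ([]byte, error) { return json.Marshal(m) }

// ConversionURL is where the redirect handler POSTs the one-time code GitHub appends as ?code=.
func ConversionURL(code string) string {
	return "https://api.github.com/app-manifests/" + url.PathEscape(code) + "/conversions"
}

// ParseConversion decodes the conversion response so the caller can import PEM into KMS.
func ParseConversion(body []byte) (c Conversion, err error) {
	err = json.Unmarshal(body, &c)
	return c, err
}
```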