pact-foundation / pact_broker

Enables your consumer driven contracts workflow
http://pactflow.io
MIT License
708 stars 176 forks source link

Webhooks: trigger GitHub APIs using App Installation Tokens instead of PATs #690

Open canny[bot] opened 5 months ago

canny[bot] commented 5 months ago

To be able to use the GitHub App mechanism to trigger API endpoints for the webhooks you need to be enable to store the GitHub App's certificate in the pactflow broker. Besides the certificate also the GitHub App's identifier / installation id needs to be stored. Once the certificate is available, the following steps need to be consider for authentication:

1. Generate and sign a JWT token using the app's private key: https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app

This token is valid for maximum 10 minutes.

2. Use the JWT token from step 1 and create an installation token: https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation

$ curl -i -X POST -H "Authorization: Bearer YOUR_JWT" -H "Accept: application/vnd.github+json" https://api.github.com/app/installations/:installation_id/access_tokens

This Bearer Token is valid for 60 minutes

3. Call the webhook/GitHub API with the Bearer Token from step 2.

Thanks

https://pact.canny.io/admin/board/feature-requests/p/webhooks-trigger-github-apis-using-app-installation-tokens-instead-of-pats

canny[bot] commented 5 months ago

This issue has been linked to a Canny post: Webhooks: trigger GitHub APIs using App Installation Tokens instead of PATs :tada: