Open trolit opened 2 years ago
what is your use case?
In short. I've played a bit with Probot framework first to addAssignees, createComment, createReviewComment, createReview under hooked pull request. Then I saw adapter-github to run Probot app via workflow and I've wanted to authenticate as an application to fulfill mentioned requests in the name of app (not via github-actions or any account associated with PAT).
I've managed to do so by passing installation token (generated from APP_ID and PRIVATE_KEY) under GITHUB_TOKEN. I didn't create my own token generator logic. I've just tested one of the available solutions at GitHub.
```yaml
jobs:
  <job name>:
    runs-on: ubuntu-latest
    steps:
      - uses: navikt/github-app-token-generator@v1
        id: get-token
        with:
          private-key: ${{ secrets.PRIVATE_KEY }}
          app-id: ${{ secrets.APP_ID }}
      - uses: actions/checkout@v3
        with:
          repository: '<user>/<repository>'
          ref: 'master'
      - run: npm ci --only=production
      - run: npm start
        env:
          GITHUB_TOKEN: ${{ steps.get-token.outputs.token }}
```
Therefore I've thought that I would share that because adapter-github-actions README claims that:

> You cannot authenticate as the app. [...] you cannot create new tokens [...]

which in my case was misleading. Well I could. I had to either [provide my own token generator logic] or [use one of the external solutions]. I've also tested it by installing GitHub App under private repository, adding APP_ID and PRIVATE_KEY to repository secrets and passing them to GitHub Actions workflow. Every mentioned action from the first sentence (addAssignees, createComment, createReviewComment, createReview) did work as expected.
When sharing that I've also thought that maybe it would be also beneficial when someone uses more than a single workflow that generates content under issues/pull requests and prefers to see where certain parts are coming from and to not use PAT at the same time.
PS: If I've misunderstood something then close the issue 👍
Thanks for sharing your use case. Using a separate action to create an installation access token is how I'd use this action as well. But we can explore allowing to authenticate using app ID / private key instead. We can get the installation ID based on the owner of the current repository.
Would you like to see how that could work and start a PR?
> We can get the installation ID based on the owner of the current repository.

Sounds promising 👍

> Would you like to see how that could work and start a PR?

Not really. Certainly not anytime soon. Please do with issue (or "feature request"?) whatever you decide.
Hello,
thanks for the adapter, it works pretty well. I know that in the docs it is mentioned that:
however I wonder if it really wouldn't be possible to enhance adapter (or create extra add-on to it) and allow to pass APP_ID, PRIVATE_KEY via env instead of GITHUB_TOKEN which would generate app installation token first and then use it in requests?
There are some solutions that offer such thing. I've tested navikt/github-app-token-generator@v1 and it allowed me to authenticate as app. You can check that it worked here. It used following workflow.
It would be awesome if Probot supported it (authentication via app installation token) internally 🙏
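
An added example (not from the thread, and not Probot's or the adapter's own code) of the flow discussed above: sign an app JWT from APP_ID and PRIVATE_KEY, look up the installation that covers the current repository, and request an installation token restricted to that repository. The function names and the `fetchImpl` parameter are assumptions made for illustration; in a workflow, `repository` would come from `GITHUB_REPOSITORY`.

```javascript
const crypto = require('node:crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');

// Sign the short-lived RS256 JWT that identifies the GitHub App itself.
function createAppJwt(appId, privateKeyPem, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  // iat is backdated 60 s for clock drift; exp may be at most 10 minutes ahead.
  const claims = { iat: now - 60, exp: now + 9 * 60, iss: String(appId) };
  const unsigned = `${header}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('RSA-SHA256', Buffer.from(unsigned), privateKeyPem);
  return `${unsigned}.${b64url(signature)}`;
}

// Exchange the JWT for an installation token scoped to a single repository.
// `repository` is "owner/repo"; `permissions` narrows the token further,
// e.g. { issues: 'write', pull_requests: 'write' } for comments and reviews.
// `fetchImpl` (hypothetical parameter) lets a stub replace the network call.
async function getInstallationToken({ appId, privateKey, repository, permissions, fetchImpl = fetch }) {
  const [owner, repo] = repository.split('/');
  const api = async (method, path, body) => {
    const res = await fetchImpl(`https://api.github.com${path}`, {
      method,
      headers: {
        authorization: `Bearer ${createAppJwt(appId, privateKey)}`,
        accept: 'application/vnd.github+json',
        'user-agent': 'app-token-example',
      },
      body: body && JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`${method} ${path} failed with ${res.status}`);
    return res.json();
  };
  // Which installation of this app covers the repository the workflow runs in?
  const installation = await api('GET', `/repos/${owner}/${repo}/installation`);
  // Ask only for this repository, not every repository the installation can reach.
  const { token } = await api('POST', `/app/installations/${installation.id}/access_tokens`,
    { repositories: [repo], permissions });
  return token; // expires after one hour; treat as a secret and never log it
}
```

The returned token is the value the workflow above passes to the app as GITHUB_TOKEN.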