feat(github): GitHub App authentication #774
Closed
cbartz wants to merge 1 commit into
Pull request overview
Adds GitHub App–based authentication (in addition to PATs) to the charm and the embedded github-runner-manager, including Juju secret handling for the App private key and corresponding docs/tests.
Changes:
- Introduces `GitHubTokenAuth`/`GitHubAppAuth` models and migrates `GitHubConfiguration` from `token` to `auth`.
- Extends charm config/state translation to validate mutually exclusive PAT vs App auth and fetch the App private key from a Juju secret.
- Updates unit/integration tests, documentation, changelog, and CI to cover GitHub App auth.
Reviewed changes
Copilot reviewed 28 out of 28 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/unit/test_factories.py | Updates factory tests to use GitHubConfiguration(auth=...) and adds coverage for selecting auth model. |
| tests/unit/test_charm_state.py | Adds unit tests for PAT-only, App-only, partial App config, and invalid combinations. |
| tests/unit/test_charm.py | Expands config-changed flush/no-flush tests to include new GitHub App config options. |
| tests/unit/factories.py | Adds default values for new GitHub App config options in test factories. |
| tests/unit/conftest.py | Extends the complete_charm_state fixture with new auth-related fields. |
| src/factories.py | Plumbs auth selection into application configuration creation (GitHubConfiguration.auth). |
| src/charm_state.py | Implements PAT/App auth validation and secret lookup for the GitHub App private key; exposes GithubConfig.auth. |
| src/charm.py | Tracks new GitHub App config values in stored state and triggers flush on changes. |
| github-runner-manager/tox.ini | Allows passing GitHub App credential env vars into tox integration runs. |
| github-runner-manager/tests/unit/test_github_client.py | Updates client tests for new constructor and validates PyGithub auth initialization calls. |
| github-runner-manager/tests/unit/test_config.py | Updates config YAML shape and adds validation tests for auth models. |
| github-runner-manager/tests/unit/platform/test_github_provider.py | Ensures platform build uses GitHubConfiguration.auth to construct GithubClient. |
| github-runner-manager/tests/unit/platform/test_factory.py | Updates platform factory test to use GitHubConfiguration(auth=...). |
| github-runner-manager/tests/integration/test_github_app_auth.py | Adds integration test exercising JIT token retrieval via GitHub App auth. |
| github-runner-manager/tests/integration/factories.py | Updates integration config factory to emit github_config.auth.token structure. |
| github-runner-manager/tests/conftest.py | Adds pytest CLI options/env defaults for GitHub App integration credentials. |
| github-runner-manager/src/github_runner_manager/platform/github_provider.py | Switches platform build to pass github_configuration.auth into GithubClient. |
| github-runner-manager/src/github_runner_manager/github_client.py | Refactors GithubClient to accept GitHubAuth and build PyGithub auth accordingly. |
| github-runner-manager/src/github_runner_manager/configuration/github.py | Adds auth model types and replaces GitHubConfiguration.token with auth. |
| github-runner-manager/src/github_runner_manager/configuration/__init__.py | Exports new GitHub auth models/types from the configuration package. |
| github-runner-manager/pyproject.toml | Bumps github-runner-manager version to 0.18.0. |
| docs/reference/token-scopes.md | Documents GitHub App authentication and required permissions alongside PAT scopes. |
| docs/reference/charm-architecture.md | Updates architecture docs to reflect PAT or GitHub App credentials. |
| docs/how-to/change-token.md | Updates how-to to cover switching/rotating GitHub App auth as well as PATs. |
| docs/explanation/security.md | Updates security guidance to prefer GitHub App auth and Juju secret storage. |
| docs/changelog.md | Adds a user-facing changelog entry for GitHub App auth support. |
| charmcraft.yaml | Adds new charm config options for GitHub App auth and tidies whitespace. |
| .github/workflows/test_github_runner_manager.yaml | Adds the new GitHub App auth integration test module to the workflow matrix and passes additional secrets. |
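
Added example, not code from this PR or the project: a sketch of the PAT-versus-App validation the overview describes, covering the PAT-only, App-only, partial App and invalid-combination cases listed for `tests/unit/test_charm_state.py`. Only the class names `GitHubTokenAuth` and `GitHubAppAuth` come from the page; the field names, `select_auth`, and `AuthConfigError` are hypothetical, and the private key is assumed to have been read from the Juju secret already.

```python
from dataclasses import dataclass, field
from typing import Optional, Union


@dataclass(frozen=True)
class GitHubTokenAuth:
    token: str = field(repr=False)  # keep the PAT out of repr() and log lines


@dataclass(frozen=True)
class GitHubAppAuth:
    app_client_id: str  # hypothetical field name
    installation_id: int  # hypothetical field name
    private_key: str = field(repr=False)  # PEM text, never shown in repr()


GitHubAuth = Union[GitHubTokenAuth, GitHubAppAuth]


class AuthConfigError(ValueError):
    """Invalid auth configuration; messages name options, never their values."""


def select_auth(
    token: Optional[str] = None,
    app_client_id: Optional[str] = None,
    installation_id: Optional[str] = None,
    private_key: Optional[str] = None,
) -> GitHubAuth:
    """Return exactly one auth model or raise AuthConfigError."""
    app = {
        "app_client_id": app_client_id,
        "installation_id": installation_id,
        "private_key": private_key,
    }
    app_set = [name for name, value in app.items() if value not in (None, "")]
    has_token = token not in (None, "")
    if has_token and app_set:
        # Refuse ambiguous input instead of silently preferring one credential.
        raise AuthConfigError(
            "token and GitHub App options are mutually exclusive; also set: "
            + ", ".join(app_set)
        )
    if has_token:
        return GitHubTokenAuth(token=token)
    if not app_set:
        raise AuthConfigError("no GitHub credentials configured")
    missing = [name for name in app if name not in app_set]
    if missing:
        raise AuthConfigError("incomplete GitHub App config, missing: " + ", ".join(missing))
    return GitHubAppAuth(app_client_id, int(installation_id), private_key)
```
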
Add GitHub App authentication as an alternative to PAT tokens. Includes configuration models, client changes, and tests.
ed77cc5 to cfb5667
Collaborator
Author
Closing this PR - decided to split functionality into two PRs.
Applicable spec:
Overview
Add GitHub App authentication
Rationale
Juju Events Changes
Module Changes
Library Changes
Checklist
urgent,trivial,complex).github-runner-manager/pyproject.toml.