Allow to authenticate as the app via app installation token? #54

Open
trolit opened this issue Sep 10, 2022 · 4 comments

trolit commented Sep 10, 2022

Hello,

thanks for the adapter, it works pretty well. I know that in the docs it is mentioned that:

> You cannot authenticate as the app.
>
> [..] you cannot create new tokens or renew the provided one. [...] You could provide a personal access token instead of secrets.GITHUB_TOKEN to workaround the limits of a repository-scoped token, but be sure you know what you are doing.

However, I wonder if it really wouldn't be possible to enhance the adapter (or create an extra add-on to it) and allow passing APP_ID and PRIVATE_KEY via env instead of GITHUB_TOKEN, which would generate an app installation token first and then use it in requests?

There are some solutions that offer such a thing. I've tested navikt/github-app-token-generator@v1 and it allowed me to authenticate as the app. You can check that it worked here. It used the following workflow.

It would be awesome if Probot supported it (authentication via app installation token) internally 🙏

Contributor

gr2m commented Sep 10, 2022

What is your use case?

Author

trolit commented Sep 12, 2022

In short: I've played a bit with the Probot framework first to addAssignees, createComment, createReviewComment, createReview under a hooked pull request. Then I saw adapter-github to run a Probot app via workflow and I wanted to authenticate as an application to fulfill the mentioned requests in the name of the app (not via github-actions or any account associated with a PAT).

I've managed to do so by passing an installation token (generated from APP_ID and PRIVATE_KEY) under GITHUB_TOKEN. I didn't create my own token generator logic. I've just tested one of the available solutions at GitHub.

```yaml
jobs:
   <job name>:
       runs-on: ubuntu-latest
       steps:
           - uses: navikt/github-app-token-generator@v1
             id: get-token
             with:
                 private-key: ${{ secrets.PRIVATE_KEY }}
                 app-id: ${{ secrets.APP_ID }}

           - uses: actions/checkout@v3
             with:
                 repository: '<user>/<repository>'
                 ref: 'master'

           - run: npm ci --only=production

           - run: npm start
             env:
                 GITHUB_TOKEN: ${{ steps.get-token.outputs.token }}
```

Therefore I've thought that I would share that because adapter-github-actions README claims that:

> You cannot authenticate as the app. [...] you cannot create new tokens [...]

which in my case was misleading. Well I could. I had to either [provide my own token generator logic] or [use one of the external solutions]. I've also tested it by installing GitHub App under private repository, adding APP_ID and PRIVATE_KEY to repository secrets and passing them to GitHub Actions workflow. Every mentioned action from the first sentence (addAssignees, createComment, createReviewComment, createReview) did work as expected.

When sharing that I've also thought that maybe it would be also beneficial when someone uses more than single workflow that generates content under issues/pull requests and prefers to see where certain parts are coming from and to not use PAT at the same time.

PS: If I've misunderstood something then close the issue 👍

Contributor

gr2m commented Sep 12, 2022

Thanks for sharing your use case. Using a separate action to create an installation access token is how I'd use this action as well. But we can explore allowing to authenticate using app ID / private key instead. We can get the installation ID based on the owner of the current repository.

Would you like to see how that could work and start a PR?

Author

trolit commented Sep 13, 2022

> We can get the installation ID based on the owner of the current repository.

Sounds promising 👍

> Would you like to see how that could work and start a PR?

Not really. Certainly not anytime soon. Please do with the issue (or "feature request"?) whatever you decide.
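
The exchange discussed in this thread (app ID and private key in, installation token out), sketched as an added example; it is not code from the adapter, from Probot, or from either participant. It assumes Node.js and GitHub's REST endpoints for looking up a repository's installation and creating an installation access token; `createAppJwt`, `getInstallationToken` and `demo` are hypothetical names, and the key pair, installation ID and token in `demo` are constructed so the block runs offline.

```javascript
const crypto = require('node:crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');

// App JWT per GitHub's rules: RS256, iss = app ID, expiry at most 10 minutes ahead.
function createAppJwt(appId, privateKeyPem, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  // iat is backdated 60 s to tolerate clock drift between the runner and GitHub.
  const payload = b64url(JSON.stringify({ iat: now - 60, exp: now + 540, iss: appId }));
  const signingInput = `${header}.${payload}`;
  const signature = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKeyPem);
  return `${signingInput}.${b64url(signature)}`;
}

// Exchange the JWT for an installation token scoped to the current repository only.
async function getInstallationToken({ appId, privateKey, owner, repo, fetchImpl = fetch }) {
  const jwt = createAppJwt(appId, privateKey);
  const call = async (method, path, body) => {
    const res = await fetchImpl(`https://api.github.com${path}`, {
      method,
      headers: { authorization: `Bearer ${jwt}`, accept: 'application/vnd.github+json' },
      body: body && JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`${method} ${path} failed with HTTP ${res.status}`);
    return res.json();
  };
  // The installation is found from the repository the workflow runs in.
  const { id } = await call('GET', `/repos/${owner}/${repo}/installation`);
  // "repositories" narrows the token to this repo even if the app is installed on more.
  const { token, expires_at: expiresAt } = await call(
    'POST', `/app/installations/${id}/access_tokens`, { repositories: [repo] });
  return { token, expiresAt };
}

// Constructed demo inputs: throwaway key pair and a stub fetch, so nothing leaves the machine.
function demo() {
  const pair = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const calls = [];
  const fetchImpl = async (url, init) => {
    calls.push(`${init.method} ${new URL(url).pathname}`);
    const body = url.endsWith('/installation')
      ? { id: 42 }
      : { token: 'ghs_constructed', expires_at: '2022-09-12T11:00:00Z' };
    return { ok: true, status: 200, json: async () => body };
  };
  const privateKey = pair.privateKey.export({ type: 'pkcs8', format: 'pem' });
  return { privateKey, publicKey: pair.publicKey, calls, fetchImpl };
}
```

In a workflow, `owner` and `repo` would come from splitting `GITHUB_REPOSITORY`, and the returned token should be masked in logs (for example with the `::add-mask::` workflow command) before it is handed to later steps.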
