GitHub App Authentication

[GrantBirki]

GitHub App Authentication (starter)

This pull request adds the very base logic to this library to authenticate a GitHub app.

Example

Now you can run:

require "octokit"
require "jwt"
require "openssl"

# A helper function for encoding JWTs
# :param client_id [String] the client ID of the GitHub App
# :param private_key_path [String] the path to the private key file for the GitHub App
# :return [String] the encoded JWT
def encode(client_id : String, private_key_path : String) : String
  private_pem = File.read(private_key_path)
  private_key = OpenSSL::PKey::RSA.new(private_pem).to_pem

  payload = {
    "iss" => client_id,
    "exp" => Time.utc.to_unix + (10 * 60), # 10 minutes from now
    "iat" => Time.utc.to_unix - 60,        # to account for clock drift
  }

  JWT.encode(payload, private_key, JWT::Algorithm::RS256)
end

jwt = encode("client_id_here", "./path/to/private-key.pem")

# Create a new Octokit Client using the jwt
github = Octokit.client(bearer_token: jwt)
github.auto_paginate = true
github.per_page = 100

options = {headers: {authorization: "Bearer #{github.bearer_token}"}}

installations = JSON.parse(github.find_installations(**options).records.to_json)

first_installation = installations[0]
installation_id = first_installation["id"].to_s.to_i

puts "First Installation ID: #{installation_id}"

token = github.create_app_installation_access_token(installation_id, **options)

puts "Token: #{token}"

Result:

$ crystal run tmp/test.cr
First Installation ID: 12345678
Token: {"token":"<redacted>","expires_at":"2024-07-30T22:38:50Z","permissions":{"contents":"read","issues":"write","metadata":"read"},"repository_selection":"selected"}

[GrantBirki]

@watzon let me know what you think here. This is by no means a full implementation of client/apps but its a start with a few working methods.