Merge pull request #16 from octokit-cr/github-app-auth

GitHub App Authentication

Author: GrantBirki

examples/github_app_authentication/auth.cr

@@ -0,0 +1,29 @@
+require "../../src/octokit"
+require "./github_app_auth"
+
+class AuthenticationError < Exception
+end
+
+module GitHubAuthentication
+  def self.login(client : Octokit::Client? = nil)
+    if client
+      puts "using pre-provided client"
+      return client
+    end
+
+    if ENV["GITHUB_APP_ID"]? && ENV["GITHUB_APP_INSTALLATION_ID"]? && ENV["GITHUB_APP_PRIVATE_KEY"]?
+      puts "using github app authentication"
+      return GitHubApp.new
+    end
+
+    if token = ENV["GITHUB_TOKEN"]?
+      puts "using github token authentication"
+      octokit = Octokit.client(access_token: token)
+      octokit.auto_paginate = true
+      octokit.per_page = 100
+      return octokit
+    end
+
+    raise AuthenticationError.new("No valid GitHub authentication method was provided")
+  end
+end

examples/github_app_authentication/github_app_auth.cr

@@ -0,0 +1,87 @@
+# This class provides a wrapper around the Octokit client for GitHub App authentication.
+# It handles token generation and refreshing, and delegates method calls to the Octokit client.
+# Helpful: https://github.com/octokit/handbook?tab=readme-ov-file#github-app-authentication-json-web-token
+#
+# Usage (examples):
+# github = GitHubApp.new
+# github.get "/meta"
+# github.get "/repos/<org>/<repo>"
+# github.user "grantbirki"
+
+# Why? In some cases, you may not want to have a static long lived token like a GitHub PAT when authenticating...
+# Most importantly, this class will handle automatic token refreshing for you out-of-the-box. Simply provide the...
+# correct environment variables, call `GitHubApp.new`, and then use the returned object as you would an Octokit client.
+
+require "../../src/octokit"
+require "jwt"
+require "openssl"
+require "json"
+
+class GitHubApp
+  TOKEN_EXPIRATION_TIME = 2700 # 45 minutes
+  JWT_EXPIRATION_TIME   =  600 # 10 minutes
+
+  @client : Octokit::Client
+  @app_id : Int32
+  @installation_id : Int32
+  @app_key : String
+
+  def initialize
+    @app_id = fetch_env_var("GITHUB_APP_ID").to_i
+    @installation_id = fetch_env_var("GITHUB_APP_INSTALLATION_ID").to_i
+    @app_key = fetch_env_var("GITHUB_APP_PRIVATE_KEY").gsub(/\\+n/, "\n")
+    @token_refresh_time = Time.unix(0)
+    @client = create_client
+  end
+
+  private def fetch_env_var(key : String) : String
+    ENV[key]? || raise "environment variable #{key} is not set"
+  end
+
+  private def client
+    if @client.nil? || token_expired?
+      @client = create_client
+    end
+    @client
+  end
+
+  private def jwt_token : String
+    private_key = OpenSSL::PKey::RSA.new(@app_key)
+    payload = {
+      "iat" => Time.utc.to_unix - 60,
+      "exp" => Time.utc.to_unix + JWT_EXPIRATION_TIME,
+      "iss" => @app_id,
+    }
+    JWT.encode(payload, private_key.to_pem, JWT::Algorithm::RS256)
+  end
+
+  private def create_client
+    tmp_client = Octokit.client(bearer_token: jwt_token)
+    response = tmp_client.create_app_installation_access_token(@installation_id, **{headers: {authorization: "Bearer #{tmp_client.bearer_token}"}})
+    access_token = JSON.parse(response)["token"].to_s
+
+    client = Octokit.client(access_token: access_token)
+    client.auto_paginate = true
+    client.per_page = 100
+    @token_refresh_time = Time.utc
+    client
+  end
+
+  private def token_expired? : Bool
+    Time.utc.to_unix - @token_refresh_time.to_unix > TOKEN_EXPIRATION_TIME
+  end
+
+  macro method_missing(call)
+    {% if call.block %}
+      client.{{call.name}}({{*call.args}}) do |{{call.block.args}}|
+        {{call.block.body}}
+      end
+    {% else %}
+      client.{{call.name}}({{*call.args}})
+    {% end %}
+  end
+
+  def respond_to_missing?(method_name : Symbol, include_private : Bool = false) : Bool
+    client.respond_to?(method_name) || super
+  end
+end

examples/github_app_authentication/main.cr

@@ -0,0 +1,5 @@
+require "./auth"
+
+github = GitHubAuthentication.login
+
+github.add_comment("<owner>/<repo>", 123, "some comment here")

script/acceptance

@@ -1,11 +1,6 @@
 #!/bin/bash
 
-# COLORS
-OFF='\033[0m'
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BLUE='\033[0;34m'
-PURPLE='\033[0;35m'
+source script/setup-env $@
 
 # set the working directory to the root of the project
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd .. && pwd )"

script/all

@@ -1,17 +1,9 @@
 #!/bin/bash
 
-# COLORS
-OFF='\033[0m'
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BLUE='\033[0;34m'
-PURPLE='\033[0;35m'
+source script/setup-env $@
 
 # runs all formatting scripts and tests at once
 
-# set the working directory to the root of the project
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd .. && pwd )"
-
 set -e
 
 script/format

script/bootstrap

@@ -2,23 +2,7 @@
 
 set -e
 
-# COLORS
-OFF='\033[0m'
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BLUE='\033[0;34m'
-PURPLE='\033[0;35m'
-YELLOW='\033[0;33m'
-
-# set the working directory to the root of the project
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd .. && pwd )"
-VENDOR_DIR="$DIR/vendor"
-SHARDS_CACHE_PATH="$VENDOR_DIR/.cache/shards"
-SHARDS_INSTALL_PATH="$VENDOR_DIR/shards/install"
-
-if [[ "$@" == *"--ci"* ]]; then
-  source script/ci-env
-fi
+source script/setup-env $@
 
 crystal_path_var="$(crystal env CRYSTAL_PATH)"
 # if the crystal_path_var does not contain 'vendor/shards/install' then we need to add it to the CRYSTAL_PATH
@@ -49,9 +33,9 @@ if [[ "$OSTYPE" == "linux-gnu"* ]]; then
 elif [[ "$OSTYPE" == "darwin"* ]]; then
   os="mac"
 
-  # if CRYSTAL_OPTS is not set to `--link-flags=-Wl,-ld_classic` then print a warning
-  if [[ -z "$CRYSTAL_OPTS" || "$CRYSTAL_OPTS" != "--link-flags=-Wl,-ld_classic" ]]; then
-    compatability_warning="⚠️ ${YELLOW}Warning${OFF}: crystal may have issues on macOS due to -> https://github.com/crystal-lang/crystal/issues/13846. If you have issues, please consider exporting the following env vars in your terminal -> https://github.com/GrantBirki/dotfiles/blob/d57db3e4167aa5ae7766c5e544f38ead111f040c/dotfiles/.bashrc#L199"
+  # if CRYSTAL_OPTS is not set to `--link-flags=-Wl` then print a warning
+  if [[ -z "$CRYSTAL_OPTS" || "$CRYSTAL_OPTS" != "--link-flags=-Wl" ]]; then
+    compatability_warning="⚠️ ${YELLOW}Warning${OFF}: please consider exporting the following env vars in your terminal -> https://github.com/GrantBirki/dotfiles/blob/42526c0004cd7562883e5019db8e462e8f307e6a/dotfiles/.bashrc#L201"
   fi
 
 elif [[ "$OSTYPE" == "cygwin" ]]; then
@@ -88,7 +72,7 @@ if [[ "$@" == *"--ci"* ]]; then
 fi
 
 # install the shards
-SHARDS_CACHE_PATH="$SHARDS_CACHE_PATH" SHARDS_INSTALL_PATH="$SHARDS_INSTALL_PATH" shards install --local --frozen $ci_flags $@
+shards install --local --frozen $ci_flags $@
 
 # shards install often wipes out our custom shards sha256 file so we need to recompute it if they are gone
 script/compute-dep-shas

script/build

@@ -2,18 +2,7 @@
 
 set -e
 
-# COLORS
-OFF='\033[0m'
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BLUE='\033[0;34m'
-PURPLE='\033[0;35m'
-
-# set the working directory to the root of the project
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd .. && pwd )"
-VENDOR_DIR="$DIR/vendor"
-SHARDS_CACHE_PATH="$VENDOR_DIR/.cache/shards"
-SHARDS_INSTALL_PATH="$VENDOR_DIR/shards/install"
+source script/setup-env $@
 
 if [[ "$CI" == "true" ]]; then
   source script/ci-env
@@ -27,5 +16,5 @@ if [[ "$@" == *"--production"* ]] || [[ "$CRYSTAL_ENV" == "production" ]]; then
 fi
 
 echo -e "🔨 ${BLUE}building in ${PURPLE}release${BLUE} mode${OFF}"
-SHARDS_CACHE_PATH="$SHARDS_CACHE_PATH" SHARDS_INSTALL_PATH="$SHARDS_INSTALL_PATH" shards build --production --release --progress --debug --error-trace
+shards build --production --release --progress --debug --error-trace
 echo -e "📦 ${GREEN}build complete${OFF}"

script/compute-dep-shas

@@ -1,20 +1,11 @@
 #!/bin/bash
 
-# set the working directory to the root of the project
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd .. && pwd )"
-VENDOR_DIR="$DIR/vendor"
-SHARDS_CACHE_PATH="$VENDOR_DIR/.cache/shards"
-SHARDS_INSTALL_PATH="$VENDOR_DIR/shards/install"
-SHARDS_CACHED="$VENDOR_DIR/shards/cache"
+source script/setup-env $@
 
-SHARD_SHA_FILE=".shard.vendor.cache.sha256"
-
-file="vendor/shards/install/.shards.info"
-
-if [ -f "$VENDOR_DIR/shards/install/.shards.info" ]; then
+if [ -f "$VENDOR_SHARDS_INFO_FILE" ]; then
 
   # Use yq to parse the file and extract shard names and versions
-  shards=$(yq eval '.shards | to_entries | .[] | "\(.key)|\(.value.git)|\(.value.version)"' $file)
+  shards=$(yq eval '.shards | to_entries | .[] | "\(.key)|\(.value.git)|\(.value.version)"' $VENDOR_SHARDS_INFO_FILE)
 
   # Loop over each shard
   echo "$shards" | while IFS= read -r shard; do

script/format

@@ -2,19 +2,7 @@
 
 set -e
 
-# COLORS
-OFF='\033[0m'
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BLUE='\033[0;34m'
-PURPLE='\033[0;35m'
-
-# set the working directory to the root of the project
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd .. && pwd )"
-
-if [[ "$CI" == "true" ]]; then
-  source script/ci-env
-fi
+source script/setup-env $@
 
 echo -e "🧹 ${BLUE}formatting ${PURPLE}crystal${BLUE} files...${OFF}"
 

script/lint

@@ -2,19 +2,7 @@
 
 set -e
 
-# COLORS
-OFF='\033[0m'
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BLUE='\033[0;34m'
-PURPLE='\033[0;35m'
-
-# set the working directory to the root of the project
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd .. && pwd )"
-
-if [[ "$CI" == "true" ]]; then
-  source script/ci-env
-fi
+source script/setup-env $@
 
 echo -e "🖌️  ${BLUE}linting ${PURPLE}crystal${BLUE} files..."
 

script/postinstall

@@ -1,17 +1,6 @@
 #!/bin/bash
 
-# set the working directory to the root of the project
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd .. && pwd )"
-VENDOR_DIR="$DIR/vendor"
-SHARDS_INSTALL_PATH="$VENDOR_DIR/shards/install"
-
-LINUX_VENDOR_DIR="$VENDOR_DIR/linux_x86_64/bin"
-DARWIN_VENDOR_DIR_X64="$VENDOR_DIR/darwin_x86_64/bin"
-DARWIN_VENDOR_DIR_ARM64="$VENDOR_DIR/darwin_arm64/bin"
-
-if [[ "$CI" == "true" ]]; then
-  source script/ci-env
-fi
+source script/setup-env $@
 
 mkdir -p "$DIR/bin"
 
@@ -55,7 +44,7 @@ if [[ ! "$@" == *"--production"* ]]; then
   # ensure the ameba binary is built and available in the bin directory
   AMEBA_UP_TO_DATE=false
   # first, check the version of the ameba binary in the lock file
-  AMEBA_VERSION=$(SHARDS_INSTALL_PATH="$SHARDS_INSTALL_PATH" shards list | grep ameba | awk '{print $3}' | tr -d '()')
+  AMEBA_VERSION=$(shards list | grep ameba | awk '{print $3}' | tr -d '()')
 
   # if the bin/ameba binary exists, check if it is the correct version
   if [ -f "$DIR/bin/ameba" ]; then

script/preinstall

@@ -2,7 +2,6 @@
 
 set -e
 
-# set the working directory to the root of the project
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd .. && pwd )"
+source script/setup-env $@
 
 mkdir -p "$DIR/bin"

script/server

@@ -2,7 +2,6 @@
 
 set -e
 
-# set the working directory to the root of the project
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd .. && pwd )"
+source script/setup-env $@
 
-SHARDS_CACHE_PATH="$DIR/.cache/shards" shards run --release --debug --error-trace
+shards run --release --debug --error-trace -- $@

script/setup-env

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -e
+
+export OFF='\033[0m'
+export RED='\033[0;31m'
+export GREEN='\033[0;32m'
+export BLUE='\033[0;34m'
+export PURPLE='\033[0;35m'
+
+# set the working directory to the root of the project
+export DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd .. && pwd )"
+
+export CRYSTAL_VERSION=$(cat "$DIR/.crystal-version")
+
+# set common variables
+export VENDOR_DIR="$DIR/vendor"
+export SHARDS_CACHE_PATH="$VENDOR_DIR/.cache/shards"
+export SHARDS_INSTALL_PATH="$VENDOR_DIR/shards/install"
+export SHARDS_CACHED="$VENDOR_DIR/shards/cache"
+export SHARD_SHA_FILE=".shard.vendor.cache.sha256"
+export VENDOR_SHARDS_INFO_FILE="vendor/shards/install/.shards.info"
+
+# common vendor dirs for binaries
+export LINUX_VENDOR_DIR="$VENDOR_DIR/linux_x86_64/bin"
+export DARWIN_VENDOR_DIR_X64="$VENDOR_DIR/darwin_x86_64/bin"
+export DARWIN_VENDOR_DIR_ARM64="$VENDOR_DIR/darwin_arm64/bin"
+
+# if --production was provided, always ensure CRYSTAL_ENV is set to production
+if [[ "$@" == *"--production"* ]]; then
+  export CRYSTAL_ENV="production"
+fi
+
+if [[ "$@" == *"--production"* ]] || [[ "$CRYSTAL_ENV" == "production" ]] || [[ "$CI" == "true" ]]; then
+  crystal_path_var="$(crystal env CRYSTAL_PATH)"
+
+  # if the crystal_path_var does not contain 'vendor/shards/install' then we need to add it to the CRYSTAL_PATH
+  if [[ "$crystal_path_var" != *"vendor/shards/install"* ]]; then
+    echo "setting CRYSTAL_PATH to include vendored shards - reason: --production flag passed or CRYSTAL_ENV is set to production or CI is true"
+    export CRYSTAL_PATH="vendor/shards/install:$(crystal env CRYSTAL_PATH)"
+  fi
+fi
+
+if [[ "$OSTYPE" == "darwin"* && "$CI" == "true" ]]; then
+  # only set the CRYSTAL_OPTS if it is not set or if it does not contain "-Wl"
+  if [[ -z "$CRYSTAL_OPTS" || "$CRYSTAL_OPTS" != *"-Wl"* ]]; then
+    echo "setting custom macos CRYSTAL_OPTS for CI"
+    export CRYSTAL_OPTS="--link-flags=-Wl"
+  fi
+fi