Feat/app token refresh #2695
Open
Feat/app token refresh #2695
+202
−3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ations#977) This commit addresses issue integrations#977 by introducing an automatic token refresh mechanism for GitHub App-based authentication. When using short-lived GitHub App tokens (JWT + installation token), the provider now refreshes the token transparently before expiry, avoiding auth failures during long-lived Terraform runs or plan/apply cycles. Key enhancements: - Added `NewRefreshingTokenSource()` to wrap token acquisition and refresh. - Refactored `Config.AuthenticatedHTTPClient()` to detect GitHub App env vars (`GITHUB_APP_ID`, `GITHUB_APP_INSTALLATION_ID`, `GITHUB_APP_PEM` or `GITHUB_APP_PEM_FILE`) and enable refreshable OAuth2 token source. - Fallbacks gracefully to using a Personal Access Token (PAT) when `GITHUB_TOKEN` is set. - Environment-based discovery of GitHub App credentials avoids Terraform schema changes. - Added unit tests covering: - Refreshing logic (initial, expired, and error conditions) - Config behavior (anonymous and authenticated client behavior) - Error cases for missing App ID, installation ID, or PEM - No change to existing configuration schema or behavior for current users using PAT-based authentication. This upgrade enables more resilient GitHub App usage and prepares the provider for robust automation scenarios.
…ations#977) This commit addresses issue integrations#977 by introducing an automatic token refresh mechanism for GitHub App-based authentication. When using short-lived GitHub App tokens (JWT + installation token), the provider now refreshes the token transparently before expiry, avoiding auth failures during long-lived Terraform runs or plan/apply cycles. Key enhancements: - Added `NewRefreshingTokenSource()` to wrap token acquisition and refresh. - Refactored `Config.AuthenticatedHTTPClient()` to detect GitHub App env vars (`GITHUB_APP_ID`, `GITHUB_APP_INSTALLATION_ID`, `GITHUB_APP_PEM` or `GITHUB_APP_PEM_FILE`) and enable refreshable OAuth2 token source. - Fallbacks gracefully to using a Personal Access Token (PAT) when `GITHUB_TOKEN` is set. - Environment-based discovery of GitHub App credentials avoids Terraform schema changes. - Added unit tests covering: - Refreshing logic (initial, expired, and error conditions) - Config behavior (anonymous and authenticated client behavior) - Error cases for missing App ID, installation ID, or PEM - No change to existing configuration schema or behavior for current users using PAT-based authentication. This upgrade enables more resilient GitHub App usage and prepares the provider for robust automation scenarios.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolves #977
Before the change?
After the change?
Pull request checklist
Does this introduce a breaking change?
Please see our docs on breaking changes to help!