Github
GitHub App Authentication Documentation
1. Register a GitHub App
To create a GitHub app, follow the instructions provided by GitHub:
- Visit: Registering a GitHub App
- Procedure:
  - Fill in the necessary details for your app.
  - Note the `App ID` provided after registration.
  - At the bottom of the registration page, click on `Generate a private key`. Download and securely store this key.
2. Store the Private Key
After generating your private key, you need to store it securely. If you are using Kubernetes, you can store it as a secret:
kubectl create secret generic github-app-pem --from-file=key=path/to/your/private-key.pem
3. Set Permissions for the GitHub App
Configure the necessary permissions for your GitHub app depending on what actions it needs to perform:
- Visit: Choosing Permissions for a GitHub App
- Example:
  - For managing OCI images, set read and write permissions for packages.
4. Install Your GitHub App
Install the GitHub app on your repository or organization to start using it:
5. Obtain an Installation ID
After installation, you need to get the installation ID to authenticate API requests:
- Visit: Generating an Installation Access Token for a GitHub App
- Procedure:
  - Find the installation ID from the URL or API response.
Example Kubernetes Manifest for GitHub Access Token Generator
# 1. Register a GitHub App: https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app#registering-a-github-app
# `App ID: 123456` will be displayed after you create the app. At the bottom of the page, you'll find the `Generate a private key` button.
# 2. Get the private key ( https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps#generating-private-keys ) and put it in a k8s secret, e.g. `github-app-pem`
# 3. Set permissions for the app, e.g. if you want to push OCI images to ghr, set RW for packages: https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/choosing-permissions-for-a-github-app#choosing-permissions-for-rest-api-access
# 4. Install your GitHub App: https://docs.github.com/en/apps/using-github-apps/installing-your-own-github-app
# 5. Get `installID`: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app#generating-an-installation-access-token (2)
---
apiVersion: generators.external-secrets.io/v1alpha1
kind: GithubAccessToken
metadata:
  name: github-auth-token
spec:
  appID: "0000000" # (1)
  installID: "00000000" # (5)
  url: "" # (Default https://api.github.com.)
  auth:
    privateKey:
      secretRef:
        name: github-app-pem # (2)
        key: key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: github-auth-token
spec:
  refreshInterval: "30m"
  target:
    name: github-auth-token # Name for the secret to be created on the cluster
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: GithubAccessToken
          name: github-auth-token
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: github-auth-template
spec:
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: GithubAccessToken
          name: github-auth-token
  refreshInterval: "15m"
  target:
    template:
      metadata:
        annotations:
          tekton.dev/git-0: "https://github.com"
      type: kubernetes.io/basic-auth
      engineVersion: v2
      data:
        username: "token"
        password: "{{ .token }}"
    name: github-auth-template
Notes
- Ensure that all sensitive data such as private keys and IDs are securely handled and stored.
- Adjust the permissions and configurations according to your specific requirements and security policies.
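An added example (not part of the original page or of External Secrets Operator) that checks the two settings the manifests and notes above leave to the operator: that `refreshInterval` is shorter than the token's lifetime, and that the granted permissions do not exceed what step 3 calls for. The sample response, the `ALLOWED` baseline and the function names are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the JSON body returned when an installation access
# token is created; the token value is a placeholder, not a real credential.
SAMPLE_RESPONSE = {
    "token": "ghs_PLACEHOLDER",
    "expires_at": "2024-01-01T13:00:00Z",
    "permissions": {"metadata": "read", "packages": "write", "contents": "write"},
}

# Assumed least-privilege baseline for the OCI image use case in step 3.
ALLOWED = {"metadata": "read", "packages": "write"}
LEVELS = {"read": 1, "write": 2, "admin": 3}
UNITS = {"h": 3600, "m": 60, "s": 1}


def parse_interval(text):
    """Parse a refreshInterval such as "30m" or "1h30m" into a timedelta."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=sum(int(n) * UNITS[u] for n, u in parts))


def audit(response, refresh_interval, issued_at, allowed=ALLOWED):
    """Return findings for a token response and an ExternalSecret refreshInterval."""
    findings = []
    expires = datetime.strptime(response["expires_at"], "%Y-%m-%dT%H:%M:%SZ")
    lifetime = expires.replace(tzinfo=timezone.utc) - issued_at
    # The synced Secret keeps the old token until the next refresh, so an
    # interval at or beyond the lifetime leaves consumers with an expired token.
    if parse_interval(refresh_interval) >= lifetime:
        findings.append(f"refreshInterval {refresh_interval} >= token lifetime {lifetime}")
    # Flag any scope that is absent from the baseline or granted at a higher level.
    for scope, level in sorted(response.get("permissions", {}).items()):
        if LEVELS.get(level, 99) > LEVELS.get(allowed.get(scope), 0):
            findings.append(f"excess permission {scope}:{level}")
    return findings


if __name__ == "__main__":
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed issue time
    for interval in ("30m", "15m", "90m"):  # the page's two values plus a bad one
        print(interval, audit(SAMPLE_RESPONSE, interval, issued))
```

Installation access tokens expire after one hour, so both intervals used in the manifests above pass the lifetime check; the constructed `contents: write` grant is what the permission check reports.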