github-authentication 1.1.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 232b7d332cfdf5a3b6ec3e6854b13203dcc204c4f242d730ea2a8510bb25164a
-  data.tar.gz: 8715cff617884f40643eb2569704bca0ad3ce306277d0298806e550889d63b3f
+  metadata.gz: 516354d28c957aa1fe159319fe2c6ae1db1dbc50e3493a14b364f6c08526fc5a
+  data.tar.gz: 77810176f1496cef5171bbc279e0545d3a8624b268ef07f27a0ab3468a833d8f
 SHA512:
-  metadata.gz: ab1d75961e37a620932f1cefe273c00bd95e96332368a13268b868114649d1d8b96c4133770adb898c4a2c1a3502d7c16fab3e840671cc7f90064d89ce6835c1
-  data.tar.gz: 8ab8c0af8067b378f0a981173ff3e5ea53728c65cf6264a8ebeecd6fe8c30d75b739d89ec9aed893c292950bdc414ac2be46fe065eac48c722dbbbce98329f36
+  metadata.gz: 4bfaf85cdcb8a3c4c98369cea4ddb1bbea55a9ce1b4099529dbc898b2da80d158d8b82fc456088ad49575b4fe7c5183c3969fb5fbc40ad734e01a23af9f0ea6e
+  data.tar.gz: 87be1a5c672e5a02f55bb2665464e9df08efe1d1c79af56d2f0ef3d230229552af4770f0576a3ff9f3732a16de0e84be4b74b7c048212a72df66c00872f3a2ee

data/.github/workflows/tests.yml

@@ -14,7 +14,6 @@ jobs:
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '2.7'
           bundler-cache: true
 
       - name: Lint Ruby
@@ -27,7 +26,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby: [ '2.7', '3.0', '3.1', '3.2' ]
+        ruby: [ '3.2', '3.3', '3.4', '3.5', '4.0' ]
     steps:
       - uses: actions/checkout@v4
 
@@ -41,6 +40,7 @@ jobs:
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true
+          bundler: latest
 
       - name: Run Ruby tests
         run: |

data/.rubocop.yml

@@ -2,7 +2,6 @@ inherit_gem:
   rubocop-shopify: rubocop.yml
 
 AllCops:
-  TargetRubyVersion: 2.7
   CacheRootDirectory: tmp/rubocop-cache
   UseCache: true
 

data/.ruby-version

@@ -0,0 +1 @@
+4.0.1

data/CHANGELOG.md

@@ -0,0 +1,11 @@
+### Next
+
+...
+
+### 1.3.0
+- Add `GithubAuthentication.provider(org:, env:)` as a high-level entrypoint for Ruby code that needs GitHub App tokens without manually wiring up Environment, Generator, Cache, and Provider
+- Simplify `GitCredentialHelper` to accept a `provider` directly
+- Update test runners to test against more recent Ruby versions
+
+### 1.2.0
+- Support multi-org credentials (https://github.com/Shopify/github-authentication/pull/34)

data/Gemfile.lock

@@ -1,82 +1,96 @@
 PATH
   remote: .
   specs:
-    github-authentication (1.1.0)
+    github-authentication (1.3.0)
       jwt (~> 2.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.1.2)
+    activesupport (8.1.2)
       base64
       bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+      concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      json
+      logger (>= 1.4.2)
       minitest (>= 5.1)
-      mutex_m
-      tzinfo (~> 2.0)
-    addressable (2.8.5)
-      public_suffix (>= 2.0.2, < 6.0)
-    ast (2.4.2)
-    base64 (0.2.0)
-    bigdecimal (3.1.4)
-    concurrent-ruby (1.2.2)
-    connection_pool (2.4.1)
-    crack (0.4.5)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
+    addressable (2.8.8)
+      public_suffix (>= 2.0.2, < 8.0)
+    ast (2.4.3)
+    base64 (0.3.0)
+    bigdecimal (4.0.1)
+    concurrent-ruby (1.3.6)
+    connection_pool (3.0.2)
+    crack (1.0.1)
+      bigdecimal
       rexml
-    drb (2.2.0)
-      ruby2_keywords
-    hashdiff (1.0.1)
-    i18n (1.14.1)
+    drb (2.2.3)
+    hashdiff (1.2.1)
+    i18n (1.14.8)
       concurrent-ruby (~> 1.0)
-    json (2.6.3)
-    jwt (2.7.1)
-    language_server-protocol (3.17.0.3)
-    minitest (5.20.0)
-    mocha (2.1.0)
+    json (2.18.1)
+    jwt (2.10.2)
+      base64
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    logger (1.7.0)
+    minitest (5.27.0)
+    mocha (2.8.2)
       ruby2_keywords (>= 0.0.5)
-    mutex_m (0.2.0)
-    parallel (1.23.0)
-    parser (3.2.2.4)
+    parallel (1.27.0)
+    parser (3.3.10.1)
       ast (~> 2.4.1)
       racc
-    public_suffix (5.0.4)
-    racc (1.7.3)
+    prism (1.9.0)
+    public_suffix (7.0.2)
+    racc (1.8.1)
     rainbow (3.1.1)
-    rake (13.1.0)
-    regexp_parser (2.8.2)
-    rexml (3.2.6)
-    rubocop (1.57.2)
+    rake (13.3.1)
+    regexp_parser (2.11.3)
+    rexml (3.4.4)
+    rubocop (1.84.2)
       json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
-      parser (>= 3.2.2.4)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.28.1, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.30.0)
-      parser (>= 3.2.1.0)
-    rubocop-shopify (2.14.0)
-      rubocop (~> 1.51)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.49.0)
+      parser (>= 3.3.7.2)
+      prism (~> 1.7)
+    rubocop-shopify (2.18.0)
+      rubocop (~> 1.62)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
-    timecop (0.9.8)
+    securerandom (0.4.1)
+    timecop (0.9.10)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.5.0)
-    vcr (6.2.0)
-    webmock (3.19.1)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
+    uri (1.1.1)
+    vcr (6.4.0)
+    webmock (3.26.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
 
 PLATFORMS
+  arm64-darwin-21
   arm64-darwin-22
+  arm64-darwin-23
+  arm64-darwin-24
   x86_64-linux
 
 DEPENDENCIES
@@ -91,4 +105,4 @@ DEPENDENCIES
   webmock (~> 3.8)
 
 BUNDLED WITH
-   2.4.21
+   2.3.8

data/README.md

@@ -22,32 +22,43 @@ Or install it yourself as:
 
 ## Usage
 
+The simplest way to get a GitHub App token is via `GithubAuthentication.provider`, which reads credentials from environment variables, handles JWT generation, token exchange, and caching:
+
 ```ruby
 require 'github-authentication'
 
-cache = GithubAuthentication::Cache.new(storage: GithubAuthentication::ObjectCache.new)
-generator = GithubAuthentication::Generator::App.new(pem: ENV['GITHUB_PEM'],
-                                          installation_id: ENV['GITHUB_INSTALLATION_ID'],
-                                          app_id: ENV['GITHUB_APP_ID'])
-provider = GithubAuthentication::Provider.new(generator: generator, cache: cache)
-
-provider.token
-provider.reset_token
+provider = GithubAuthentication.provider(org: "myorg")
+provider.token # => returns a cached or freshly generated token
 ```
 
-### Cache
+This expects the following environment variables to be set (optionally prefixed with the org name):
 
-The cache takes a storage argument. You can pass an instance of an `ActiveSupport::Cache` implementation or use the provided 
-`GithubAuthentication::ObjectCache` if you are using it in a script.
+- `GITHUB_APP_ID` (or `MYORG_GITHUB_APP_ID`)
+- `GITHUB_APP_INSTALLATION_ID` (or `MYORG_GITHUB_APP_INSTALLATION_ID`)
+- `GITHUB_APP_KEYFILE` (or `MYORG_GITHUB_APP_KEYFILE`)
 
-### Generator::App
+If `GITHUB_APP_CREDENTIAL_STORAGE_PATH` is set, tokens are cached to disk via `ActiveSupport::Cache::FileStore`. Otherwise an in-memory cache is used.
 
-Generates a token for a GitHub app.
+### Using with Octokit
 
 ```ruby
-GithubAuthentication::Generator::App.new(pem: ENV['GITHUB_PEM'],
+provider = GithubAuthentication.provider(org: "myorg")
+client = Octokit::Client.new(access_token: provider.token.to_s)
+```
+
+### Building a provider manually
+
+If you need more control over the cache or generator, you can wire up the components yourself:
+
+```ruby
+cache = GithubAuthentication::Cache.new(storage: GithubAuthentication::ObjectCache.new)
+generator = GithubAuthentication::Generator::App.new(pem: ENV['GITHUB_PEM'],
                                           installation_id: ENV['GITHUB_INSTALLATION_ID'],
                                           app_id: ENV['GITHUB_APP_ID'])
+provider = GithubAuthentication::Provider.new(generator: generator, cache: cache)
+
+provider.token
+provider.reset_token
 ```
 
 ### Generator::Personal
@@ -57,45 +68,6 @@ Mostly for testing purposes you can provide a github token that gets retrieved.
 GithubAuthentication::Generator::Personal.new(github_token: ENV['GITHUB_TOKEN'])
 ```
 
-## Example
-
-```ruby
-
-require "base64"
-
-module GitHub
-  APP_ID = "<APP_ID>"
-  INSTALLATION_ID = "<INSTALLATION_ID>"
-
-  class << self
-    def token
-      @token_provider ||= begin
-        if ENV['GITHUB_TOKEN']
-          storage = GithubAuthentication::ObjectCache.new
-          generator = GithubAuthentication::Generator::Personal.new(github_token: ENV['GITHUB_TOKEN'])
-        else
-          storage = ActiveSupport::Cache::RedisCacheStore.new
-          pem = Base64.decode64(ENV['GITHUB_PEM'])
-          generator = GithubAuthentication::Generator::App.new(pem: pem, installation_id: INSTALLATION_ID,
-                                                                 app_id: APP_ID)
-        end
-        cache = GithubAuthentication::Cache.new(storage: storage)
-        GithubAuthentication::Provider.new(generator: generator, cache: cache)
-      end
-      @token_provider.token
-    end
-
-    def client
-      if ENV['GITHUB_TOKEN']
-        Octokit::Client.new(access_token: token.to_s)
-      else
-        Octokit::Client.new(bearer_token: token.to_s)
-      end
-    end
-  end
-end
-```
-
 ## Git credential helper
 
 This gem also ships with a [git credential helper][0] to authenticate git

data/exe/git-credential-github-app

@@ -14,11 +14,13 @@ end
 
 case ARGV[0]
 when "get"
+  description = $stdin.each_line.map { |line| line.split("=", 2).map(&:strip) }.to_h
+  org = description.fetch("path", "").split("/").first
+  provider = GithubAuthentication.provider(org: org)
+
   exit_status = GithubAuthentication::GitCredentialHelper.new(
-    pem: File.read(ENV.fetch("GITHUB_APP_KEYFILE")),
-    app_id: ENV.fetch("GITHUB_APP_ID"),
-    installation_id: ENV.fetch("GITHUB_APP_INSTALLATION_ID"),
-    storage: ActiveSupport::Cache::FileStore.new(ENV.fetch("GITHUB_APP_CREDENTIAL_STORAGE_PATH")),
+    provider: provider,
+    description: description,
   ).handle_get
   exit(exit_status)
 when "store"

data/github-authentication.gemspec

@@ -37,6 +37,8 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency("jwt", "~> 2.2")
 
+  spec.required_ruby_version = ">= 2.7.0"
+
   spec.add_development_dependency("activesupport")
   spec.add_development_dependency("minitest", "~> 5.0")
   spec.add_development_dependency("mocha", "~> 2")

data/lib/github_authentication/environment.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/object/blank.rb"
+
+module GithubAuthentication
+  class Environment
+    def initialize(org:, env: ENV)
+      @org = org.presence
+      @env = env
+    end
+
+    def pem
+      File.read(resolve("GITHUB_APP_KEYFILE"))
+    end
+
+    def app_id
+      resolve("GITHUB_APP_ID")
+    end
+
+    def installation_id
+      resolve("GITHUB_APP_INSTALLATION_ID")
+    end
+
+    def storage
+      ActiveSupport::Cache::FileStore.new(resolve("GITHUB_APP_CREDENTIAL_STORAGE_PATH"))
+    end
+
+    private
+
+    def resolve(suffix)
+      if @org
+        @env["#{@org.upcase}_#{suffix}"] || @env.fetch(suffix)
+      else
+        @env.fetch(suffix)
+      end
+    end
+  end
+end

data/lib/github_authentication/git_credential_helper.rb

@@ -2,23 +2,18 @@
 
 module GithubAuthentication
   class GitCredentialHelper
-    def initialize(pem:, installation_id:, app_id:, storage: nil, stdin: $stdin)
-      @pem = pem
-      @installation_id = installation_id
-      @app_id = app_id
-      @storage = storage
-      @stdin = stdin
+    def initialize(provider:, description:)
+      @provider = provider
+      @description = description
     end
 
     def handle_get
-      description = parse_stdin
-
-      unless description["protocol"] == "https" && description["host"] == "github.com"
-        warn("Unsupported description: #{description}")
+      unless @description["protocol"] == "https" && @description["host"] == "github.com"
+        warn("Unsupported description: #{@description}")
         return 2
       end
 
-      token = provider.token(seconds_ttl: min_cache_ttl)
+      token = @provider.token(seconds_ttl: min_cache_ttl)
       puts("password=#{token}")
       puts("username=api")
 
@@ -31,26 +26,5 @@ module GithubAuthentication
       # Tokens are valid for 60 minutes, allow a 10 minute buffer
       10 * 60
     end
-
-    def parse_stdin
-      # Credential description is written to STDIN in line delimited key=value form,
-      # see https://git-scm.com/docs/git-credential#IOFMT
-      @stdin.each_line.map { |line| line.split("=", 2).map(&:strip) }.to_h
-    end
-
-    def provider
-      @provider ||= Provider.new(
-        generator: generator,
-        cache: Cache.new(storage: @storage || ObjectCache.new),
-      )
-    end
-
-    def generator
-      @generator ||= Generator::App.new(
-        pem: @pem,
-        app_id: @app_id,
-        installation_id: @installation_id,
-      )
-    end
   end
 end

data/lib/github_authentication/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module GithubAuthentication
-  VERSION = "1.1.0"
+  VERSION = "1.3.0"
 end

data/lib/github_authentication.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "github_authentication/version"
+require "github_authentication/environment"
 require "github_authentication/generator"
 require "github_authentication/provider"
 require "github_authentication/cache"
@@ -8,4 +9,21 @@ require "github_authentication/object_cache"
 require "github_authentication/git_credential_helper"
 
 module GithubAuthentication
+  class << self
+    def provider(org:, env: ENV)
+      ga_env = Environment.new(org: org, env: env)
+      generator = Generator::App.new(
+        pem: ga_env.pem,
+        installation_id: ga_env.installation_id,
+        app_id: ga_env.app_id,
+      )
+      storage = begin
+        ga_env.storage
+      rescue KeyError
+        ObjectCache.new
+      end
+      cache = Cache.new(storage: storage, key: org)
+      Provider.new(generator: generator, cache: cache)
+    end
+  end
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: github-authentication
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Frederik Dudzik
-autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-11-20 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -147,6 +146,8 @@ files:
 - ".github/workflows/tests.yml"
 - ".gitignore"
 - ".rubocop.yml"
+- ".ruby-version"
+- CHANGELOG.md
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -162,6 +163,7 @@ files:
 - lib/github-authentication.rb
 - lib/github_authentication.rb
 - lib/github_authentication/cache.rb
+- lib/github_authentication/environment.rb
 - lib/github_authentication/generator.rb
 - lib/github_authentication/generator/app.rb
 - lib/github_authentication/generator/personal.rb
@@ -179,7 +181,6 @@ metadata:
   homepage_uri: https://github.com/Shopify/github-authentication
   source_code_uri: https://github.com/Shopify/github-authentication
   allowed_push_host: https://rubygems.org
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -187,15 +188,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.21
-signing_key: 
+rubygems_version: 4.0.6
 specification_version: 4
 summary: GitHub Authetication
 test_files: []