github-authentication 1.2.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fc7a5e8c75f0a6c1eff271d772031e5d18850dd6bb7d2387908d5186558e1396
-  data.tar.gz: fdd8a299c44fa0d0a4336af31d0568ab0b6f9d71111fa0fa3a3157b04a9356c7
+  metadata.gz: 516354d28c957aa1fe159319fe2c6ae1db1dbc50e3493a14b364f6c08526fc5a
+  data.tar.gz: 77810176f1496cef5171bbc279e0545d3a8624b268ef07f27a0ab3468a833d8f
 SHA512:
-  metadata.gz: cef00e4c97906f4e6a988ec830ed5462a3f146365b2abebdd0284fee99e243c5ca5db618642eb7fffb004d24080fce2294a2875043fbe947d01c70a751177466
-  data.tar.gz: 4fe79c4825cb493039a315aaeda5f982616bee4b411909d931ef7e20938a55b5b0f1b5ea99781b02e2c1f17cba6ae4af950659a73e8b2661f15fc087a0c459f5
+  metadata.gz: 4bfaf85cdcb8a3c4c98369cea4ddb1bbea55a9ce1b4099529dbc898b2da80d158d8b82fc456088ad49575b4fe7c5183c3969fb5fbc40ad734e01a23af9f0ea6e
+  data.tar.gz: 87be1a5c672e5a02f55bb2665464e9df08efe1d1c79af56d2f0ef3d230229552af4770f0576a3ff9f3732a16de0e84be4b74b7c048212a72df66c00872f3a2ee

data/.github/workflows/tests.yml

@@ -26,7 +26,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby: [ '2.7', '3.0', '3.1', '3.2', '3.3' ]
+        ruby: [ '3.2', '3.3', '3.4', '3.5', '4.0' ]
     steps:
       - uses: actions/checkout@v4
 

data/.ruby-version

@@ -1 +1 @@
-3.3.0
+4.0.1

data/CHANGELOG.md

@@ -2,5 +2,10 @@
 
 ...
 
+### 1.3.0
+- Add `GithubAuthentication.provider(org:, env:)` as a high-level entrypoint for Ruby code that needs GitHub App tokens without manually wiring up Environment, Generator, Cache, and Provider
+- Simplify `GitCredentialHelper` to accept a `provider` directly
+- Update test runners to test against more recent Ruby versions
+
 ### 1.2.0
 - Support multi-org credentials (https://github.com/Shopify/github-authentication/pull/34)

data/Gemfile.lock

@@ -1,76 +1,87 @@
 PATH
   remote: .
   specs:
-    github-authentication (1.2.0)
+    github-authentication (1.3.0)
       jwt (~> 2.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.1.2)
+    activesupport (8.1.2)
       base64
       bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+      concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      json
+      logger (>= 1.4.2)
       minitest (>= 5.1)
-      mutex_m
-      tzinfo (~> 2.0)
-    addressable (2.8.5)
-      public_suffix (>= 2.0.2, < 6.0)
-    ast (2.4.2)
-    base64 (0.2.0)
-    bigdecimal (3.1.4)
-    concurrent-ruby (1.2.2)
-    connection_pool (2.4.1)
-    crack (0.4.5)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
+    addressable (2.8.8)
+      public_suffix (>= 2.0.2, < 8.0)
+    ast (2.4.3)
+    base64 (0.3.0)
+    bigdecimal (4.0.1)
+    concurrent-ruby (1.3.6)
+    connection_pool (3.0.2)
+    crack (1.0.1)
+      bigdecimal
       rexml
-    drb (2.2.0)
-      ruby2_keywords
-    hashdiff (1.0.1)
-    i18n (1.14.1)
+    drb (2.2.3)
+    hashdiff (1.2.1)
+    i18n (1.14.8)
       concurrent-ruby (~> 1.0)
-    json (2.7.1)
-    jwt (2.7.1)
-    language_server-protocol (3.17.0.3)
-    minitest (5.20.0)
-    mocha (2.1.0)
+    json (2.18.1)
+    jwt (2.10.2)
+      base64
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    logger (1.7.0)
+    minitest (5.27.0)
+    mocha (2.8.2)
       ruby2_keywords (>= 0.0.5)
-    mutex_m (0.2.0)
-    parallel (1.24.0)
-    parser (3.3.0.5)
+    parallel (1.27.0)
+    parser (3.3.10.1)
       ast (~> 2.4.1)
       racc
-    public_suffix (5.0.4)
-    racc (1.7.3)
+    prism (1.9.0)
+    public_suffix (7.0.2)
+    racc (1.8.1)
     rainbow (3.1.1)
-    rake (13.1.0)
-    regexp_parser (2.9.0)
-    rexml (3.2.6)
-    rubocop (1.62.1)
+    rake (13.3.1)
+    regexp_parser (2.11.3)
+    rexml (3.4.4)
+    rubocop (1.84.2)
       json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.31.2)
-      parser (>= 3.3.0.4)
-    rubocop-shopify (2.14.0)
-      rubocop (~> 1.51)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.49.0)
+      parser (>= 3.3.7.2)
+      prism (~> 1.7)
+    rubocop-shopify (2.18.0)
+      rubocop (~> 1.62)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
-    timecop (0.9.8)
+    securerandom (0.4.1)
+    timecop (0.9.10)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.5.0)
-    vcr (6.2.0)
-    webmock (3.19.1)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
+    uri (1.1.1)
+    vcr (6.4.0)
+    webmock (3.26.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -79,6 +90,7 @@ PLATFORMS
   arm64-darwin-21
   arm64-darwin-22
   arm64-darwin-23
+  arm64-darwin-24
   x86_64-linux
 
 DEPENDENCIES

data/README.md

@@ -22,32 +22,43 @@ Or install it yourself as:
 
 ## Usage
 
+The simplest way to get a GitHub App token is via `GithubAuthentication.provider`, which reads credentials from environment variables, handles JWT generation, token exchange, and caching:
+
 ```ruby
 require 'github-authentication'
 
-cache = GithubAuthentication::Cache.new(storage: GithubAuthentication::ObjectCache.new)
-generator = GithubAuthentication::Generator::App.new(pem: ENV['GITHUB_PEM'],
-                                          installation_id: ENV['GITHUB_INSTALLATION_ID'],
-                                          app_id: ENV['GITHUB_APP_ID'])
-provider = GithubAuthentication::Provider.new(generator: generator, cache: cache)
-
-provider.token
-provider.reset_token
+provider = GithubAuthentication.provider(org: "myorg")
+provider.token # => returns a cached or freshly generated token
 ```
 
-### Cache
+This expects the following environment variables to be set (optionally prefixed with the org name):
 
-The cache takes a storage argument. You can pass an instance of an `ActiveSupport::Cache` implementation or use the provided 
-`GithubAuthentication::ObjectCache` if you are using it in a script.
+- `GITHUB_APP_ID` (or `MYORG_GITHUB_APP_ID`)
+- `GITHUB_APP_INSTALLATION_ID` (or `MYORG_GITHUB_APP_INSTALLATION_ID`)
+- `GITHUB_APP_KEYFILE` (or `MYORG_GITHUB_APP_KEYFILE`)
 
-### Generator::App
+If `GITHUB_APP_CREDENTIAL_STORAGE_PATH` is set, tokens are cached to disk via `ActiveSupport::Cache::FileStore`. Otherwise an in-memory cache is used.
 
-Generates a token for a GitHub app.
+### Using with Octokit
 
 ```ruby
-GithubAuthentication::Generator::App.new(pem: ENV['GITHUB_PEM'],
+provider = GithubAuthentication.provider(org: "myorg")
+client = Octokit::Client.new(access_token: provider.token.to_s)
+```
+
+### Building a provider manually
+
+If you need more control over the cache or generator, you can wire up the components yourself:
+
+```ruby
+cache = GithubAuthentication::Cache.new(storage: GithubAuthentication::ObjectCache.new)
+generator = GithubAuthentication::Generator::App.new(pem: ENV['GITHUB_PEM'],
                                           installation_id: ENV['GITHUB_INSTALLATION_ID'],
                                           app_id: ENV['GITHUB_APP_ID'])
+provider = GithubAuthentication::Provider.new(generator: generator, cache: cache)
+
+provider.token
+provider.reset_token
 ```
 
 ### Generator::Personal
@@ -57,45 +68,6 @@ Mostly for testing purposes you can provide a github token that gets retrieved.
 GithubAuthentication::Generator::Personal.new(github_token: ENV['GITHUB_TOKEN'])
 ```
 
-## Example
-
-```ruby
-
-require "base64"
-
-module GitHub
-  APP_ID = "<APP_ID>"
-  INSTALLATION_ID = "<INSTALLATION_ID>"
-
-  class << self
-    def token
-      @token_provider ||= begin
-        if ENV['GITHUB_TOKEN']
-          storage = GithubAuthentication::ObjectCache.new
-          generator = GithubAuthentication::Generator::Personal.new(github_token: ENV['GITHUB_TOKEN'])
-        else
-          storage = ActiveSupport::Cache::RedisCacheStore.new
-          pem = Base64.decode64(ENV['GITHUB_PEM'])
-          generator = GithubAuthentication::Generator::App.new(pem: pem, installation_id: INSTALLATION_ID,
-                                                                 app_id: APP_ID)
-        end
-        cache = GithubAuthentication::Cache.new(storage: storage)
-        GithubAuthentication::Provider.new(generator: generator, cache: cache)
-      end
-      @token_provider.token
-    end
-
-    def client
-      if ENV['GITHUB_TOKEN']
-        Octokit::Client.new(access_token: token.to_s)
-      else
-        Octokit::Client.new(bearer_token: token.to_s)
-      end
-    end
-  end
-end
-```
-
 ## Git credential helper
 
 This gem also ships with a [git credential helper][0] to authenticate git

data/exe/git-credential-github-app

@@ -16,13 +16,10 @@ case ARGV[0]
 when "get"
   description = $stdin.each_line.map { |line| line.split("=", 2).map(&:strip) }.to_h
   org = description.fetch("path", "").split("/").first
-  environment = GithubAuthentication::Environment.new(org: org)
+  provider = GithubAuthentication.provider(org: org)
 
   exit_status = GithubAuthentication::GitCredentialHelper.new(
-    pem: environment.pem,
-    app_id: environment.app_id,
-    installation_id: environment.installation_id,
-    storage: environment.storage,
+    provider: provider,
     description: description,
   ).handle_get
   exit(exit_status)

data/lib/github_authentication/git_credential_helper.rb

@@ -2,12 +2,9 @@
 
 module GithubAuthentication
   class GitCredentialHelper
-    def initialize(pem:, installation_id:, app_id:, description:, storage: nil)
-      @pem = pem
-      @installation_id = installation_id
-      @app_id = app_id
+    def initialize(provider:, description:)
+      @provider = provider
       @description = description
-      @storage = storage
     end
 
     def handle_get
@@ -16,7 +13,7 @@ module GithubAuthentication
         return 2
       end
 
-      token = provider.token(seconds_ttl: min_cache_ttl)
+      token = @provider.token(seconds_ttl: min_cache_ttl)
       puts("password=#{token}")
       puts("username=api")
 
@@ -29,20 +26,5 @@ module GithubAuthentication
       # Tokens are valid for 60 minutes, allow a 10 minute buffer
       10 * 60
     end
-
-    def provider
-      @provider ||= Provider.new(
-        generator: generator,
-        cache: Cache.new(storage: @storage || ObjectCache.new),
-      )
-    end
-
-    def generator
-      @generator ||= Generator::App.new(
-        pem: @pem,
-        app_id: @app_id,
-        installation_id: @installation_id,
-      )
-    end
   end
 end

data/lib/github_authentication/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module GithubAuthentication
-  VERSION = "1.2.0"
+  VERSION = "1.3.0"
 end

data/lib/github_authentication.rb

@@ -9,4 +9,21 @@ require "github_authentication/object_cache"
 require "github_authentication/git_credential_helper"
 
 module GithubAuthentication
+  class << self
+    def provider(org:, env: ENV)
+      ga_env = Environment.new(org: org, env: env)
+      generator = Generator::App.new(
+        pem: ga_env.pem,
+        installation_id: ga_env.installation_id,
+        app_id: ga_env.app_id,
+      )
+      storage = begin
+        ga_env.storage
+      rescue KeyError
+        ObjectCache.new
+      end
+      cache = Cache.new(storage: storage, key: org)
+      Provider.new(generator: generator, cache: cache)
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: github-authentication
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Frederik Dudzik
@@ -195,7 +195,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.7.1
+rubygems_version: 4.0.6
 specification_version: 4
 summary: GitHub Authetication
 test_files: []