lex-github 0.3.3 → 0.3.4
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/CLAUDE.md +50 -17
- data/lib/legion/extensions/github/helpers/client.rb +18 -0
- data/lib/legion/extensions/github/version.rb +1 -1
- metadata +1 -1
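--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 61ef9dc50273e5c0700962c3864a8d3ae24276621ed29215d35551f52fb4573d
+data.tar.gz: b5a4de4b921f743c86320e2c95c99c2773ebcf56b02df788cf2a62323929ae87
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c06065ce5d893b0a4008c7195155669985c3e44cb4b4eb8817c74e2faa99912fdbadb0a8b74fb49be445e95696293e750f0f945ab05576b08cc5d02ebaa645a9
+data.tar.gz: f3d6915a975c4b35c669b3cf0aaf0d9e443a6333136e019df460638574a7f58362904560cc6c366093a4c797ee2518d2c62f742fd9e2a339a5c194bd06c4b11d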
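--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 ## [Unreleased]
 
+## [0.3.4] - 2026-04-06
+
+### Added
+- `resolve_broker_app` to `CREDENTIAL_RESOLVERS` for Broker integration (Phase 8 Wave 3)
+- Stable `installation_id` fingerprint for consistent credential caching across GitHub App installations
+
 ## [0.3.3] - 2026-03-31
 
 ### Fixed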
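--- a/data/CLAUDE.md
+++ b/data/CLAUDE.md
@@ -6,11 +6,11 @@
 
 ## Purpose
 
-Legion Extension that connects LegionIO to GitHub. Provides runners for interacting with the GitHub REST API covering repositories, issues, pull requests, users, organizations, gists, search, labels, comments, commits, branches, file contents, GitHub App authentication, OAuth delegated auth, and
+Legion Extension that connects LegionIO to GitHub. Provides runners for interacting with the GitHub REST API covering repositories, issues, pull requests, users, organizations, gists, search, labels, comments, commits, branches, file contents, Actions workflows, checks, releases, deployments, repository webhooks, GitHub App authentication, OAuth delegated auth, and credential storage.
 
 **GitHub**: https://github.com/LegionIO/lex-github
 **License**: MIT
-**Version**: 0.3.
+**Version**: 0.3.3
 
 ## Architecture
 
@@ -28,21 +28,45 @@ Legion::Extensions::Github
 │ ├── Comments # CRUD issue/PR comments
 │ ├── Commits # List, get, compare commits
 │ ├── Branches # Create branches via Git Data API
-│
+│ ├── Contents # Commit multiple files via Git Data API
+│ ├── Actions # Workflows, runs, jobs, artifacts, logs
+│ ├── Checks # Check runs, check suites, annotations
+│ ├── Releases # CRUD releases, release assets
+│ ├── Deployments # CRUD deployments and deployment statuses
+│ ├── RepositoryWebhooks # CRUD repo webhooks, ping, test, deliveries
+│ └── Auth # Composite runner: delegates to App, CredentialStore, OAuth auth modules
 ├── App/
-│
-│
-│
-│
-│
+│ ├── Runners/
+│ │ ├── Auth # JWT generation, installation token exchange, list/get installations
+│ │ ├── Webhooks # HMAC signature verification, event parsing
+│ │ ├── Manifest # GitHub App manifest flow (generate, exchange code, manifest URL)
+│ │ ├── Installations # Full installation management (list repos, suspend, delete)
+│ │ └── CredentialStore # Store app credentials and OAuth tokens in Vault
+│ ├── Actors/
+│ │ ├── TokenRefresh # Periodic App installation token refresh
+│ │ └── WebhookPoller # Polls GitHub webhook deliveries
+│ └── Transport/ # AMQP transport (exchanges/queues/messages)
 ├── OAuth/
-│
-│
+│ ├── Runners/
+│ │ └── Auth # PKCE + Authorization Code, device code, refresh, revoke
+│ ├── Actors/
+│ │ └── TokenRefresh # Periodic OAuth delegated token refresh
+│ └── Transport/ # AMQP transport (exchanges/queues)
+├── Middleware/
+│ ├── RateLimit # Tracks rate-limit headers, skips exhausted credentials
+│ ├── ScopeProbe # Detects scope-denied 403s for specific owner/repo
+│ └── CredentialFallback # Triggers fallback to next credential source on auth failure
 ├── Helpers/
 │ ├── Client # 8-source scope-aware credential resolution chain + Faraday builder
 │ ├── Cache # Two-tier read-through/write-through API response caching
 │ ├── TokenCache # Token lifecycle management (store, fetch, expiry, rate limits)
-│
+│ ├── ScopeRegistry # Credential-to-scope authorization cache (org/repo level)
+│ ├── BrowserAuth # Delegated OAuth orchestrator (PKCE, headless detection, browser launch)
+│ └── CallbackServer # Ephemeral TCP server for OAuth redirect callback
+├── CLI/
+│ ├── Auth # `legion lex exec github auth login/status`
+│ ├── App # `legion lex exec github app setup/complete_setup`
+│ └── Runner # CLI dispatch registration
 └── Client # Standalone client class (includes all runners)
 ```
 
@@ -63,12 +87,16 @@ Rate-limited credentials are skipped. Scope-denied credentials (for a given owne
 
 | Gem | Purpose |
 |-----|---------|
-| `faraday` | HTTP client for GitHub REST API |
-| `jwt` (
+| `faraday` (>= 2.0) | HTTP client for GitHub REST API |
+| `jwt` (>= 2.7) | RS256 JWT generation for GitHub App authentication |
 | `base64` (>= 0.1) | PKCE code challenge computation |
-| `legion-cache` | Two-tier caching (global Redis + local in-memory) |
-| `legion-crypt` | Vault secret resolution for credentials |
-| `legion-
+| `legion-cache` (>= 1.3.11) | Two-tier caching (global Redis + local in-memory) |
+| `legion-crypt` (>= 1.4.9) | Vault secret resolution for credentials |
+| `legion-data` (>= 1.4.17) | Data persistence |
+| `legion-json` (>= 1.2.1) | JSON serialization |
+| `legion-logging` (>= 1.3.2) | Logging |
+| `legion-settings` (>= 1.3.14) | Settings-based credential resolution |
+| `legion-transport` (>= 1.3.9) | AMQP transport for actors |
 
 ## Key Files
 
@@ -80,15 +108,20 @@ Rate-limited credentials are skipped. Scope-denied credentials (for a given owne
 | `lib/legion/extensions/github/helpers/cache.rb` | Two-tier API response caching |
 | `lib/legion/extensions/github/helpers/token_cache.rb` | Token lifecycle + rate limit tracking |
 | `lib/legion/extensions/github/helpers/scope_registry.rb` | Credential-to-scope authorization cache |
+| `lib/legion/extensions/github/helpers/browser_auth.rb` | OAuth PKCE browser launch + headless detection |
+| `lib/legion/extensions/github/helpers/callback_server.rb` | Ephemeral TCP server for OAuth redirect |
 | `lib/legion/extensions/github/app/runners/auth.rb` | JWT generation, installation tokens |
 | `lib/legion/extensions/github/app/runners/webhooks.rb` | Webhook signature verification, event parsing |
 | `lib/legion/extensions/github/app/runners/manifest.rb` | GitHub App manifest registration flow |
 | `lib/legion/extensions/github/app/runners/installations.rb` | Installation management |
+| `lib/legion/extensions/github/app/runners/credential_store.rb` | Store app/OAuth credentials in Vault |
 | `lib/legion/extensions/github/oauth/runners/auth.rb` | OAuth PKCE, device code, token refresh/revoke |
+| `lib/legion/extensions/github/runners/auth.rb` | Composite auth runner (delegates to app + oauth + credential_store) |
+| `lib/lex/github.rb` | Redirect shim for `require 'lex/github'` |
 
 ## Testing
 
-
+234 specs across 38 spec files.
 
 ```bash
 bundle install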
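--- a/data/lib/legion/extensions/github/helpers/client.rb
+++ b/data/lib/legion/extensions/github/helpers/client.rb
@@ -15,6 +15,7 @@ module Legion
 
 CREDENTIAL_RESOLVERS = %i[
 resolve_vault_delegated resolve_settings_delegated
+resolve_broker_app
 resolve_vault_app resolve_settings_app
 resolve_vault_pat resolve_settings_pat
 resolve_gh_cli resolve_env
@@ -139,6 +140,23 @@ module Legion
 nil
 end
 
+def resolve_broker_app
+return nil unless defined?(Legion::Identity::Broker)
+
+token = Legion::Identity::Broker.token_for(:github)
+return nil unless token
+
+lease = Legion::Identity::Broker.lease_for(:github)
+installation_id = lease&.metadata&.dig(:installation_id) || 'unknown'
+fp = credential_fingerprint(auth_type: :app_installation,
+identifier: "broker_app_#{installation_id}")
+{ token: token, auth_type: :app_installation,
+metadata: { source: :broker, credential_type: :installation_token,
+credential_fingerprint: fp } }
+rescue StandardError => _e
+nil
+end
+
 def resolve_vault_app
 return nil unless defined?(Legion::Crypt)
 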
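Review bot: In `resolve_broker_app`, the `|| 'unknown'` fallback gives every broker token whose lease lacks `installation_id` metadata the same identifier, `broker_app_unknown`, so their fingerprints are identical. `credential_fingerprint` and its consumers are outside this hunk, but if the fingerprint keys the rate-limit and scope caches that CLAUDE.md describes, a scope or rate-limit decision recorded for one installation would presumably be applied to another. I would decline the credential rather than guess: `installation_id = lease&.metadata&.dig(:installation_id)` followed by `return nil unless installation_id`. Separately, `rescue StandardError => _e` returns nil without a trace, so a broker failure silently falls through to the next resolver in `CREDENTIAL_RESOLVERS`; logging the exception class there (never the token) would make that fallback auditable.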