github-org-manager 0.5.2__tar.gz → 0.5.4__tar.gz

{github_org_manager-0.5.2 → github_org_manager-0.5.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: github-org-manager
-Version: 0.5.2
+Version: 0.5.4
 Summary: Manage a GitHub Organization, its teams, repository permissions, and more
 Home-page: https://github.com/OpenRailAssociation/github-org-manager
 License: Apache-2.0
@@ -83,6 +83,20 @@ Inside [`config/example`](./config/example), you can find an example configurati
 
 You may also be interested in the [live configuration of the OpenRail Association's organization](https://github.com/OpenRailAssociation/openrail-org-config).
 
+### Authentication via token or app
+
+As this tool issues many API requests (both on REST and GraphQL API), authentication is highly recommended. This is supported via personal access tokens of a user (PAT) or a GitHub App which you can setup yourself.
+
+Access tokens and apps need the following permissions:
+* Repository permissions
+  * Administration: read and write
+  * Metadata: read
+* Organization permissions:
+  * Administration: read and write
+  * Members: read and write
+
+You can set the required secrets in `config/app.yaml` or via environment variables (`GITHUB_TOKEN` or `GITHUB_APP_ID` and `GITHUB_APP_PRIVATE_KEY`).
+
 ## Run the program
 
 You can execute the program using the command `gh-org-mgr`. `gh-org-mgr --help` shows all available arguments and options.

{github_org_manager-0.5.2 → github_org_manager-0.5.4}/README.md

@@ -54,6 +54,20 @@ Inside [`config/example`](./config/example), you can find an example configurati
 
 You may also be interested in the [live configuration of the OpenRail Association's organization](https://github.com/OpenRailAssociation/openrail-org-config).
 
+### Authentication via token or app
+
+As this tool issues many API requests (both on REST and GraphQL API), authentication is highly recommended. This is supported via personal access tokens of a user (PAT) or a GitHub App which you can setup yourself.
+
+Access tokens and apps need the following permissions:
+* Repository permissions
+  * Administration: read and write
+  * Metadata: read
+* Organization permissions:
+  * Administration: read and write
+  * Members: read and write
+
+You can set the required secrets in `config/app.yaml` or via environment variables (`GITHUB_TOKEN` or `GITHUB_APP_ID` and `GITHUB_APP_PRIVATE_KEY`).
+
 ## Run the program
 
 You can execute the program using the command `gh-org-mgr`. `gh-org-mgr --help` shows all available arguments and options.

{github_org_manager-0.5.2 → github_org_manager-0.5.4}/gh_org_mgr/_gh_api.py

@@ -13,20 +13,15 @@ import sys
 import requests
 
 
-def get_github_token(token: str = "") -> str:
-    """Get the GitHub token from config or environment, while environment overrides"""
-    if "GITHUB_TOKEN" in os.environ and os.environ["GITHUB_TOKEN"]:
-        logging.debug("GitHub Token taken from environment variable GITHUB_TOKEN")
-        token = os.environ["GITHUB_TOKEN"]
-    elif token:
-        logging.debug("GitHub Token taken from app configuration file")
-    else:
-        sys.exit(
-            "No token set for GitHub authentication! Set it in config/app_config.yaml "
-            "or via environment variable GITHUB_TOKEN"
-        )
-
-    return token
+def get_github_secrets_from_env(env_variable: str, secret: str | int) -> str:
+    """Get GitHub secrets from config or environment, while environment overrides"""
+    if env_variable in os.environ and os.environ[env_variable]:
+        logging.debug("GitHub secret taken from environment variable %s", env_variable)
+        secret = os.environ[env_variable]
+    elif secret:
+        logging.debug("GitHub secret taken from app configuration file")
+
+    return str(secret)
 
 
 # Function to execute GraphQL query
@@ -51,10 +46,12 @@ def run_graphql_query(query, variables, token):
         return json_return
 
     # Debug information in case of errors
-    print(
-        f"Query failed with HTTP error code '{request.status_code}' when running "
-        f"this query: {query}\n"
-        f"Return: {json_return}\n"
-        f"Headers: {request.headers}"
+    logging.error(
+        "Query failed with HTTP error code '%s' when running this query: %s\n"
+        "Return: %s\nHeaders: %s",
+        request.status_code,
+        query,
+        json_return,
+        request.headers,
     )
     sys.exit(1)

{github_org_manager-0.5.2 → github_org_manager-0.5.4}/gh_org_mgr/_gh_org.py

@@ -8,13 +8,19 @@ import logging
 import sys
 from dataclasses import asdict, dataclass, field
 
-from github import Github, GithubException, UnknownObjectException
+from github import (
+    Auth,
+    Github,
+    GithubException,
+    GithubIntegration,
+    UnknownObjectException,
+)
 from github.NamedUser import NamedUser
 from github.Organization import Organization
 from github.Repository import Repository
 from github.Team import Team
 
-from ._gh_api import get_github_token, run_graphql_query
+from ._gh_api import get_github_secrets_from_env, run_graphql_query
 
 
 @dataclass
@@ -24,6 +30,8 @@ class GHorg:  # pylint: disable=too-many-instance-attributes, too-many-lines
     gh: Github = None  # type: ignore
     org: Organization = None  # type: ignore
     gh_token: str = ""
+    gh_app_id: str | int = ""
+    gh_app_private_key: str = ""
     default_repository_permission: str = ""
     current_org_owners: list[NamedUser] = field(default_factory=list)
     configured_org_owners: list[str] = field(default_factory=list)
@@ -56,18 +64,39 @@ class GHorg:  # pylint: disable=too-many-instance-attributes, too-many-lines
         # supported, or multiple spaces etc.
         return team.replace(" ", "-")
 
-    def login(self, orgname: str, token: str) -> None:
-        """Login to GH, gather org data"""
-        self.gh_token = get_github_token(token)
-        self.gh = Github(self.gh_token)
-        logging.debug("Logged in as %s", self.gh.get_user().login)
+    def login(
+        self, orgname: str, token: str = "", app_id: str | int = "", app_private_key: str = ""
+    ) -> None:
+        """Login to GH via PAT or App, gather org data"""
+        # Get all login data from config and environment
+        self.gh_token = get_github_secrets_from_env(env_variable="GITHUB_TOKEN", secret=token)
+        self.gh_app_id = get_github_secrets_from_env(env_variable="GITHUB_APP_ID", secret=app_id)
+        self.gh_app_private_key = get_github_secrets_from_env(
+            env_variable="GITHUB_APP_PRIVATE_KEY", secret=app_private_key
+        )
+
+        # Decide how to login. If app set, prefer this
+        if self.gh_app_id and self.gh_app_private_key:
+            logging.debug("Logged in via app %s", self.gh_app_id)
+            auth = Auth.AppAuth(app_id=self.gh_app_id, private_key=self.gh_app_private_key)
+            app = GithubIntegration(auth=auth)
+            installation = app.get_installations()[0]
+            self.gh = installation.get_github_for_installation()
+        elif self.gh_token:
+            logging.debug("Logging in as user with PAT")
+            self.gh = Github(auth=Auth.Token(self.gh_token))
+            logging.debug("Logged in as %s", self.gh.get_user().login)
+        else:
+            logging.error("No GitHub token or App ID+private key provided")
+            sys.exit(1)
+
         self.org = self.gh.get_organization(orgname)
         logging.debug("Gathered data from organization '%s' (%s)", self.org.login, self.org.name)
 
     def ratelimit(self):
-        """Get current rate limit"""
+        """Print current rate limit"""
         core = self.gh.get_rate_limit().core
-        logging.debug(
+        logging.info(
             "Current rate limit: %s/%s (reset: %s)", core.remaining, core.limit, core.reset
         )
 
@@ -917,7 +946,7 @@ class GHorg:  # pylint: disable=too-many-instance-attributes, too-many-lines
         permissions using the GraphQL API"""
         # TODO: Consider doing this for all repositories at once, but calculate
         # costs beforehand
-        query = """
+        graphql_query = """
             query($owner: String!, $name: String!, $cursor: String) {
                 repository(owner: $owner, name: $name) {
                     collaborators(first: 100, after: $cursor) {
@@ -944,7 +973,7 @@ class GHorg:  # pylint: disable=too-many-instance-attributes, too-many-lines
 
         while has_next_page:
             logging.debug("Requesting collaborators for %s", repo.name)
-            result = run_graphql_query(query, variables, self.gh_token)
+            result = run_graphql_query(graphql_query, variables, self.gh_token)
             try:
                 collaborators.extend(result["data"]["repository"]["collaborators"]["edges"])
                 has_next_page = result["data"]["repository"]["collaborators"]["pageInfo"][

{github_org_manager-0.5.2 → github_org_manager-0.5.4}/gh_org_mgr/manage.py

@@ -112,7 +112,12 @@ def main():
         )
 
         # Login to GitHub with token, get GitHub organisation
-        org.login(cfg_org.get("org_name", ""), cfg_app.get("github_token", ""))
+        org.login(
+            orgname=cfg_org.get("org_name", ""),
+            token=cfg_app.get("github_token", ""),
+            app_id=cfg_app.get("github_app_id", ""),
+            app_private_key=cfg_app.get("github_app_private_key", ""),
+        )
         # Get current rate limit
         org.ratelimit()
 

{github_org_manager-0.5.2 → github_org_manager-0.5.4}/pyproject.toml

@@ -4,7 +4,7 @@
 
 [tool.poetry]
 name = "github-org-manager"
-version = "0.5.2"
+version = "0.5.4"
 description = "Manage a GitHub Organization, its teams, repository permissions, and more"
 authors = ["Max Mehl <max.mehl@deutschebahn.com>"]
 readme = "README.md"