Merge pull request #8 from sagikazarmark/githubapp

Add support for installation tokens issued using GitHub Apps

Author: stoader

README.md

@@ -25,6 +25,7 @@ This library provides a unified interface for obtaining and refreshing credentia
     * [OAuth2 Authorization Code](#oauth2-authorization-code-flow-provider)
     * [OAuth2 Client Credentials](#oauth2-client-credentials-flow-provider)
     * [Vault Provider](#vault-credentials-provider)
+    * [GitHub App Provider](#github-app-credentials-provider)
 * [Channel Behavior](#channel-behavior)
 * [License](#license)
 * [Contributing](#contributing)
@@ -42,6 +43,7 @@ This library provides a unified interface for obtaining and refreshing credentia
 - **OAuth2AC:** Obtains access tokens through OAuth2 authorization code flow and refreshes them before expiration
 - **OAuth2CC:** Obtains access tokens through OAuth2 client credentials flow and refreshes them before expiration
 - **Vault** Exchanges ID tokens for secrets from Vault using Vault's JWT authentication.
+- **GitHub App:** Mints GitHub App installation access tokens by signing a JWT with the App's private key and refreshes them before expiration.
 
 ## Installation
 
@@ -744,6 +746,54 @@ go func() {
 // wg.Wait()
 ```
 
+### GitHub App Credentials Provider
+
+```go
+import (
+    "os"
+
+    "github.com/google/go-github/v66/github"
+
+    "go.riptides.io/tokenex/pkg/credential"
+    "go.riptides.io/tokenex/pkg/githubapp"
+)
+
+// Source the App's private key however you like (env var shown; could be a file,
+// k8s secret, Vault, etc.) and parse it once.
+key, err := githubapp.ParsePrivateKey([]byte(os.Getenv("GITHUB_APP_PRIVATE_KEY")))
+if err != nil {
+    log.Fatalf("parse private key: %v", err)
+}
+
+provider, err := githubapp.NewCredentialsProvider(ctx, logr.Discard())
+if err != nil {
+    log.Fatalf("new provider: %v", err)
+}
+
+credCh, err := provider.GetCredentials(ctx,
+    githubapp.WithAppID(123456),
+    githubapp.WithInstallationID(7890123),
+    githubapp.WithPrivateKey(key),
+    // Optional: scope the token to specific repos / permissions.
+    // githubapp.WithRepositories([]string{"repo-a"}),
+    // githubapp.WithPermissions(&github.InstallationPermissions{Contents: github.String("read")}),
+    // Optional: GitHub Enterprise Server.
+    // githubapp.WithBaseURL("https://github.example.com/api/v3"),
+)
+if err != nil {
+    log.Fatalf("get credentials: %v", err)
+}
+
+for cred := range credCh {
+    if cred.Err != nil {
+        log.Printf("github app token error: %v", cred.Err)
+        break
+    }
+    tok := cred.Credential.(*credential.Token)
+    log.Printf("got installation token, expires %s", tok.ExpiresAt)
+}
+```
+
 ## Channel Behavior
 
 All credential providers in this library follow a consistent pattern for credential delivery:

go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sts v1.34.0
 	github.com/go-logr/logr v1.4.3
 	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/google/go-github/v66 v66.0.0
 	github.com/openbao/openbao/api/auth/jwt/v2 v2.5.0
 	github.com/openbao/openbao/api/v2 v2.5.0
 	github.com/werbenhu/eventbus v1.0.8
@@ -57,6 +58,7 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect