Draft
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds GitHub App–based authentication (in addition to PATs) to the charm and the embedded github-runner-manager, including Juju secret handling for the App private key and corresponding docs/tests.
Changes:
- Introduces
GitHubTokenAuth/GitHubAppAuthmodels and migratesGitHubConfigurationfromtokentoauth. - Extends charm config/state translation to validate mutually exclusive PAT vs App auth and fetch the App private key from a Juju secret.
- Updates unit/integration tests, documentation, changelog, and CI to cover GitHub App auth.
Reviewed changes
Copilot reviewed 28 out of 28 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/unit/test_factories.py | Updates factory tests to use GitHubConfiguration(auth=...) and adds coverage for selecting auth model. |
| tests/unit/test_charm_state.py | Adds unit tests for PAT-only, App-only, partial App config, and invalid combinations. |
| tests/unit/test_charm.py | Expands config-changed flush/no-flush tests to include new GitHub App config options. |
| tests/unit/factories.py | Adds default values for new GitHub App config options in test factories. |
| tests/unit/conftest.py | Extends the complete_charm_state fixture with new auth-related fields. |
| src/factories.py | Plumbs auth selection into application configuration creation (GitHubConfiguration.auth). |
| src/charm_state.py | Implements PAT/App auth validation and secret lookup for the GitHub App private key; exposes GithubConfig.auth. |
| src/charm.py | Tracks new GitHub App config values in stored state and triggers flush on changes. |
| github-runner-manager/tox.ini | Allows passing GitHub App credential env vars into tox integration runs. |
| github-runner-manager/tests/unit/test_github_client.py | Updates client tests for new constructor and validates PyGithub auth initialization calls. |
| github-runner-manager/tests/unit/test_config.py | Updates config YAML shape and adds validation tests for auth models. |
| github-runner-manager/tests/unit/platform/test_github_provider.py | Ensures platform build uses GitHubConfiguration.auth to construct GithubClient. |
| github-runner-manager/tests/unit/platform/test_factory.py | Updates platform factory test to use GitHubConfiguration(auth=...). |
| github-runner-manager/tests/integration/test_github_app_auth.py | Adds integration test exercising JIT token retrieval via GitHub App auth. |
| github-runner-manager/tests/integration/factories.py | Updates integration config factory to emit github_config.auth.token structure. |
| github-runner-manager/tests/conftest.py | Adds pytest CLI options/env defaults for GitHub App integration credentials. |
| github-runner-manager/src/github_runner_manager/platform/github_provider.py | Switches platform build to pass github_configuration.auth into GithubClient. |
| github-runner-manager/src/github_runner_manager/github_client.py | Refactors GithubClient to accept GitHubAuth and build PyGithub auth accordingly. |
| github-runner-manager/src/github_runner_manager/configuration/github.py | Adds auth model types and replaces GitHubConfiguration.token with auth. |
| github-runner-manager/src/github_runner_manager/configuration/init.py | Exports new GitHub auth models/types from the configuration package. |
| github-runner-manager/pyproject.toml | Bumps github-runner-manager version to 0.18.0. |
| docs/reference/token-scopes.md | Documents GitHub App authentication and required permissions alongside PAT scopes. |
| docs/reference/charm-architecture.md | Updates architecture docs to reflect PAT or GitHub App credentials. |
| docs/how-to/change-token.md | Updates how-to to cover switching/rotating GitHub App auth as well as PATs. |
| docs/explanation/security.md | Updates security guidance to prefer GitHub App auth and Juju secret storage. |
| docs/changelog.md | Adds a user-facing changelog entry for GitHub App auth support. |
| charmcraft.yaml | Adds new charm config options for GitHub App auth and tidies whitespace. |
| .github/workflows/test_github_runner_manager.yaml | Adds the new GitHub App auth integration test module to the workflow matrix and passes additional secrets. |
github-runner-manager/src/github_runner_manager/github_client.py
Outdated
Show resolved
Hide resolved
# Conflicts: # github-runner-manager/pyproject.toml # src/manager_service.py
| unit_dir.mkdir(parents=True, exist_ok=True) | ||
| path = unit_dir / "config.yaml" | ||
| with open(path, "w+", encoding="utf-8") as file: | ||
| fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600) |
There was a problem hiding this comment.
os.open(..., 0o600) only applies the 0600 mode when the file is created; if config.yaml already exists (e.g., from a previous revision) with broader permissions, this will truncate it but keep the old mode, potentially leaving GitHub credentials readable by other users. Consider explicitly enforcing permissions after opening/writing (e.g., os.fchmod(fd, 0o600) or path.chmod(0o600)) so the file is always 0600.
Suggested change
| fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600) | |
| fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600) | |
| os.fchmod(fd, 0o600) |
| ## Changing the token | ||
| ## GitHub app authentication | ||
|
|
||
| Create a [GitHub App](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app) with the required permissions and install it on the target organisation or repository. |
There was a problem hiding this comment.
US English spelling: “organisation” should be “organization”.
Suggested change
| Create a [GitHub App](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app) with the required permissions and install it on the target organisation or repository. | |
| Create a [GitHub App](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app) with the required permissions and install it on the target organization or repository. |
| This approach ensures that all code from external contributors is reviewed by trusted users before execution on self-hosted runners. | ||
|
|
||
| ## Permission for GitHub app or personal access token | ||
| ## Permissions for GitHub app or personal access token |
There was a problem hiding this comment.
Capitalize the GitHub product name consistently: “GitHub app” should be “GitHub App”.
Suggested change
| ## Permissions for GitHub app or personal access token | |
| ## Permissions for GitHub App or personal access token |
| [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens). | ||
|
|
||
| ## Fine grained access token scopes | ||
| ## GitHub app authentication |
There was a problem hiding this comment.
Capitalize the GitHub product name consistently in headings: “GitHub app authentication” should be “GitHub App authentication”.
Suggested change
| ## GitHub app authentication | |
| ## GitHub App authentication |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Applicable spec:
Overview
Add GitHub App authentication
Rationale
Juju Events Changes
Module Changes
Library Changes
Checklist
urgent,trivial,complex).github-runner-manager/pyproject.toml.