GitHub App integration
To make changes in GitHub repositories programmatically, our software needs access to private GitHub repositories. The "correct" way to do this is by using a "GitHub App".
A GitHub App is basically an OAuth client (with a client ID and secret/private key) that can be used to authenticate to GitHub. The app can then be "installed" into a GitHub organization and granted the proper permissions. Advantages of using a GitHub App are:
- No long-lived credentials like a GitHub personal access token
- No need for a 'machine' GitHub user to create tokens, taking up an extra license
- Granular access to repos and restricted permissions (least privilege)
We use a GitHub App in Admin and Onboarding. Both need to create and update files in the 'deepdesk-config' repository when deploying accounts and configuration. Both apps use a client ID and private key to authenticate as the app and then create a short-lived access token to perform GitHub API calls.
For an example of how this works in Python, see:
https://medium.com/@gilharomri/github-app-bot-with-python-ea38811d7b14
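The two-step flow described above, as an added example that is not taken from Admin or Onboarding: sign a short-lived RS256 JWT as the app, then build the request that trades it for an installation token narrowed to one repository. Assumptions: the function names, the placeholder client ID, the `contents: write` permission, and a constructed demo key that exists only so the block runs offline (real code loads the app's PEM private key with a JWT library).

```python
import base64, hashlib, json, time
import urllib.request

# Constructed demo key (product of two Mersenne primes) so the example runs
# offline. NOT secure and not a real app key; in production, sign with the
# app's own RSA private key, loaded from its PEM file by a JWT library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def pkcs1_encode(message: bytes, size: int) -> int:
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(message)
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (size - len(t) - 3) + b"\x00" + t, "big")

def app_jwt(client_id: str, now: int, ttl: int = 540) -> str:
    """RS256 JWT that authenticates as the app itself (step 1)."""
    if ttl > 600:
        raise ValueError("GitHub rejects app JWTs valid for more than 10 minutes")
    claims = {"iss": client_id, "iat": now - 60, "exp": now + ttl}  # iat backdated for clock drift
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    size = (N.bit_length() + 7) // 8
    sig = pow(pkcs1_encode(signing_input.encode(), size), D, N)
    return signing_input + "." + b64url(sig.to_bytes(size, "big"))

def token_request(jwt: str, installation_id: int, repo: str, permissions: dict):
    """Build (not send) the request that trades the JWT for an installation token (step 2)."""
    body = {"repositories": [repo], "permissions": permissions}  # narrows the token further
    return urllib.request.Request(
        f"https://api.github.com/app/installations/{installation_id}/access_tokens",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {jwt}", "Accept": "application/vnd.github+json"})

if __name__ == "__main__":
    jwt = app_jwt("Iv1.EXAMPLECLIENTID", int(time.time()))  # placeholder client ID
    req = token_request(jwt, 54493506, "deepdesk-config", {"contents": "write"})
    print(req.full_url, req.data.decode())
```

The installation token returned by this call expires after one hour, and the `repositories` and `permissions` fields can only narrow what the installation was already granted, never widen it.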
Access and Configuration
To configure the permissions the app has, GitHub has a nice configuration page.
https://github.com/organizations/Deepdesk/settings/installations/54493506
Here you can add repos that the app needs access to, and configure the permissions it will have on those repos.