actions / add-to-project

Automate adding issues and pull requests to GitHub projects


Authentication via GitHub Apps

aaronshurley opened this issue

I'm trying to set up automation for an organization project. Following this guidance, I would need to use a GitHub App for an organization project. Currently, this action's configuration requires a personal access token but I don't believe that will provide access to an organization project. Therefore, I'm requesting the capability of authenticating via a GitHub App.

Please let me know if I have any misunderstandings. Thanks!

I also want to know what minimal permissions and scope we add to a GitHub App.

@mattcosta7 running into this issue with a customer of mine. They're using a GitHub app to generate a token, but they're getting the following error when running this action:

Resource not accessible by integration

passing this on for triage

I would also like to implement this in this way.

👋 Thank you for reporting this issue! I wanted to post an update here to let you know that we are aware of this issue and have bumped it up in priority and are tracking it in our internal backlog. I'm sorry we don't have a resolution here yet (other than using a PAT), but we are looking into it, and we will post back when we have an update.

FWIW I'm using this successfully with GitHub Apps using https://github.com/vidavidorra/github-app-token with the following permissions. Example workflow: https://github.com/vidavidorra/roadmap/blob/main/.github/workflows/triage.yml.

Workflow code:
name: Add issue to project
on:
  issues:
    types: opened
jobs:
  add-issue-to-project:
    name: Add issue to project
    runs-on: ubuntu-latest
    steps:
      - name: Generate token
        id: generate_token
        uses: vidavidorra/github-app-token
        with:
          appId: ${{ secrets.TRIAGE_APP_ID }}
          privateKey: ${{ secrets.TRIAGE_PRIVATE_KEY }}
      - uses: actions/add-to-project@a9f041ddd462ed185893ea1024cec954f50dbe42 # renovate: tag=v0.3.0
        with:
          project-url: https://github.com/orgs/vidavidorra/projects/2
          github-token: ${{ steps.generate_token.outputs.token }}

I'm not sure what issues people are running into here. Similar to @jdbruijn, I was able to get this to work using tibdex/github-app-token, which is in the example docs: https://docs.github.com/en/issues/planning-and-tracking-with-projects/automating-your-project/automating-projects-using-actions#github-actions-workflows

Full workflow:

name: Add new issue/PR to project

on:
  issues:
    types:
      - opened

  pull_request_target:
    types:
      - opened

jobs:
  add-to-project:
    name: Add issue or PR to project
    runs-on: ubuntu-latest
    steps:
      - name: Generate token
        id: generate_token
        uses: tibdex/github-app-token@36464acb844fc53b9b8b2401da68844f6b05ebb0
        with:
          app_id: ${{ secrets.CCCL_AUTH_APP_ID }}
          private_key: ${{ secrets.CCCL_AUTH_APP_PEM }}
      - name: Add to Project
        env:
          TOKEN: ${{ steps.generate_token.outputs.token }}
        uses: actions/add-to-project@a9f041ddd462ed185893ea1024cec954f50dbe42
        with:
          project-url: https://github.com/orgs/NVIDIA/projects/6
          github-token: ${{ env.TOKEN }}

Thanks for your patience with us everyone. I've deployed a fix to the GraphQL API for Projects which should allow private projects to be visible to GitHub Apps where they have been granted read or write permissions to the organization.

I also want to know what minimal permissions and scope we add to a GitHub App.

@peaceiris The GitHub app will need read and write access to the organization to be able to add items to the project:

running into this issue with a customer of mine. They're using a GitHub app to generate a token, but they're getting the following error when running this action: Resource not accessible by integration

@ssulei7 I'd recommend checking they gave the application write access to the organization projects (and also ensured the installation was updated if they changed settings) as this sounds like the GraphQL endpoint being called by the action blocked the app from adding an item to the project.

I'll check back in after the weekend to see if anyone else is still encountering issues in this area.
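
Added example (not part of the thread or of the action's code): a check for the permission mismatch discussed above, run against the JSON body GitHub returns when an installation access token is created. The requirement (write on `organization_projects`) follows the maintainer's reply; the function name, the baseline allowance for `metadata`, and the sample response are constructed for illustration.

```python
import json

# Permission levels in increasing order of privilege.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Per the maintainer's reply: write access to organization projects.
REQUIRED = {"organization_projects": "write"}

# Assumption: "metadata" is treated as a baseline grant and not reported.
BASELINE = ("metadata",)

# Constructed sample of an installation-token response (token redacted).
SAMPLE_RESPONSE = json.dumps({
    "token": "<redacted>",
    "expires_at": "2023-01-05T15:00:00Z",
    "permissions": {
        "organization_projects": "read",
        "metadata": "read",
        "contents": "write",
    },
    "repository_selection": "all",
})


def audit_permissions(response_body, required=REQUIRED):
    """Compare the permissions in a token response with what is required.

    Returns a dict with:
      missing - required permissions that are absent or too low
      surplus - granted permissions the workflow does not need
      ok      - True when nothing required is missing
    """
    granted = json.loads(response_body).get("permissions", {})
    missing = {}
    for name, need in required.items():
        have = granted.get(name, "none")
        if LEVELS.get(have, 0) < LEVELS[need]:
            missing[name] = {"have": have, "need": need}
    surplus = {
        name: level
        for name, level in granted.items()
        if name not in required and name not in BASELINE
    }
    return {"missing": missing, "surplus": surplus, "ok": not missing}


if __name__ == "__main__":
    print(json.dumps(audit_permissions(SAMPLE_RESPONSE), indent=2))
```

A non-empty `missing` entry matches the situation in which the action reports `Resource not accessible by integration`; entries in `surplus` are grants that can be dropped from the App to keep it least-privilege.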

Hello! I was pointed here by support from a ticket. We are still encountering this issue when trying to send issues from a private repo to a private project. The GitHub App (which we're using to generate tokens) has been confirmed to have the correct permissions, but we're still getting the Resource not accessible by integration error.

If the required usage with org level projects is to use a GitHub app rather than a PAT, can the README please be updated with that info?

@jrhemstad I followed your workflow but I get "Error: Error: Failed to read private key"