feat: add GitHub code repository provider (GitHub App auth)#5
Open
fedemaleh wants to merge 7 commits into
Conversation
Summary
Adds a GitHub code repository provider (`scripts/code-repo/github/`), functionally equivalent to the JS `github_provider.js` it replaces. Selected with `CODE_REPOSITORY_PROVIDER=github`. Implements the code-repo interface-by-convention entirely in bash.

Auth: GitHub App (not PAT)

Chosen because it is org-owned (not tied to a person) and needs no manual rotation — an installation token is minted per run from the App's private key and expires on its own (~1h).

`build_context` signs an RS256 JWT with `openssl`, exchanges it for an installation token (one `curl`), exports `GH_TOKEN`, and every other call uses the `gh` CLI (auto-installed via `mise` if absent).

Scripts

| Script | Behaviour |
| --- | --- |
| `build_context` | `gh` (mise) → RS256 JWT (openssl) → installation token → export `GH_TOKEN` |
| `validate_repository_does_not_exist` | `gh api /repos/...` existence check vs create/import strategy |
| `create_repository` | `gh api POST /repos/{tpl}/generate` (import → skip) |
| `add_collaborators` | `collaborators/{u}`; teams → `orgs/{org}/teams/{t}/repos/...` (non-fatal per item) |
| `create_secrets` | `gh secret set` (libsodium encryption handled by gh); fatal on failure (matches JS) |
| `run_first_build` | `enableContinuousIntegration`: skip `dynamic/`, cancel in-progress + bounded wait, re-run in-progress/failed, tolerate "cannot be retried" |

Config (env vars only)

`GITHUB_APP_ID`, `GITHUB_PRIVATE_KEY` (PEM), `GITHUB_INSTALLATION_ID`, `GITHUB_ACCOUNT`. GitHub.com only. Agent needs `gh`/`openssl`/`curl`; the App needs repo administration, contents, secrets, and actions permissions.

Also included

`find "$SCRIPT_DIRS"` (quoted), so a space-separated `entrypoint scripts` was treated as one path and matched nothing. Split into one job per dir (`shellcheck-entrypoint`/`shellcheck-scripts`). `.gitignore`: ignore `.claude` and `.env`.

Accepted deviation from the JS

`run_first_build` aborts on the first non-tolerated re-run error (`exit 1`) rather than aggregating all failures like the JS `Promise.allSettled`. Equivalent for success and abort-on-failure; multi-failure logging is not replicated (not reasonable in a sourced bash loop).

Test plan

`CODE_REPOSITORY_PROVIDER=github` + the 4 App env vars; create an application with a GitHub template → repo generated private under `GITHUB_ACCOUNT`, `NP_API_KEY` secret set, collaborators added, CI triggered.

Notes

`return` (skip) vs `exit 1` (abort), and `create_secrets`/`run_first_build` use here-strings so `exit 1` actually aborts. `bash -n` and ShellCheck severity=error locally.
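The token-minting flow the description attributes to `build_context` (RS256 JWT via `openssl`, one `curl` to exchange it, export `GH_TOKEN`), written out as an added example. This is not the PR's code; the function names, the `GITHUB_API_URL` override, the `jwt_payload`/`verify_app_jwt` helpers and the generated test key are assumptions made for illustration. Only the four `GITHUB_*` variables follow the description. The verification helper reproduces locally the signature check GitHub performs on the JWT, so the signing path can be exercised offline; the exchange itself needs the network and only runs when the App variables are set.

```bash
#!/usr/bin/env bash
# Added example (not the PR's build_context): mint a GitHub App JWT with openssl,
# exchange it for an installation token, export GH_TOKEN.
# Function names and GITHUB_API_URL are illustrative assumptions; the four
# GITHUB_* variables follow the PR description.
set -eu

# base64url without padding (RFC 7515 section 2), built from openssl + tr.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Inverse of b64url: restore the standard alphabet and '=' padding, then decode.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
  printf '%s' "$s" | openssl base64 -d -A
}

# mint_app_jwt APP_ID PRIVATE_KEY_PATH [NOW]
# RS256 JWT as GitHub requires: iat backdated 60 s for clock skew, exp at most
# 10 minutes ahead, iss = App ID. NOW is injectable so the output is deterministic.
mint_app_jwt() {
  local app_id="$1" key_path="$2" now="${3:-$(date +%s)}"
  local header payload sig
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' \
    "$((now - 60))" "$((now + 600))" "$app_id" | b64url)
  # The signature covers the ASCII "header.payload" exactly as transmitted.
  sig=$(printf '%s' "${header}.${payload}" | openssl dgst -sha256 -sign "$key_path" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# jwt_payload JWT: the decoded claims JSON (for inspection and tests).
jwt_payload() {
  local p="${1#*.}"
  b64url_decode "${p%.*}"
}

# verify_app_jwt JWT PUBLIC_KEY_PATH: the check GitHub performs server-side,
# reproduced locally with the App's public key. Returns 0 on a valid signature.
verify_app_jwt() {
  local jwt="$1" pub_path="$2" sig_file
  sig_file=$(mktemp)
  b64url_decode "${jwt##*.}" > "$sig_file"
  if printf '%s' "${jwt%.*}" | openssl dgst -sha256 -verify "$pub_path" -signature "$sig_file" >/dev/null 2>&1; then
    rm -f "$sig_file"; return 0
  fi
  rm -f "$sig_file"; return 1
}

# get_installation_token JWT INSTALLATION_ID: the one network call. curl -f turns
# an HTTP error into a non-zero exit; the returned token carries only the
# installation's permissions and expires on its own (~1 h). Not run offline.
get_installation_token() {
  local jwt="$1" inst_id="$2" api="${GITHUB_API_URL:-https://api.github.com}" resp
  resp=$(curl -fsS -X POST \
    -H "Authorization: Bearer ${jwt}" \
    -H "Accept: application/vnd.github+json" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    "${api}/app/installations/${inst_id}/access_tokens")
  printf '%s\n' "$resp" | sed -n 's/.*"token": *"\([^"]*\)".*/\1/p'
}

# Top level: only runs when the App env vars are present, so the file can be
# sourced in a job without them. The PEM goes to a 0600 temp file because
# openssl -sign takes a path (never a command-line argument), and is removed
# as soon as the token is in hand. Never echo GH_TOKEN.
if [ -n "${GITHUB_APP_ID:-}" ] && [ -n "${GITHUB_PRIVATE_KEY:-}" ] && [ -n "${GITHUB_INSTALLATION_ID:-}" ]; then
  key_file=$(mktemp)
  chmod 600 "$key_file"
  printf '%s\n' "$GITHUB_PRIVATE_KEY" > "$key_file"
  GH_TOKEN=$(get_installation_token "$(mint_app_jwt "$GITHUB_APP_ID" "$key_file")" "$GITHUB_INSTALLATION_ID")
  export GH_TOKEN
  rm -f "$key_file"
  [ -n "$GH_TOKEN" ] || { echo "no token in access_tokens response" >&2; exit 1; }
fi
```

Two points worth keeping in mind when reviewing a provider like this: the JWT is only the App's proof of identity and is useless to `gh` on its own, so anything logged should be at most the installation ID, never the exchanged token; and the 10 minute `exp` ceiling means the JWT must be minted at the moment of exchange, which is why the description mints per run rather than caching.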