Canarys | IT Services

Blogs

Authenticating as a GitHub App in a GitHub Actions workflow

Share

GitHub Apps:

GitHub Apps are first-class actors within GitHub. A GitHub App acts on its own behalf, taking actions via the API directly using its own identity, which means you don’t need to maintain a bot or service account as a separate user. If you don’t need to perform actions on behalf of a user, a GitHub Apps might be the right choice for you. You can create and register a GitHub App under your personal account or under any organization you have administrative access.

Steps to create a GitHub Application:

  1. Navigate to the setting page, expand the Developer settings generally, in GitHub we can see two types to create an application GitHub Apps and OAuth apps, Make sure that you’re on the GitHub Apps page click on the New GitHub App.
  2. An application can be owned by an individual user account, or an organization. If you’re using this for work, I’d recommend creating the application under your org.
  3. Provide The GitHub App name and description as per your understanding.
  4. You’ll also need to provide a homepage URL, but this isn’t used by a call back workflow at all, so put in any URL you like.
  5. You don’t need to provide a Call-back URL or Setup URL, and you’ll want to make sure that webhooks are deactivated.
  6. Repository permissions, Organization permissions and/or User permissions should be set to allow the access required for the token that will be issued.
  7. Once Create your application and save your App ID and Private Key in a safe place as you’ll need them both in the configuration. You’ll also need to install it on your account or organization before using it to create authentication tokens.

          App-1

Authentication:

Once you have the GitHub Application created, you will need to install the application on the target organization level or repositories level that you want it to have access to. These will be any repositories that you want to gather information from or want the application to modify as per the scopes that were defined when the application was installed. To use the below workflow action you’ll need to create two secrets in your repository level or organization level APPLICATION_ID and APPLICATION_PRIVATE_KEY using the details you saved when creating an application.

          App-2

Add the below jobs in your workflow:

        App-3

Benefits of using GitHub Application:

  • Regarding security, they give you the time-limited tokens and granular privileges that GITHUB TOKEN gives, as well as the ability to avoid rotating credentials and more.
  • Application tokens are valid for a very short amount of time. By Using the above action, the token is valid for 60 seconds from the moment it’s created. This means that even if it’s leaked by an action, it will be useless almost immediately.
  • There’s no shared account for people to log in to, as this is an application and not an account

Limitations:

  • The user must be an organization owner to create and install a GitHub app in an organization.
  • Each organization can only own up to 100 GitHub Apps.

Conclusion:

Generate credentials with a GitHub App, you can perform actions as a user and mainly It solves the main problems with GITHUB_TOKEN like triggering new workflow runs, posting as an identity other than github [bot] without any of the issues that a PAT introduces.

Reference action repository url : https://github.com/ramesh2051/workflow-application-token-action

Leave a Reply

Your email address will not be published. Required fields are marked *

Reach Us

With Canarys,
Let’s Plan. Grow. Strive. Succeed.