Webhooks: trigger GitHub APIs using App Installation Tokens instead of PATs | Voters

Webhooks: trigger GitHub APIs using App Installation Tokens instead of PATs

closed

To be able to use the GitHub App mechanism to trigger API endpoints for the webhooks you need to be enable to store the GitHub App's certificate in the pactflow broker. 
Besides the certificate also the GitHub App's identifier / installation id needs to be stored.
Once the certificate is available, the following steps need to be consider for authentication:
1.
Generate and sign a JWT token using the app's private key:
https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app
This token is valid for maximum 10 minutes.
2.
Use the JWT token from step 1 and create an installation token:
https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation
$ curl -i -X POST -H "Authorization: Bearer YOUR_JWT" -H "Accept: application/vnd.github+json" https://api.github.com/app/installations/:installation_id/access_tokens
This Bearer Token is valid for 60 minutes
3.
Call the webhook/GitHub API with the Bearer Token from step 2.
Thanks

September 14, 2022

Yousaf Nabi

marked this post as

closed

Tracking via linked GitHub issue - https://github.com/pact-foundation/pact_broker/issues/690