v2 version of action - githubofkrishnadhas/github-access-using-githubapp (#6)

* DEVOPS-265 update python image from 3.10 to 3.11

* DEVOPS-265 incorporated new variables to action workfow updated

* DEVOPS-265 Updated entrypoint script to pass new vars to python

* DEVOPS-265 updated readme

* DEVOPS-265 generate jwt and access token updated py filr

* DEVOPS-265 added codeql and dependabot for action repo

* DEVOPS-265 fix python env issue

* generate token fix

* generate token fix

* generate token fix

* generate token fix and entry point eval

* remove commented items

* adding token to github output to be used as   steps.app-token.outputs.token

* slight modification on output token

* token name issue fixed

* githubapp installation token set to GITHUB_OUTPUT instead of GITHUB_ENV allowing multiple token generations

* Updated README.md DEVOPS-265

Author: githubofkrishnadhas

.github/dependabot.yml

@@ -0,0 +1,25 @@
+version: 2
+updates:
+- package-ecosystem: "pip"
+  directory: /
+  schedule:
+    interval: weekly
+  # Assignees to set on pull requests
+  assignees:
+  - "githubofkrishnadhas"
+  # prefix specifies a prefix for all commit messages. When you specify a prefix for commit messages,
+  # GitHub will automatically add a colon between the defined prefix and the commit message provided the
+  # defined prefix ends with a letter, number, closing parenthesis, or closing bracket.
+  commit-message:
+    prefix: "dependabot python package"
+  # Raise pull requests for version updates to pip against the `main` branch
+  target-branch: "main"
+  # Labels on pull requests for version updates only
+  labels:
+  - "pip dependencies"
+  # Increase the version requirements for Composer only when required
+  versioning-strategy: increase-if-necessary
+  # Dependabot opens a maximum of five pull requests for version updates. Once there are five open pull requests from Dependabot,
+  # Dependabot will not open any new requests until some of those open requests are merged or closed.
+  # Use open-pull-requests-limit to change this limit.
+  open-pull-requests-limit: 10

Dockerfile

@@ -1,5 +1,5 @@
 # Container image that runs your code
-FROM python:3.10-slim-bullseye
+FROM python:3.11-slim-bullseye
 
 WORKDIR /app
 # Copies your code file from your action repository to the filesystem path `/` of the container

README.md

@@ -1,47 +1,144 @@
 # github-access-using-githubapp
-github-access-using-githubapp
 
 Once your GitHub App is installed on an account, you can make it authenticate as an app installation for API requests.
 This allows the app to access resources owned by that installation, as long as the app was granted the necessary repository access and permissions.
 API requests made by an app installation are attributed to the app.
 
-:pushpin:  This action will help in creating github app installation token for both **user accounts** and **Github organizations**
+:pushpin:  This action will help in creating GitHub app installation token for both **user accounts** and **Github organizations**
+
+> [!IMPORTANT]  
+> An installation access token expires after 1 hour. Please find suitable alternative approaches if you have long-running processes..
 
 # Parameters of action
-| Parameter name | Description | Required           |
-|----------------|-------------|--------------------|
-| github_app_private_key | Github App Private key | :heavy_check_mark: |
-| github_app_id | Your GitHub App ID | :heavy_check_mark: |
-| github_account_type | Github account whether `user` account or `organization` | :heavy_check_mark: |
+| Parameter name | Description                                                                                                    | Required          |
+|----------------|----------------------------------------------------------------------------------------------------------------|-------------------|
+| github_app_private_key | Github App Private key                                                                                         | :heavy_check_mark: |
+| github_app_id | Your GitHub App ID                                                                                             | :heavy_check_mark: |
+| owner | Github account owner name. if not specified takes owner of current repository where action is ran              | ❌ |
+| repositories | List of github repositores to generte token for. if not specified takes current repository where action is ran. | ❌ |
+
+* Store your `Github App Id` and `Github App Private key` as github secret and pass the secret names as inputs for action.
 
-* Store your `Github App Id` and `Github App Private key` as github secret and pass the secret names as inuts for action.
+* ❌ 👉 Means optional values
+
+> [!NOTE]  
+> If the owner is set but repositories are empty, access will include all repositories for that owner.
+> If both the owner and repositories are empty, access will be limited to the current repository.
 
 # What's New
 
 Please refer to the [release](https://github.com/githubofkrishnadhas/github-access-using-githubapp/releases) page for the latest release notes.
 
-# Usage
+# Usage 
 ```commandline
-- uses: githubofkrishnadhas/github-access-using-githubapp@v1
+- uses: githubofkrishnadhas/github-access-using-githubapp@v2
+  id: token-generation
   with:
     # Your GitHub App ID - interger value
     github_app_id: 1234567
 
-    # Github App Private key 
+    # GitHub App Private key 
     github_app_private_key : ''
 
-    # Gituhb account type `user` or `organization` only
-    github_account_type: ''
+    # GitHub account Owner name - Optional
+    owner: ''
+    
+    # GitHub repositories names seperated by comma if more than 1 - optional
+    repositories: ''
 ```
 
 # output
 
-The token generated will be available as a Environment variable `GH_APP_TOKEN` which can be used while running api calls
+* The token generated will be available as a ${{ steps.token-generation.outputs.token }}  which can be used in later stages as required
+
+# Example usages
+
+## Create a token for the current repository
+
+```commandline
+uses: githubofkrishnadhas/github-access-using-githubapp@v2
+  id: token-generation
+  with:
+    github_app_id: ${{ secrets.APP_ID }}
+    github_app_private_key : ${{ secrets.PRIVATE_KEY }}
+```
+* To create a Token in the scope of current repository where action is run, you do not need to specify `owner` or `repositores` 
+* Assuming both GitHub App ID and Private key are present as github secrets with names `APP_ID` and `PRIVATE_KEY`
+* You can substitute your secrets names with above
+* The token generated will be available as a ${{ steps.token-generation.outputs.token }}  which can be used in later stages as required
+
+
+## Create a token for the current user or organization level
+
+```commandline
+uses: githubofkrishnadhas/github-access-using-githubapp@v2
+  id: token-generation
+  with:
+    github_app_id: ${{ secrets.APP_ID }}
+    github_app_private_key : ${{ secrets.PRIVATE_KEY }}
+    owner: 'github'
+```
+* To create a Token in the scope of current user or organization where your Github app has access, you need only to specify `owner`
+* Assuming both GitHub App ID and Private key are present as github secrets with names `APP_ID` and `PRIVATE_KEY`
+* You can substitute your secrets names with above
+* The token generated will be available as a ${{ steps.token-generation.outputs.token }}  which can be used in later stages as required
+
+
+## Create a token for a differnt user or organization scoped to specific repos
+
+```commandline
+uses: githubofkrishnadhas/github-access-using-githubapp@v2
+  id: token-generation
+  with:
+    github_app_id: ${{ secrets.APP_ID }}
+    github_app_private_key : ${{ secrets.PRIVATE_KEY }}
+    owner: 'github'
+    repositories: 'test1,test2,test3'
+```
+* To create a Token in the scope of provided repositories and owner where your Github app has access you need only to specify `owner` and `repositories`
+* The above will generate token which are scoped to repositores named `test1, test2, test3` on `github` org
+* Assuming both GitHub App ID and Private key are present as github secrets with names `APP_ID` and `PRIVATE_KEY`
+* You can substitute your secrets names with above
+* The token generated will be available as a ${{ steps.token-generation.outputs.token }}  which can be used in later stages as required
+
+
+## Using the token generated with other actions
+
+```commandline
+name: Clone Repository
+
+on:
+  workflow_dispatch:
+
+jobs:
+  clone:
+    runs-on: ubuntu-latest
+
+    steps:
+
+    - name: Token generator
+      uses: githubofkrishnadhas/github-access-using-githubapp@v2
+      id: token-generation
+      with:
+        github_app_id: ${{ secrets.APP_ID }}
+        github_app_private_key : ${{ secrets.PRIVATE_KEY }}
+
+    - name: Checkout Repository
+      uses: actions/checkout@v4
+      with:
+        repository: 'devwithkrishna/azure-terraform-modules'
+        token: ${{ steps.token-generation.outputs.token }}
+        fetch-depth: 1
+```
+* The above workflow generates a github app installation access token using the action - `githubofkrishnadhas/github-access-using-githubapp@v2`
+* The token generated will be available as a ${{ steps.token-generation.outputs.token }}  which can be used in later stages as shown above
+* The workflow is to clone a repository named `azure-terraform-modules` inside `devwithkrishna` organization
+
 
 # References
 
-[generating-an-installation-access-token](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app#generating-an-installation-access-token)
-[get-a-user-installation-for-the-authenticated-app](https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app)
-[get-a-repository-installation-for-the-authenticated-app](https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app)
+* [generating-an-installation-access-token](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app#generating-an-installation-access-token)
+* [get-a-user-installation-for-the-authenticated-app](https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app)
+* [get-a-repository-installation-for-the-authenticated-app](https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app)
 
 All the above API's uses [JWT](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app#authenticating-as-a-github-app) as access token.

action.yml

@@ -10,12 +10,19 @@ inputs:
     required: true
   github_app_private_key:
     description: "Github App private key"
-  github_account_type:
-    description: "Github account user or organization"
+    required: true
+  owner:
+    description: "The owner of the GitHub App installation. If empty, defaults to the current repository owner"
+    required: false
+  repositories:
+    description: "Comma-separated list of repositories to grant access to"
+    required: false
+
 runs:
   using: 'docker'
   image: 'Dockerfile'
   args:
     - ${{ inputs.github_app_id }}
     - ${{ inputs.github_app_private_key }}
-    - ${{ inputs.github_account_type }}
+    - ${{ inputs.owner }}
+    - ${{ inputs.repositories }}

entrypoint.sh

@@ -3,7 +3,26 @@
 # installng pipenv and creating pipenv venv
 cd /app && pipenv install --skip-lock
 
-# run python program to generate token
-pipenv run python3 /app/generate_jwt.py --github_app_id "$1" --github_app_private_key "$2" --github_account_type "$3"
+# Capture arguments
+GITHUB_APP_ID="$1"
+GITHUB_APP_PRIVATE_KEY="$2"
+OWNER="$3"
+REPOSITORIES="$4"
+
+# Build the command based on available parameters
+CMD="pipenv run python3 /app/generate_jwt.py --github_app_id \"$GITHUB_APP_ID\" --github_app_private_key \"$GITHUB_APP_PRIVATE_KEY\""
+
+if [ -n "$OWNER" ]; then
+    CMD="$CMD --owner \"$OWNER\""
+fi
+
+if [ -n "$REPOSITORIES" ]; then
+    CMD="$CMD --repositories \"$REPOSITORIES\""
+fi
+
+# Print and execute the command
+echo "Executing command: $CMD"
+eval "$CMD"
+