Use GitHub App authentication for PublishMcrDocs command #1656

@lbussell

Description

The Microsoft GitHub org is restricting PAT lifetimes and will eventually require the usage of fine-grained PATs. Current guidance is to migrate all interactions with the Microsoft GitHub org to use a GitHub App by the end of FY25.
 

How to create the app

  • Create the app on a personal GitHub account
    • Permissions are defined at app creation time - this app probably just needs repo content write access
    • Record the App's Client ID somewhere - probably a pipeline variable group (it can be found on the App's management page)
  • Transfer ownership to the dotnet org
  • Add .NET containers team members as managers/admins of the App
  • Get the app installed on the Microsoft org
  • Create a private key for the app and store it in our KeyVault
     

How to authenticate as an app

  1. Use the app's private key and Client ID to generate a JWT
  2. Exchange the JWT for an installation-specific token
  3. Use the token to authenticate to GitHub as the app

Step 1 is not handled by OctoKit or Dotnet.VersionTools.Automation. For step 2, we could add support for the installation token endpoint to VersionTools, or use OctoKit as a helper to exchange tokens. For step 3, we should be able to use the app installation token just like any other token with the VersionTools client. Migrating entirely to OctoKit is not necessary at this time.
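The three steps above, sketched in C# as an added example (not code from this issue, its author, or the repository). It uses only the .NET base class library (.NET 5 or later for `ImportFromPem`). The class name, the `installationId` parameter, and the `contents: write` permission request are assumptions for illustration.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class GitHubAppAuth // hypothetical helper name
{
    private static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Step 1: sign a short-lived RS256 JWT with the app's PEM private key.
    public static string CreateAppJwt(string clientId, string privateKeyPem, DateTimeOffset now)
    {
        string header = Base64Url(Encoding.UTF8.GetBytes("{\"alg\":\"RS256\",\"typ\":\"JWT\"}"));
        string payload = Base64Url(JsonSerializer.SerializeToUtf8Bytes(new
        {
            iat = now.AddSeconds(-60).ToUnixTimeSeconds(), // backdated to tolerate clock drift
            exp = now.AddMinutes(9).ToUnixTimeSeconds(),   // GitHub rejects lifetimes over 10 minutes
            iss = clientId
        }));
        using RSA rsa = RSA.Create();
        rsa.ImportFromPem(privateKeyPem); // key material should come from the vault, never from source
        byte[] signature = rsa.SignData(Encoding.ASCII.GetBytes($"{header}.{payload}"),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return $"{header}.{payload}.{Base64Url(signature)}";
    }

    // Step 2: exchange the JWT for an installation access token.
    public static async Task<string> GetInstallationTokenAsync(HttpClient http, string jwt, long installationId)
    {
        using var request = new HttpRequestMessage(HttpMethod.Post,
            $"https://api.github.com/app/installations/{installationId}/access_tokens");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", jwt);
        request.Headers.Accept.ParseAdd("application/vnd.github+json");
        request.Headers.UserAgent.ParseAdd("github-app-auth-example");
        // Assumption: ask only for the permission this job needs, even if the app holds more.
        request.Content = new StringContent("{\"permissions\":{\"contents\":\"write\"}}", Encoding.UTF8, "application/json");
        using HttpResponseMessage response = await http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        using JsonDocument body = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return body.RootElement.GetProperty("token").GetString()!;
    }
}
```

For step 3, the returned string is used wherever a PAT was used before, for example in an `Authorization: Bearer` header. Installation tokens expire after one hour, so request a fresh one per pipeline run instead of storing it.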

Status: Done
