
Demystifying GitHub Apps: Using GitHub Apps to Replace Service Accounts | josh-ops #17

Open
utterances-bot opened this issue Oct 4, 2022 · 15 comments

Comments

@utterances-bot

Demystifying GitHub Apps: Using GitHub Apps to Replace Service Accounts | josh-ops

Creating no-code GitHub Apps to install to an organization to replace having to create service accounts or a user PAT for authorization in GitHub Actions

https://josh-ops.com/posts/github-apps/

Hi Josh, firstly, thanks for this post. I was looking for the solution that you mentioned in the problem statement and I found this post. But I would like to install this bot or app on our GH Enterprise server, so is using smee.io for this purpose safe? If not, how can I use this approach? Please advise.

@joshjohanning
Owner

Hey @maheshglm! I just modified this post slightly to be more clear. You don't have to use smee.io; smee.io is only used to help you with examining the webhook payloads. And you bring up a good point, you shouldn't use smee.io for production purposes:

No! Smee is not designed for production use - it is a development and testing tool. Note that channels are not authenticated, so if someone has your channel ID they can see the payloads being sent, so it is not secure for production use.

I made it more clear that you can grab the Installation ID of your App by simply looking at the URL after installing the app 😄. See the updated post and extra screenshot!


Hi Josh, Thank you very much for the quick response. It's clear now.

@bryanrcampbell

Extremely useful post - thank you Josh! 👏


ranouf commented Mar 29, 2024

Hi,

Excellent post! Thanks.
I would like to use the GitHub App to restore NuGet packages from a private GitHub repo owned by my company.
I'm able to generate the GitHub App token, but I have a 403 error when I try to restore the NuGet packages:

- uses: actions/create-github-app-token@v1
  id: app-token
  with:
    app-id: ${{ vars.APP_ID }}
    private-key: ${{ secrets.PRIVATE_KEY }}
    # optional: owner not needed IF the app has access to the repo running the workflow
    #   if you get 'RequestError [HttpError]: Not Found 404', pass in owner
    #repositories: ${{ github.event.repository.name }}
- name: Add private NuGet source
  # the installation token from the step above is used as the NuGet password
  run: dotnet nuget update source SKDotNetPackages --source "https://nuget.pkg.github.com/sk/index.json" --username ${{ github.event.pull_request.user.login }} --password ${{ steps.app-token.outputs.token }} --store-password-in-clear-text
- name: Restore .NET project Dependencies
  run: find . -name '*.csproj' -exec dotnet restore {} \;

@joshjohanning
Owner

I'm able to generate the github app token but i have a 403 error when I try to restore the nuget packages:

@ranouf ahh very sadly, GitHub Apps cannot be used to download/restore packages :(

GitHub Packages only supports authentication using a personal access token (classic). For more information, see "Managing your personal access tokens."

It is a little confusing b/c if you look at the Packages APIs, they say they work with Apps, but that's just for listing packages, deleting, etc.

The way to do this today is to use the "Manage Actions access" functionality and add the repo(s) you're running Actions in there.


qoomon commented Jun 6, 2024

To get rid of PAT tokens completely you can make use of the access-token action.

You just need to install the GitHub Access Manager App, create .github/access-token.yaml files and you are good to go.

(You could also self-host the GitHub App server part on your own.)

Usage example

name: GitHub Actions Access Manager Example
on:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  checkout:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write

    steps:
      - uses: qoomon/actions--access-token@v3
        id: access-token
        with:
          repository: <TARGET_REPO>
          permissions: |
            contents: read

      - uses: actions/checkout@v4
        with:
          repository: <TARGET_REPO>
          token: ${{ steps.access-token.outputs.token }}

@joshjohanning
Owner

To get rid of PAT tokens completely you can make use of the access-token action.

You just need to install the GitHub Access Manager App, create .github/access-token.yaml files and you are good to go.

(You could also self-host the GitHub App server part on your own.)

Oh that's cool! I will have to try that out. Thank you for sharing @qoomon 🙇

@qoomon

qoomon commented Jun 8, 2024

@joshjohanning Looking forward to getting some feedback, especially from a security perspective.


Hi Josh, are you saying that the best practices would be to use github apps vs SAs or Tokens?

@joshjohanning
Owner

Hi Josh, are you saying that the best practices would be to use github apps vs SAs or Tokens?

@udaygovindarajula1 It does depend on what you're doing slightly, but generally, yes!

A GitHub App doesn't use a license whereas a "service account user" would. You don't have to manage the username/password/mfa settings with a GitHub App either (just the PEM file, and you can always rotate that if you lose it). Also, GitHub Apps have a higher rate limit than PATs.

The main things that I can think of that a GitHub App cannot do are 1) download/access packages from GitHub Packages and 2) run GitHub Enterprise Importer (GEI) for migrations.
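The "just the PEM file" point above is what actions/create-github-app-token hides: the PEM signs a short-lived JWT for the App ID, and that JWT is exchanged for an installation token using the Installation ID taken from the install URL. The script below is an added example, not code from the post or from the action; it assumes only openssl and curl, and the App ID, Installation ID and PEM path are placeholders you supply.

```shell
#!/bin/sh
# Mint a GitHub App JWT from the App ID + PEM private key, verify it the way
# GitHub does before honouring its claims, and exchange it for an installation
# token. Only openssl and curl are needed; no PAT or service account involved.
set -eu

# base64url without padding, as JWT (RFC 7515) requires.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Inverse of b64url: restore padding, then standard base64 decode.
b64url_decode() {
  enc=$(cat); while [ $(( ${#enc} % 4 )) -ne 0 ]; do enc="$enc="; done
  printf '%s' "$enc" | tr '_-' '/+' | openssl base64 -d -A
}

# make_app_jwt APP_ID PEM_FILE [NOW]: RS256 JWT valid for 10 minutes.
# iat is backdated 60s to tolerate clock drift between the runner and GitHub.
make_app_jwt() {
  now=${3:-$(date +%s)}
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' \
    "$((now - 60))" "$((now + 600))" "$1" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" \
    | openssl dgst -sha256 -sign "$2" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# verify_app_jwt JWT PEM_FILE: returns 0 only if the signature matches the
# public half of the key, so altered claims or a different key are rejected.
verify_app_jwt() {
  h=${1%%.*}; rest=${1#*.}; p=${rest%%.*}; s=${rest#*.}
  pub=$(mktemp); sigfile=$(mktemp)
  openssl pkey -in "$2" -pubout -out "$pub" 2>/dev/null
  printf '%s' "$s" | b64url_decode > "$sigfile"
  if printf '%s.%s' "$h" "$p" \
       | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$pub" "$sigfile"
  return $rc
}

# get_installation_token JWT INSTALLATION_ID: prints a token scoped to that
# installation (the ID is the number at the end of the install URL).
get_installation_token() {
  curl -sSf -X POST -H "Authorization: Bearer $1" \
    -H "Accept: application/vnd.github+json" \
    "https://api.github.com/app/installations/$2/access_tokens" \
    | sed -n 's/.*"token": *"\([^"]*\)".*/\1/p'
}
```

The installation token expires after an hour and carries only the permissions granted to that installation, which is why rotating the PEM is the only credential hygiene left to do.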
