
The Definitive Guide for Authenticating a GitHub App

The best way to set up an octokit instance so that it can interact with the API on your behalf.
Jason Laster
Yesterday we published a post on how we debugged GitHub’s Auth flow in order to be able to programmatically manage PR Checks.
At a high level there were 7 steps:
  1. Create an App
  1. Create a private key
  1. Install the App
  1. Create a JWT with a reasonable expiration and app id
  1. Use the JWT and the installation id to create a token
  1. Use the token to create the Check Run
  1. profit
And there was some really crazy stuff in there. First, signing a JWT is no joke, and then fetching an access_token for the installation is not simple either. And this approach came straight from GitHub’s docs.
So, after meeting with Gregor, who built a big chunk of the octokit SDK, I learned there’s a much simpler way to do it.
The simpler way boils down to four steps:
  1. Create an @octokit/app App
  1. Fetch the installation id for the repo you want to talk to
  1. Create an octokit instance for the given installation
  1. profit
```javascript
const { App } = require("@octokit/app");
const dotenv = require("dotenv");

dotenv.config({ path: "./.env.local" });

(async () => {
  const appId = 274973;
  const owner = "replayio";
  const repo = "devtools";

  const app = new App({ appId, privateKey: process.env.PEM });

  // First we need to get the installation id for the repo
  const { data: installation } = await app.octokit.request(
    `GET /repos/${owner}/${repo}/installation`
  );

  // Then we can get an octokit instance for the installation
  const octokit = await app.getInstallationOctokit(installation.id);

  // Then we go nuts
  const { data: issues } = await octokit.request(
    `GET /repos/${owner}/${repo}/issues`
  );

  console.log(issues);
})();
```
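For comparison, this is what step 4 of the manual flow (the JWT with an expiration and app id) involves when done by hand with Node's built-in `crypto`. It is an added example, not code from the original post or from octokit; `createAppJwt`, `verifyAppJwt` and `demo` are illustrative names, the key pair is a throwaway generated in-process, and `verifyAppJwt` is only a local stand-in for the check GitHub performs on its side.

```javascript
const crypto = require("crypto");

// JWT segments are base64url without padding
const b64url = (input) => Buffer.from(input).toString("base64url");

// Build the short-lived RS256 JWT that identifies the App itself (step 4).
function createAppJwt(appId, privateKeyPem, nowSeconds = Math.floor(Date.now() / 1000)) {
  const header = { alg: "RS256", typ: "JWT" };
  const payload = {
    iat: nowSeconds - 60,     // backdated 60s to tolerate clock drift
    exp: nowSeconds + 9 * 60, // GitHub caps the JWT lifetime at 10 minutes
    iss: appId,
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const signature = crypto.sign("RSA-SHA256", Buffer.from(signingInput), privateKeyPem);
  return `${signingInput}.${signature.toString("base64url")}`;
}

// Local stand-in for the server-side check: verify signature, then expiry.
function verifyAppJwt(token, publicKeyPem, nowSeconds = Math.floor(Date.now() / 1000)) {
  const [h, p, s] = token.split(".");
  const ok = crypto.verify(
    "RSA-SHA256", Buffer.from(`${h}.${p}`), publicKeyPem, Buffer.from(s, "base64url")
  );
  if (!ok) throw new Error("bad signature");
  const payload = JSON.parse(Buffer.from(p, "base64url").toString());
  if (payload.exp <= nowSeconds) throw new Error("token expired");
  return payload;
}

// Constructed demo: throwaway key pair, fixed clock, app id taken from the post.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  const now = 1700000000; // constructed timestamp
  const token = createAppJwt(274973, privateKey, now);
  // Step 5 would send this as "Authorization: Bearer <token>" to
  // POST /app/installations/{installation_id}/access_tokens
  return { token, publicKey, now, payload: verifyAppJwt(token, publicKey, now) };
}
```

The short lifetime limits what a leaked JWT is worth; the private key is the long-lived secret, which is why the post's script reads it from an environment file rather than from source.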
