feat: implement GitHub App auth with fallback

Author: hanna-skryl

.gitleaksignore

@@ -0,0 +1 @@
+/github/workspace/src/auth.ts:generic-api-key:8

README.md

@@ -103,6 +103,36 @@ Example of using step outputs:
     echo "Artifact ID is ${{ steps.code-pushup.outputs.artifact-id }}"
 ```
 
+## Authentication
+
+The GitHub Action supports multiple authentication methods to integrate with
+your CI workflows.
+
+### GitHub App authentication (recommended)
+
+For the most seamless authentication experience, we recommend installing the
+[Code PushUp GitHub App](https://github.com/apps/code-pushup-staging).
+
+The action automatically detects the GitHub App installation and uses it for
+enhanced API access. This provides better security through short-lived tokens
+and requires zero configuration on your part.
+
+### Default authentication
+
+If the GitHub App is not installed, the action automatically uses the default
+`GITHUB_TOKEN` provided by GitHub Actions, which works perfectly for most use
+cases.
+
+### Custom authentication
+
+You can provide your own token if you have specific requirements:
+
+```yml
+- uses: code-pushup/github-action@v0
+  with:
+    token: ${{ secrets.YOUR_PAT }}
+```
+
 ## Monorepo mode
 
 By default, the GitHub Action assumes your repository is a standalone project.

__tests__/auth.test.ts

@@ -0,0 +1,75 @@
+import {
+  authenticate,
+  GITHUB_AUTH_API_KEY,
+  GITHUB_AUTH_SERVICE_URL
+} from '../src/auth'
+import { jest } from '@jest/globals'
+
+describe('authenticate', () => {
+  const mockFetch = jest.spyOn(global, 'fetch')
+
+  beforeEach(() => {
+    process.env.GITHUB_TOKEN = 'ghp_default_token'
+    mockFetch.mockClear()
+  })
+
+  it('should use GitHub App authentication when app is installed', async () => {
+    mockFetch.mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: async () => Promise.resolve({ token: 'ghs_app_123' })
+    } as Response)
+
+    const result = await authenticate(
+      { owner: 'dunder-mifflin', repo: 'website' },
+      'ghp_default_token'
+    )
+
+    expect(result).toBe('ghs_app_123')
+    expect(mockFetch).toHaveBeenCalledWith(
+      `${GITHUB_AUTH_SERVICE_URL}/github/dunder-mifflin/website/installation-token`,
+      expect.objectContaining({
+        method: 'POST',
+        headers: { Authorization: `Bearer ${GITHUB_AUTH_API_KEY}` }
+      })
+    )
+  })
+
+  it('should fall back to standard authentication when app is not installed', async () => {
+    mockFetch.mockResolvedValue({
+      ok: false,
+      status: 404,
+      json: async () => Promise.resolve({ error: 'Not installed' })
+    } as Response)
+
+    const result = await authenticate(
+      { owner: 'dunder-mifflin', repo: 'website' },
+      'ghp_default_token'
+    )
+
+    expect(result).toBe('ghp_default_token')
+  })
+
+  it('should fall back to standard authentication when service is unavailable', async () => {
+    mockFetch.mockRejectedValue(new Error('Network error'))
+
+    const result = await authenticate(
+      { owner: 'dunder-mifflin', repo: 'website' },
+      'ghp_default_token'
+    )
+
+    expect(result).toBe('ghp_default_token')
+  })
+
+  it('should use user-provided PAT when different from GITHUB_TOKEN', async () => {
+    const customPAT = 'ghp_custom_pat'
+
+    const result = await authenticate(
+      { owner: 'owner', repo: 'repo' },
+      customPAT
+    )
+
+    expect(result).toBe(customPAT)
+    expect(mockFetch).not.toHaveBeenCalled()
+  })
+})

dist/index.js

@@ -0,0 +1,71 @@
+import * as core from '@actions/core'
+import type { Context } from '@actions/github/lib/context'
+
+// TODO: check production URL?
+export const GITHUB_AUTH_SERVICE_URL =
+  'https://github-auth.staging.code-pushup.dev'
+
+export const GITHUB_AUTH_API_KEY =
+  '18850f2513adad10662e85f4f085a9714e64cef7793fc2ffe903b5ddcd62de42'
+
+type TokenResponse = {
+  token: string
+}
+
+export async function authenticate(
+  { owner, repo }: Context['repo'],
+  token: string
+): Promise<string> {
+  if (token !== process.env.GITHUB_TOKEN) {
+    core.info('Using user-provided PAT')
+    return token
+  }
+  try {
+    const response = await fetch(
+      `${GITHUB_AUTH_SERVICE_URL}/github/${owner}/${repo}/installation-token`,
+      {
+        method: 'POST',
+        headers: {
+          Authorization: `Bearer ${GITHUB_AUTH_API_KEY}`
+        }
+      }
+    )
+    const data = await response.json()
+    if (response.ok && isTokenResponse(data)) {
+      core.info('Using Code PushUp GitHub App installation token')
+      return data.token
+    }
+    handleErrorResponse(response.status)
+  } catch (error) {
+    core.warning(
+      `Unable to contact Code PushUp authentication service: ${error}`
+    )
+  }
+  core.info('Using default GITHUB_TOKEN')
+  return token
+}
+
+function isTokenResponse(res: unknown): res is TokenResponse {
+  return (
+    !!res &&
+    typeof res === 'object' &&
+    'token' in res &&
+    typeof res.token === 'string'
+  )
+}
+
+function handleErrorResponse(status: number): void {
+  switch (status) {
+    case 404:
+      core.debug('Code PushUp GitHub App not installed on this repository')
+      break
+    case 401:
+      core.warning('Code PushUp authentication service authorization failed')
+      break
+    case 500:
+      core.warning('Code PushUp authentication service temporarily unavailable')
+      break
+    default:
+      core.debug(`Code PushUp authentication service returned status ${status}`)
+  }
+}

dist/index.js.map

@@ -6,6 +6,7 @@ import { simpleGit } from 'simple-git'
 import { createAnnotationsFromIssues } from './annotations'
 import { GitHubApiClient } from './api'
 import { REPORT_ARTIFACT_NAME, uploadArtifact } from './artifact'
+import { authenticate } from './auth'
 import { parseInputs } from './inputs'
 import { createOptions } from './options'
 import { parseGitRefs } from './refs'
@@ -44,7 +45,10 @@ export async function run(
   }
 
   const refs = parseGitRefs()
-  const api = new GitHubApiClient(inputs.token, refs, artifact, getOctokit)
+
+  const token = await authenticate(github.context.repo, inputs.token)
+
+  const api = new GitHubApiClient(token, refs, artifact, getOctokit)
 
   const result = await runInCI(refs, api, options, git)