code-pushup
diff --git a/‎__tests__/auth.test.ts‎
Lines changed: 62 additions & 0 deletions b/‎__tests__/auth.test.ts‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎dist/index.js‎
Lines changed: 52 additions & 3 deletions b/‎dist/index.js‎
Lines changed: 52 additions & 3 deletions
diff --git a/‎dist/index.js.map‎
Lines changed: 1 addition & 1 deletion b/‎dist/index.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/auth.ts‎
Lines changed: 66 additions & 0 deletions b/‎src/auth.ts‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎src/main.ts‎
Lines changed: 5 additions & 1 deletion b/‎src/main.ts‎
Lines changed: 5 additions & 1 deletion
@@ -0,0 +1,62 @@
+import {
+  authenticate,
+  GITHUB_AUTH_API_KEY,
+  GITHUB_AUTH_SERVICE_URL
+} from '../src/auth'
+import { jest } from '@jest/globals'
+
+describe('authenticate', () => {
+  const mockFetch = jest.spyOn(global, 'fetch')
+
+  beforeEach(() => {
+    mockFetch.mockClear()
+  })
+
+  it('should use GitHub App authentication when app is installed', async () => {
+    mockFetch.mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: async () => Promise.resolve({ token: 'ghs_app_123' })
+    } as Response)
+
+    const result = await authenticate(
+      { owner: 'dunder-mifflin', repo: 'website' },
+      'fallback_token'
+    )
+
+    expect(result).toBe('ghs_app_123')
+    expect(mockFetch).toHaveBeenCalledWith(
+      `${GITHUB_AUTH_SERVICE_URL}/github/dunder-mifflin/website/installation-token`,
+      expect.objectContaining({
+        method: 'POST',
+        headers: { Authorization: `Bearer ${GITHUB_AUTH_API_KEY}` }
+      })
+    )
+  })
+
+  it('should fall back to standard authentication when app is not installed', async () => {
+    mockFetch.mockResolvedValue({
+      ok: false,
+      status: 404,
+      json: async () => Promise.resolve({ error: 'Not installed' })
+    } as Response)
+
+    const result = await authenticate(
+      { owner: 'dunder-mifflin', repo: 'website' },
+      'fallback_token'
+    )
+
+    expect(result).toBe('fallback_token')
+  })
+
+  it('should fall back to standard authentication when service is unavailable', async () => {
+    mockFetch.mockRejectedValue(new Error('Network error'))
+
+    const result = await authenticate(
+      { owner: 'dunder-mifflin', repo: 'website' },
+      'fallback_token'
+    )
+
+    expect(result).toBe('fallback_token')
+  })
+})
@@ -0,0 +1,66 @@
+import * as core from '@actions/core'
+import type { Context } from '@actions/github/lib/context'
+
+export const GITHUB_AUTH_SERVICE_URL =
+  'https://github-auth.staging.code-pushup.dev'
+
+export const GITHUB_AUTH_API_KEY =
+  '18850f2513adad10662e85f4f085a9714e64cef7793fc2ffe903b5ddcd62de42'
+
+type TokenResponse = {
+  token: string
+}
+
+export async function authenticate(
+  { owner, repo }: Context['repo'],
+  fallbackToken: string
+): Promise<string> {
+  try {
+    const response = await fetch(
+      `${GITHUB_AUTH_SERVICE_URL}/github/${owner}/${repo}/installation-token`,
+      {
+        method: 'POST',
+        headers: {
+          Authorization: `Bearer ${GITHUB_AUTH_API_KEY}`
+        }
+      }
+    )
+    const data = await response.json()
+    if (response.ok && isTokenResponse(data)) {
+      core.info('Using Code PushUp GitHub App authentication')
+      return data.token
+    }
+    handleErrorResponse(response.status)
+  } catch (error) {
+    core.warning(
+      `Unable to contact Code PushUp authentication service: ${error}`
+    )
+  }
+  core.info('Using standard token authentication')
+  return fallbackToken
+}
+
+function isTokenResponse(res: unknown): res is TokenResponse {
+  return (
+    !!res &&
+    typeof res === 'object' &&
+    'token' in res &&
+    typeof res.token === 'string'
+  )
+}
+
+function handleErrorResponse(status: number): void {
+  switch (status) {
+    case 404:
+      core.debug('Code PushUp GitHub App not installed on this repository')
+      break
+    case 401:
+      core.warning('Code PushUp authentication service authorization failed')
+      break
+    case 500:
+      core.warning('Code PushUp authentication service temporarily unavailable')
+      break
+    default:
+      core.debug(`Code PushUp authentication service returned status ${status}`)
+  }
+}
@@ -6,6 +6,7 @@ import { simpleGit } from 'simple-git'
 import { createAnnotationsFromIssues } from './annotations'
 import { GitHubApiClient } from './api'
 import { REPORT_ARTIFACT_NAME, uploadArtifact } from './artifact'
+import { authenticate } from './auth'
 import { parseInputs } from './inputs'
 import { createOptions } from './options'
 import { parseGitRefs } from './refs'
@@ -44,7 +45,10 @@ export async function run(
   }
 
   const refs = parseGitRefs()
-  const api = new GitHubApiClient(inputs.token, refs, artifact, getOctokit)
+
+  const token = await authenticate(github.context.repo, inputs.token)
+
+  const api = new GitHubApiClient(token, refs, artifact, getOctokit)
 
   const result = await runInCI(refs, api, options, git)