docs: GitHub App setup runbook (closes #450)#456
Merged
Conversation
…o mode=app Operator runbook for switching from a classic-PAT credential to a GitHub App installation behind GitHubCredentialResolver. Covers the full path from creating the App on github.com through verifying bot identity on a smoke issue. Sections: - When to do this (bot identity, allowed_repos scoping, per-call token minting, removing single-human dependency) - Prerequisites + concept primer on PAT vs App mode + how the resolver mints + caches installation tokens - Step-by-step: create App, install on org, land App ID + Installation ID + private key on host, define credential profiles with the App as default and the PAT as named fallback, verify via 'wp datamachine-code github status', smoke-test bot identity via 'datamachine/create-github-issue', test PAT fallback selectability - Troubleshooting: github_pat_not_configured on app profile, github_app_token_request_failed (401), poisoned transient cache, openssl_sign not available - Behavioral notes on per-call token minting, expiry skew, audit trail, PAT removal timing Written from the live runbook executed on extrachill.com (Extra-Chill org, homeboy-ci app_id 3034937, installation_id 114752821). Bot identity verified end-to-end via 'datamachine/create-github-issue' returning author='homeboy-ci[bot]', author_type='Bot' on extrachill-roadie#21. Closes #450.
Contributor
Homeboy Results —
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #450.
Summary
Adds
docs/github-app-setup.md— the operator runbook for migrating from a classic-PAT credential profile to a GitHub App installation behindGitHubCredentialResolver.This is only documentation. No code changes. The
mode: 'app'code path has been live ininc/Support/GitHubCredentialResolver.phpfor some time; what was missing was a written-down procedure for actually performing the migration on a host.What the runbook covers
allowed_reposscoping, per-call token minting, removing single-human dependency.datamachine/update-settingsability so the sanitizer preserves newlines).github_credential_profileswith the App as default and the PAT demoted to a named fallback.wp datamachine-code github status.author_type: Botviagh api.github_pat_not_configuredon a wrongly-typed App profile, 401 fromPOST /app/installations/:id/access_tokens(App/install/PEM mismatch), poisoned token cache,openssl_sign()not available + thefirebase/php-jwtfallback.Written from a live execution
Every command in the runbook was actually executed on extrachill.com against the Extra-Chill org's homeboy-ci App (app_id
3034937, installation_id114752821). The smoke step was verified by filing Extra-Chill/extrachill-roadie#21 throughdatamachine/create-github-issueand confirming viagh api:{"author":"homeboy-ci[bot]","author_type":"Bot","number":21,"state":"closed"}So this runbook isn't theoretical — the procedure is exactly what worked.
Why DMC owns this doc
Per the discussion on #450:
GitHubCredentialResolver, themode: 'app'runtime, thedatamachine/update-settingssanitizer forgithub_app_*fields, andwp datamachine-code github statusall live in this plugin. Putting the runbook here means any DMC consumer (extrachill-roadie, future Studio integrations, CI tooling) has one canonical migration story to point at.Out of scope (deferred / pre-existing follow-ups)
extrachill-users, not here.github_pat/github_auth_mode/github_app_*settings still exist alongsidegithub_credential_profiles. They coexist deliberately for back-compat; collapsing them is a separate cleanup.credential_selectorplumbing through every issue/PR/comment ability. Some abilities accept the selector explicitly today, others rely on the default profile. Out of scope for this runbook; tracked separately if it needs filling in.Notes for reviewer
docs: ...)./root/.secrets/<app-slug>.private-key.pem) and concrete numeric IDs (Extra-Chill's) as examples — those are documented as examples, not hardcoded. The procedure is org-neutral.