Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func MintIAT ¶
MintIAT returns a current installation access token as a plain string (e.g. "ghs_...") suitable for use as a bearer credential in subprocess env (GH_TOKEN), `gh auth setup-git`, or any other caller that needs the raw token rather than an authenticated http.Client.
The returned token is valid for up to 1 hour from GitHub's perspective. Callers that need long-lived authentication should use NewClient instead; callers that need to refresh a one-shot string token should call MintIAT again — the underlying ghinstallation/v2 transport caches across calls.
Returns an error if the config is invalid or the IAT exchange fails.
func NewClient ¶
NewClient returns an *http.Client whose RoundTripper authenticates every outgoing request as the given App installation using a cached IAT.
The first call mints a JWT, exchanges it for an IAT, and caches the IAT for ~50 minutes; subsequent calls reuse the cached IAT and refresh it transparently before expiry.
Returns an error if the config is invalid (both PEM and PEMPath set, or neither set; AppID or InstallationID zero) or if the PEM cannot be parsed.
Types ¶
type Config ¶
type Config struct {
AppID int64
InstallationID int64
PEM []byte // PEM content; mutually exclusive with PEMPath
PEMPath string // path to PEM file; mutually exclusive with PEM
BaseURL string // API base URL (defaults to https://api.github.com); used for testing with httptest
}
Config carries the inputs needed to authenticate as a GitHub App installation.
AppID and InstallationID are public values (visible in the App settings page and the installation URL respectively) and are safe to commit. PEM (or PEMPath) is the long-lived secret and MUST come from a Kubernetes Secret mount, never from a checked-in file.
Exactly one of PEM or PEMPath must be non-empty; passing both is a configuration error.
Source Files