
🩹 [Patch]: Refactor: Split JWT Creation and Signing Logic #471

@MariusStorhaug

Description

Currently, JWT creation and signing logic is tightly coupled in the internal function Get-GitHubAppJSONWebToken. To support flexible signing methods (local signing, Azure Key Vault signing, etc.), the logic needs to be split clearly into two distinct steps:

  1. JWT creation: Prepare the header and payload to form an unsigned JWT.
  2. JWT signing: Pass the unsigned JWT to a separate signing function or method, depending on the desired signing provider.

Goals

  • Facilitate adding multiple JWT signing methods.
  • Improve maintainability and clarity of JWT logic.
  • Enable seamless integration of Azure Key Vault signing.

Proposed Implementation Steps

  • Create a new internal function New-GitHubAppJWT to handle JWT creation (header + payload, without signing).
  • Extract the signing logic into separate, distinct functions (e.g., Sign-GitHubJWTLocally).
  • Refactor existing functions to use the new separated logic.

Benefits

  • Easier addition of alternative signing methods.
  • Improved modularity and readability.
  • Clear separation of responsibilities.

Acceptance Criteria

  • JWT creation logic is isolated from signing logic.
  • Multiple signing methods can be easily added without altering JWT creation.
  • Existing functionality remains intact and passes all tests.

Additional Context

This change is a prerequisite for supporting Azure Key Vault-backed JWT signing.
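As an added illustration of the two-step split proposed above (example code written for this page, not the PSModule/GitHub project's own implementation), the following PowerShell builds the unsigned `header.payload` in one function and signs it in another that takes a `-Signer` scriptblock, so the key provider can be swapped without touching JWT creation. The function names `Add-GitHubJWTSignature`, `New-LocalRS256Signer` and `New-KeyVaultRS256Signer`, the `-Signer` parameter, and the client ID are assumptions made here; the Key Vault signer is defined only to show the shape of a remote provider and is not executed, since it needs a live vault and bearer token. Needs PowerShell 7.1 or later (for `RSA.ImportFromPem`).

```powershell
# Added example, not the PSModule/GitHub project's code. Names below are illustrative.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]] $Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string] $Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Convert]::FromBase64String($s)
}

function New-GitHubAppJWT {
    # Step 1: header + payload only. Returns "header.payload" with no signature attached.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string] $ClientId,  # GitHub App client ID (or App ID), used as 'iss'
        [datetime] $Now = [datetime]::UtcNow,
        [int] $ClockSkewSeconds = 60,              # backdate 'iat' a little to tolerate clock drift
        [int] $LifetimeSeconds = 600               # GitHub rejects App JWTs valid for more than 10 minutes
    )
    if ($LifetimeSeconds -gt 600) { throw 'GitHub App JWTs may not be valid for more than 10 minutes.' }
    $epoch   = [DateTimeOffset]::new($Now).ToUnixTimeSeconds()
    $header  = [ordered]@{ alg = 'RS256'; typ = 'JWT' }
    $payload = [ordered]@{ iat = $epoch - $ClockSkewSeconds; exp = $epoch + $LifetimeSeconds; iss = $ClientId }
    $h = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($header  | ConvertTo-Json -Compress)))
    $p = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($payload | ConvertTo-Json -Compress)))
    "$h.$p"
}

function Add-GitHubJWTSignature {
    # Step 2: sign "header.payload" with whichever provider is supplied. The -Signer scriptblock
    # receives the ASCII bytes of the signing input and must return the RS256 signature bytes;
    # where the private key lives (process memory, Key Vault, an HSM) is the signer's concern alone.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string] $UnsignedJWT,
        [Parameter(Mandatory)][scriptblock] $Signer
    )
    if ($UnsignedJWT.Split('.').Count -ne 2) { throw 'Expected an unsigned JWT of the form header.payload' }
    $signingInput = [Text.Encoding]::ASCII.GetBytes($UnsignedJWT)
    [byte[]] $signature = & $Signer $signingInput
    "$UnsignedJWT.$(ConvertTo-Base64Url $signature)"
}

function New-LocalRS256Signer {
    # Local provider: RSASSA-PKCS1-v1_5 over SHA-256 with a PEM private key held in process.
    param([Parameter(Mandatory)][string] $PrivateKeyPem)
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $rsa.ImportFromPem($PrivateKeyPem)
    return {
        param([byte[]] $Data)
        $rsa.SignData($Data, [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                             [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    }.GetNewClosure()
}

function New-KeyVaultRS256Signer {
    # Remote provider (illustrative, not executed below): the private key never leaves Key Vault.
    # Key Vault's sign operation takes a base64url SHA-256 digest and returns a base64url signature.
    # Assumes $AccessToken is a bearer token for the https://vault.azure.net audience.
    param(
        [Parameter(Mandatory)][string] $KeyId,   # https://<vault>.vault.azure.net/keys/<name>/<version>
        [Parameter(Mandatory)][string] $AccessToken
    )
    return {
        param([byte[]] $Data)
        $digest = [System.Security.Cryptography.SHA256]::HashData($Data)
        $resp = Invoke-RestMethod -Method Post -Uri "$KeyId/sign?api-version=7.4" `
            -Headers @{ Authorization = "Bearer $AccessToken" } -ContentType 'application/json' `
            -Body (@{ alg = 'RS256'; value = (ConvertTo-Base64Url $digest) } | ConvertTo-Json -Compress)
        ConvertFrom-Base64Url $resp.value
    }.GetNewClosure()
}

# Demo with a throwaway key generated in-process (constructed for this example, not a real App key).
$demoKey = [System.Security.Cryptography.RSA]::Create(2048)
$pem = "-----BEGIN RSA PRIVATE KEY-----`n" +
       [Convert]::ToBase64String($demoKey.ExportRSAPrivateKey(), [Base64FormattingOptions]::InsertLineBreaks) +
       "`n-----END RSA PRIVATE KEY-----"

$unsigned = New-GitHubAppJWT -ClientId 'Iv1.constructed-client-id'
$jwt = Add-GitHubJWTSignature -UnsignedJWT $unsigned -Signer (New-LocalRS256Signer -PrivateKeyPem $pem)

# Verify with the public half, as GitHub would: the signature must cover exactly "header.payload".
$parts = $jwt.Split('.')
$valid = $demoKey.VerifyData([Text.Encoding]::ASCII.GetBytes("$($parts[0]).$($parts[1])"),
                             (ConvertFrom-Base64Url $parts[2]),
                             [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                             [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
"Unsigned: $unsigned"
"Signature valid: $valid"
```

The point of the split is visible in `Add-GitHubJWTSignature`: it never sees a key, only a scriptblock, so swapping `New-LocalRS256Signer` for `New-KeyVaultRS256Signer` changes nothing about how the header and payload are built or encoded. The explicit check that the input has exactly two segments guards against signing an already-signed token or arbitrary text, and the final `VerifyData` call demonstrates what GitHub checks on its side: the RS256 signature over the ASCII bytes of `header.payload`, nothing more.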

Metadata

Status: Done
Milestone: No milestone
Development: No branches or pull requests