[WIP] Make githubapp private key storable in other credential sources

[Klaas-]

SUMMARY

I am not yet sure if this is a good idea :) But essentially this is a follow up to the github app PR, I would like to be able to use a azure keyvault (or other secret manager) secret to store the RSA key for the github app.

I am not really too familiar with the UI/API, while I tested it and it works I am not sure it's a good idea to remove the restrictions :) So I am looking for feedback on this change.

ISSUE TYPE

• New or Enhanced Feature

COMPONENT NAME

• API
• UI

ASCENDER VERSION

25.3.4

ADDITIONAL INFORMATION

[Copilot]

Pull request overview

This PR expands credential input sourcing so that external credentials (e.g., Azure Key Vault) can themselves have fields populated from other credential sources, enabling secret-manager “chaining” (useful for storing GitHub App private keys or external-credential auth inputs in a separate secret store).

Changes:

• UI: Removes the special-case rendering for credentialType.kind === 'external', so external credential fields now go through the standard CredentialPluginField flow.
• API/Model: Allows Credential.get_input() to resolve dynamic input sources for all credential kinds (including external), and permits external credentials to be input-source targets.
• API/Model: Resolves dynamic inputs on the source external credential when executing an input-source lookup, enabling multi-hop external credential resolution.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
awx/ui/src/screens/Credential/shared/CredentialFormFields/CredentialField.js	Removes external-only field rendering to allow plugin-based sourcing UI for external credential fields.
awx/main/models/credential/__init__.py	Enables external→external input sourcing and resolves dynamic inputs on source credentials during backend lookups.

Comments suppressed due to low confidence (1)

awx/ui/src/screens/Credential/shared/CredentialFormFields/CredentialField.js:226

• Removing the special-case UI for credentialType.kind === 'external' means external credentials will now render inside CredentialPluginField, allowing form values like inputs.<field> to become plugin objects ({credential, inputs}). ExternalTestModal currently builds the /credentials/:id/test/ payload by copying credentialFormValues.inputs[field.id] verbatim, so it will send these objects for string fields and fail schema validation. The test modal (and/or test endpoint) needs to filter/serialize plugin-sourced fields similarly to save, or otherwise support resolving dynamic inputs when testing external credentials.

  if (credentialType.kind === 'ssh' && fieldOptions.id === 'become_method') {
    return (
      <BecomeMethodField fieldOptions={fieldOptions} isRequired={isRequired} />
    );
  }

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[cigamit]

I see no issue with removing the constraints as long as we eliminate the recursion and fix the tests.

[Klaas-]

I have added a few tests and fixed one test that I broke with this change