
Replace PAT auth with GitHub App for production servers#39

Merged
jonathonbyrdziak merged 1 commit into master from feature/github-app-auth on Mar 20, 2026

Conversation

@jonathonbyrdziak
Contributor

Summary

  • Replaces fine-grained PAT flow with GitHub App manifest flow for production/staging server authentication
  • App belongs to the org (not a person) — access survives team member departures
  • CLI generates a pre-configured manifest URL with all permissions baked in — user just clicks and creates
  • New GitHubApp helper handles JWT signing, installation token generation, and credential refresh

Flow

  1. protocol init → production → enter private repo URL → access fails
  2. CLI generates manifest URL: https://github.com/organizations/{org}/settings/apps/new?manifest=...
  3. User clicks → app is pre-configured (Contents: read, Variables: read, Metadata: read)
  4. User generates private key, installs app on repo
  5. Pastes App ID + private key path back into CLI
  6. CLI verifies: JWT → installation lookup → token generation → repo access test
  7. Credentials stored in ~/.protocol/.node/ (github-app.json + github-app.pem, 0600)

Files

  • New: src/Helpers/GitHubApp.php — JWT, installation tokens, credential management
  • Modified: src/Commands/ProtocolInit.php (flowGitAuth uses GitHub App instead of PAT)

Test plan

  • Run protocol init → production → private repo URL the server can't access
  • Verify manifest URL loads GitHub App creation form with correct permissions
  • Create app, generate private key, install on repo
  • Paste App ID + key path — verify JWT, installation lookup, and access test succeed
  • Confirm credentials stored at ~/.protocol/.node/github-app.json and .pem
  • Re-run init with existing credentials — verify it refreshes without re-prompting

🤖 Generated with Claude Code

GitHub Apps belong to the org, not an individual. When a developer
leaves, access stays intact — no more production outages from
revoked personal tokens.

Flow: CLI generates a pre-configured manifest URL → user clicks to
create app → installs on repo → provides App ID + private key →
CLI generates JWT, verifies installation, and configures git credentials.

Adds GitHubApp helper with JWT signing, installation token generation,
and credential management. Tokens auto-expire (1 hour) and can be
refreshed via GitHubApp::refreshGitCredentials().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
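The verification chain in step 6 of the flow (app JWT, installation lookup, installation token, repository access test) and the one-hour token refresh described in the commit message, written out as an added PHP 8 example. This is not the project's src/Helpers/GitHubApp.php; the class name GitHubAppExample, the method names, the github-app.json layout and the five-minute refresh margin are assumptions. The endpoints, the RS256/iss/exp rules for the app JWT and the x-access-token clone URL are GitHub's documented behaviour. It needs ext-openssl and ext-curl.

```php
<?php
declare(strict_types=1);
// Added example of GitHub App authentication for a CLI; not the project's own helper.
// Assumed: class/method names, credential file layout, refresh margin.

final class GitHubAppExample
{
    private const API = 'https://api.github.com';

    public function __construct(
        private string $appId,
        private string $privateKeyPem,   // contents of the downloaded .pem file
        private string $credDir,         // e.g. $HOME/.protocol/.node (assumed layout)
    ) {}

    // Base64url without padding, as RFC 7515 requires for JWT segments.
    private static function b64url(string $bytes): string
    {
        return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
    }

    // App JWT: RS256, iss = App ID, exp no more than 10 minutes after iat.
    // iat is backdated 60 s so a slightly fast client clock is still accepted.
    public function appJwt(?int $now = null): string
    {
        $now ??= time();
        $signingInput = self::b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT'])) . '.'
            . self::b64url(json_encode(['iat' => $now - 60, 'exp' => $now + 540, 'iss' => $this->appId]));
        $key = openssl_pkey_get_private($this->privateKeyPem);
        if ($key === false || !openssl_sign($signingInput, $sig, $key, OPENSSL_ALGO_SHA256)) {
            throw new RuntimeException('JWT signing failed: ' . (openssl_error_string() ?: 'bad key'));
        }
        return $signingInput . '.' . self::b64url($sig);
    }

    // Offline self-check before any network call: verify with the public half of the same key.
    public function verifyJwt(string $jwt): bool
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            return false;
        }
        $pub = openssl_pkey_get_details(openssl_pkey_get_private($this->privateKeyPem))['key'];
        $sig = base64_decode(strtr($parts[2], '-_', '+/'));
        return openssl_verify("$parts[0].$parts[1]", $sig, $pub, OPENSSL_ALGO_SHA256) === 1;
    }

    // Minimal authenticated API call. The error message deliberately omits the response
    // body and the bearer value so nothing secret ends up in CLI output or logs.
    private function api(string $method, string $path, string $bearer, ?array $json = null): array
    {
        $ch = curl_init(self::API . $path);
        $headers = ["Authorization: Bearer $bearer", 'Accept: application/vnd.github+json',
                    'X-GitHub-Api-Version: 2022-11-28', 'User-Agent: protocol-cli-example'];
        if ($json !== null) {
            $headers[] = 'Content-Type: application/json';
            curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($json));
        }
        curl_setopt_array($ch, [CURLOPT_CUSTOMREQUEST => $method, CURLOPT_RETURNTRANSFER => true,
                                CURLOPT_HTTPHEADER => $headers]);
        $body   = curl_exec($ch);
        $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);
        if ($body === false || $status < 200 || $status >= 300) {
            throw new RuntimeException("$method $path returned HTTP $status");
        }
        return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    }

    // Installation lookup: which installation of this app covers owner/repo? (JWT-authenticated)
    public function installationId(string $owner, string $repo): int
    {
        return (int) $this->api('GET', "/repos/$owner/$repo/installation", $this->appJwt())['id'];
    }

    // Installation token, valid for one hour. Restricting it to the one repository keeps
    // the stored credential at least privilege even if the app is installed org-wide.
    public function installationToken(int $installationId, string $repo): array
    {
        $r = $this->api('POST', "/app/installations/$installationId/access_tokens",
                        $this->appJwt(), ['repositories' => [$repo]]);
        return ['token' => $r['token'], 'expires_at' => $r['expires_at']];
    }

    // Access test must use the installation token: the JWT only authenticates app-level
    // endpoints, so a JWT-based test says nothing about whether the repo is readable.
    public function canReadRepo(string $token, string $owner, string $repo): bool
    {
        try {
            $this->api('GET', "/repos/$owner/$repo", $token);
            return true;
        } catch (RuntimeException) {
            return false;
        }
    }

    // Persist with 0600. The umask is set before creation so the file never exists
    // world-readable, even briefly; chmod also tightens a pre-existing file.
    public function store(array $cred): string
    {
        if (!is_dir($this->credDir) && !mkdir($this->credDir, 0700, true)) {
            throw new RuntimeException("cannot create {$this->credDir}");
        }
        $path = $this->credDir . '/github-app.json';
        $old  = umask(0077);
        try {
            file_put_contents($path, json_encode($cred + ['app_id' => $this->appId]), LOCK_EX);
            chmod($path, 0600);
        } finally {
            umask($old);
        }
        return $path;
    }

    // Re-run path: reuse the stored token, refresh it when missing or within 5 minutes of expiry.
    public function gitUrl(string $owner, string $repo): string
    {
        $path = $this->credDir . '/github-app.json';
        $cred = is_file($path) ? json_decode(file_get_contents($path), true) : [];
        if (empty($cred['expires_at']) || strtotime($cred['expires_at']) - time() < 300) {
            $cred = $this->installationToken($this->installationId($owner, $repo), $repo);
            $this->store($cred);
        }
        // GitHub accepts an installation token as the password for the user x-access-token.
        return "https://x-access-token:{$cred['token']}@github.com/$owner/$repo.git";
    }
}
```

To exercise it the way step 6 does (names below are placeholders): `$app = new GitHubAppExample('123456', file_get_contents("$HOME/.protocol/.node/github-app.pem"), "$HOME/.protocol/.node"); $jwt = $app->appJwt(); assert($app->verifyJwt($jwt)); $tok = $app->installationToken($app->installationId('example-org', 'example-repo'), 'example-repo'); $app->canReadRepo($tok['token'], 'example-org', 'example-repo');`. Two points worth checking in any implementation: the JWT must never be written to the credential file (it is re-minted from the .pem each time and is only good for ten minutes), and the token embedded in the git remote URL is the one-hour installation token, so a server that keeps the URL in .git/config will need the refresh path before every fetch after that hour.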
jonathonbyrdziak merged commit 08f125d into master Mar 20, 2026
6 of 8 checks passed
jonathonbyrdziak deleted the feature/github-app-auth branch March 20, 2026 20:55