Integrate GitHub App token generation directly into backup tool with automatic refresh #1
Conversation
- Document GitHub App creation and configuration steps - Explain required permissions/scopes for organization backup - Add installation access token generation instructions - Include practical examples for using --as-app with organizations - Cover differences between personal access tokens and GitHub App tokens Co-authored-by: schlomo <101384+schlomo@users.noreply.github.com>
Copilot
AI
changed the title
|
@copilot When installing the new app I had to create a client secret, how do I go from client secret to token? The docs should reflect a setup where the backup runs nightly e.g. via cron job |
- Replace incorrect GitHub CLI option with proper programmatic approach - Add complete Python script for generating installation access tokens - Include step-by-step cron job setup with environment variables - Document how to find App ID, Installation ID, and other credentials - Address client secret confusion by clarifying what credentials are needed Co-authored-by: schlomo <101384+schlomo@users.noreply.github.com>
I've updated the documentation to properly address the client secret to token conversion process. The documentation now includes:
The key insight is that for automated token generation, you use the private key (not the client secret) along with the App ID and Installation ID. The client secret is primarily used for OAuth flows, not for this programmatic token generation approach. See commit 08dbe62 for the complete automated backup setup documentation. |
Copilot
AI
changed the title
|
@copilot explain why we use a classic token and not a fine grained token. Explain what happens if the backup takes longer than 1h. Is it a problem if the token expires before the backup is done? How can we remediate that, e.g. regenarating the token if needed till the backup is done? |
…oken explanation Co-authored-by: schlomo <101384+schlomo@users.noreply.github.com>
I've added comprehensive documentation explaining these important technical aspects: Classic vs Fine-Grained Tokens: Classic tokens are required with Token Expiry Handling: The 1-hour expiry is indeed a problem for long backups. When tokens expire mid-backup, you get Solutions Provided: Three production-ready strategies:
The segmented approach is recommended for nightly cron jobs as it's most predictable and recovery-friendly. See commit 95358a4 for the complete documentation with working scripts. |
Copilot
AI
changed the title
|
@copilot I think that this is way too complicated. Why not simply add the token generation into the backup tool so that we can provide the backup tool with the private key instead of a token. The backup tool should then use that to generate tokens as needed. This will also simplify using this mode in Docker. double check the resulting code for correctness and clarity and simplicity for the user |
Co-authored-by: schlomo <101384+schlomo@users.noreply.github.com>
Co-authored-by: schlomo <101384+schlomo@users.noreply.github.com>
You're absolutely right! I've completely redesigned the approach to be much simpler and more user-friendly. What's Changed: ✅ Direct GitHub App Integration: No more external scripts - the backup tool now handles token generation internally New Usage (Much Simpler): github-backup YOUR_ORG \
--app-id 123456 \
--installation-id 789012 \
--private-key /path/to/your-app.pem \
--organization \
--repositoriesKey Benefits:
The documentation is now focused on the essential steps: create GitHub App → get credentials → run backup. All the complex token management is handled internally. See commit 3296835 for the complete implementation. |
…oken management Co-authored-by: schlomo <101384+schlomo@users.noreply.github.com>
Copilot
AI
changed the title
- Reading private key files completely (not just the first line) - Supporting both `file://` prefixed paths and direct file paths - Adding proper error handling for file reading operations - Automatic token regeneration when needed - Proper timezone handling for token expiration comparison - Fixed parameter order bug in `_construct_request()` that caused pagination to start at page 100 - Fixed `b"..."` string issue in `logging_subprocess()` by properly decoding bytes to strings
This PR completely redesigns the GitHub App authentication approach to eliminate complexity and provide a much simpler user experience. Instead of requiring external scripts and manual token management, the backup tool now handles GitHub App authentication internally.
What Changed
Before (Complex):
After (Simple):
# Direct GitHub App authentication - no external scripts needed github-backup myorg \ --app-id 123456 \ --installation-id 789012 \ --private-key /path/to/app-private-key.pem \ --organization \ --repositoriesKey Features
--app-id,--installation-id,--private-key) replace complex external scripts--token+--as-appapproach continues to workBenefits
This addresses the feedback that the previous approach was "way too complicated" by moving all the complexity into the tool itself, providing a clean and simple interface for users.
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.