From 3a513b6646e37e1c40ed066956b66079261e1b2e Mon Sep 17 00:00:00 2001 From: Rodos Date: Fri, 12 Dec 2025 09:55:13 +1100 Subject: [PATCH 1/2] docs: add stdin token example to README Add example showing how to pipe a token from stdin using file:///dev/stdin to avoid storing tokens in environment variables or command history. Closes #187 --- README.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.rst b/README.rst index 9fd35fd..55e21c8 100644 --- a/README.rst +++ b/README.rst @@ -359,6 +359,9 @@ Debug an error/block or incomplete backup into a temporary directory. Omit "incr github-backup -f $FINE_ACCESS_TOKEN -o /tmp/github-backup/ -l debug -P --all-starred --starred --watched --followers --following --issues --issue-comments --issue-events --pulls --pull-comments --pull-commits --labels --milestones --repositories --wikis --releases --assets --pull-details --gists --starred-gists $GH_USER +Pipe a token from stdin to avoid storing it in environment variables or command history (Unix-like systems only):: + + my-secret-manager get github-token | github-backup user -t file:///dev/stdin -o /backup --repositories Development From ef990483e2bcc76257776b02fbcf239943d09897 Mon Sep 17 00:00:00 2001 From: Rodos Date: Fri, 12 Dec 2025 10:25:49 +1100 Subject: [PATCH 2/2] Add GitHub Apps documentation and remove outdated header - Add GitHub Apps authentication section with setup steps and CI/CD workflow example using actions/create-github-app-token - Remove outdated machine-man-preview header (graduated 2020) Closes #189 --- README.rst | 31 +++++++++++++++++++++++++++++++ github_backup/github_backup.py | 3 --- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/README.rst b/README.rst index 55e21c8..272b606 100644 --- a/README.rst +++ b/README.rst @@ -174,6 +174,37 @@ Customise the permissions for your use case, but for a personal account full bac **Repository permissions**: Read access to contents, issues, metadata, pull requests, and webhooks. +GitHub Apps +~~~~~~~~~~~ + +GitHub Apps are ideal for organization backups in CI/CD. Tokens are scoped to specific repositories and expire after 1 hour. + +**One-time setup:** + +1. Create a GitHub App at *Settings -> Developer Settings -> GitHub Apps -> New GitHub App* +2. Set a name and homepage URL (can be any URL) +3. Uncheck "Webhook > Active" (not needed for backups) +4. Set permissions (same as fine-grained tokens above) +5. Click "Create GitHub App", then note the **App ID** shown on the next page +6. Under "Private keys", click "Generate a private key" and save the downloaded file +7. Go to *Install App* in your app's settings +8. Select the account/organization and which repositories to back up + +**CI/CD usage with GitHub Actions:** + +Store the App ID as a repository variable and the private key contents as a secret, then use ``actions/create-github-app-token``:: + + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + + - run: github-backup myorg -t ${{ steps.app-token.outputs.token }} --as-app -o ./backup --all + +Note: Installation tokens expire after 1 hour. For long-running backups, use a fine-grained personal access token instead. + + Prefer SSH ~~~~~~~~~~ diff --git a/github_backup/github_backup.py b/github_backup/github_backup.py index 0282809..21daa20 100644 --- a/github_backup/github_backup.py +++ b/github_backup/github_backup.py @@ -796,9 +796,6 @@ def _construct_request( else: auth = auth.encode("ascii") request.add_header("Authorization", "token ".encode("ascii") + auth) - request.add_header( - "Accept", "application/vnd.github.machine-man-preview+json" - ) log_url = template if "?" not in template else template.split("?")[0] if querystring: