Merge pull request #467 from Iamrodos/docs/187-189-auth-docs

Add GitHub Apps documentation and stdin token example
2025-12-16 20:51:11 +01:00 · 2025-12-12 06:06:30 -05:00
parent 37a0c5c123 ef990483e2
commit 934ee4b14b
2 changed files with 34 additions and 3 deletions
--- a/README.rst
+++ b/README.rst
@@ -177,6 +177,37 @@ Customise the permissions for your use case, but for a personal account full bac
 **Repository permissions**: Read access to contents, issues, metadata, pull requests, and webhooks.


+GitHub Apps
+~~~~~~~~~~~
+
+GitHub Apps are ideal for organization backups in CI/CD. Tokens are scoped to specific repositories and expire after 1 hour.
+
+**One-time setup:**
+
+1. Create a GitHub App at *Settings -> Developer Settings -> GitHub Apps -> New GitHub App*
+2. Set a name and homepage URL (can be any URL)
+3. Uncheck "Webhook > Active" (not needed for backups)
+4. Set permissions (same as fine-grained tokens above)
+5. Click "Create GitHub App", then note the **App ID** shown on the next page
+6. Under "Private keys", click "Generate a private key" and save the downloaded file
+7. Go to *Install App* in your app's settings
+8. Select the account/organization and which repositories to back up
+
+**CI/CD usage with GitHub Actions:**
+
+Store the App ID as a repository variable and the private key contents as a secret, then use ``actions/create-github-app-token``::
+
+    - uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        app-id: ${{ vars.APP_ID }}
+        private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+    - run: github-backup myorg -t ${{ steps.app-token.outputs.token }} --as-app -o ./backup --all
+
+Note: Installation tokens expire after 1 hour. For long-running backups, use a fine-grained personal access token instead.
+
+
 Prefer SSH
 ~~~~~~~~~~

@@ -364,6 +395,9 @@ Debug an error/block or incomplete backup into a temporary directory. Omit "incr

    github-backup -f $FINE_ACCESS_TOKEN -o /tmp/github-backup/ -l debug -P --all-starred --starred --watched --followers --following --issues --issue-comments --issue-events --pulls --pull-comments --pull-commits --labels --milestones --repositories --wikis --releases --assets --pull-details --gists --starred-gists $GH_USER

+Pipe a token from stdin to avoid storing it in environment variables or command history (Unix-like systems only)::
+
+    my-secret-manager get github-token | github-backup user -t file:///dev/stdin -o /backup --repositories

 Restoring from Backup
 =====================
--- a/github_backup/github_backup.py
+++ b/github_backup/github_backup.py
@@ -800,9 +800,6 @@ def _construct_request(per_page, query_args, template, auth, as_app=None, fine=F
        else:
            auth = auth.encode("ascii")
            request.add_header("Authorization", "token ".encode("ascii") + auth)
-            request.add_header(
-                "Accept", "application/vnd.github.machine-man-preview+json"
-            )

    log_url = template if "?" not in template else template.split("?")[0]
    if querystring: