feat(config): add --app-privatekey (in-memory PEM) flag (CXP-585) #175
c1-squire-dev[bot] wants to merge 1 commit into
Conversation
Add a new `--app-privatekey` flag that accepts the raw PEM contents of the GitHub App private key as a string, for in-memory / secret-based credentials. This complements the existing `--app-privatekey-path` (read from disk). When both are set, `--app-privatekey` takes precedence; otherwise the connector falls back to `--app-privatekey-path`. Providing either one satisfies the "app private key required" check, which is now enforced in the GitHub App constructor (a framework-level constraint can't be scoped to a single auth-method group). The new flag is marked secret and the key is never logged.

- pkg/config/config.go: add appPrivateKey StringField (secret), drop the individual required rule on appPrivateKeyPath, add both to the GitHub App field group. Regenerated conf.gen.go and config_schema.json.
- pkg/connector/connector.go: add appPrivateKeyPEM() precedence helper and use it in newWithGithubApp for the JWT token and the JWT refresher.
- README.md / docs/connector.mdx: document the new flag.
- pkg/connector/app_privatekey_test.go: cover the precedence/fallback/error cases.

Co-authored-by: c1-squire-dev[bot] <c1-squire-dev[bot]@users.noreply.github.com>
Connector PR Review: feat(config): add --app-privatekey (in-memory PEM) flag (CXP-585)
Blocking Issues: 0 | Suggestions: 0 | Threads Resolved: 0

Review Summary
This PR adds a new
Security Issues: None found.
Correctness Issues: None found.
Suggestions: None.
laurenleach left a comment
> The "at least one" requirement is enforced in the connector's GitHub App constructor rather than as a framework constraint, because field-relationship constraints are evaluated globally across auth methods and would otherwise break the personal-access-token auth path.
We filter out fields not in the field group, so we should be able to use the field constraint of "at least one" for `app-privatekey-path` / `app-privatekey`.
Summary

Implements CXP-585: add a new `--app-privatekey` flag to `baton-github` that accepts the raw PEM contents of the GitHub App private key as a string, for in-memory / secret-based credentials.

Today the connector can only load a GitHub App private key from disk via `--app-privatekey-path`. This change is additive and does not change the existing path-based behavior.

Behavior

- `--app-privatekey` (env `$BATON_APP_PRIVATEKEY`), marked secret.
- `--app-privatekey` wins; otherwise the connector falls back to `--app-privatekey-path`.
- (`loadPrivateKeyFromString` path). The key is never logged.

Implementation notes

- `pkg/config/config.go`: added `appPrivateKey` `StringField` (secret); removed the individual `WithRequired(true)` on `appPrivateKeyPath` and added both fields to the GitHub App field group. The "at least one" requirement is enforced in the connector's GitHub App constructor rather than as a framework constraint, because field-relationship constraints are evaluated globally across auth methods and would otherwise break the personal-access-token auth path.
- `pkg/config/conf.gen.go` (via `go generate ./pkg/config`) and `config_schema.json` (via `connector config`) — not hand-edited.
- `pkg/connector/connector.go`: added `appPrivateKeyPEM()` precedence helper, used in `newWithGithubApp` for both the initial JWT and the JWT refresher.
- `README.md` flag list + `docs/connector.mdx` Kubernetes secret example.
- `pkg/connector/app_privatekey_test.go` covering precedence, single-source, fallback, and neither-set cases.

Verification

- `go build ./...` ✅
- `go vet ./...` ✅
- `go test ./...` ✅ (new `TestAppPrivateKeyPEM` passes)
- `golangci-lint run ./pkg/...` — only the pre-existing `G115` finding in `repository.go` (untouched by this PR).

🤖 Generated with Claude Code
🏰 Squire environment: merry-frog-90199
Task: a3d48baf-d5cb-470a-a99e-3ac377ba4d5e
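The precedence rule described in the PR (in-memory PEM wins, else read the path, neither set is a hard error in the App constructor, key material never logged) is small enough to show end to end. The block below is an added example written for this review; it is not baton-github's code and does not use baton-sdk. The function names `appPrivateKeyPEM`, `loadAppPrivateKey` and the error value `errNoAppPrivateKey` are assumptions that only echo the PR's naming, the signatures are invented, and the keys it uses are generated on the fly as constructed test input. It also accepts PKCS#8 PEM alongside the PKCS#1 form GitHub downloads, which the PR does not say it does.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// errNoAppPrivateKey stands in for the "app private key required" check the PR
// moves into the GitHub App constructor. Name and message are assumptions.
var errNoAppPrivateKey = errors.New("github app auth: set --app-privatekey or --app-privatekey-path")

// appPrivateKeyPEM resolves the PEM bytes: the in-memory value wins, otherwise
// the file at path is read, and neither set is an error. Assumed signature;
// baton-github's helper of the same name may differ.
func appPrivateKeyPEM(inline, path string) ([]byte, error) {
	if v := strings.TrimSpace(inline); v != "" {
		return []byte(v), nil
	}
	if path != "" {
		b, err := os.ReadFile(path)
		if err != nil {
			// Wrap with the path only; file contents never reach an error string.
			return nil, fmt.Errorf("reading --app-privatekey-path %q: %w", path, err)
		}
		return b, nil
	}
	return nil, errNoAppPrivateKey
}

// parseRSAPrivateKey accepts PKCS#1 ("RSA PRIVATE KEY") and PKCS#8
// ("PRIVATE KEY") blocks. Errors name the block type, never the bytes.
func parseRSAPrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("app private key: no PEM block found")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rsaKey, ok := k.(*rsa.PrivateKey)
		if !ok {
			return nil, fmt.Errorf("app private key: PKCS#8 key is %T, want RSA", k)
		}
		return rsaKey, nil
	default:
		return nil, fmt.Errorf("app private key: unsupported PEM block type %q", block.Type)
	}
}

// loadAppPrivateKey is what a constructor like newWithGithubApp would call for
// the initial JWT and again from the refresher: resolve the source, then parse.
func loadAppPrivateKey(inline, path string) (*rsa.PrivateKey, error) {
	pemBytes, err := appPrivateKeyPEM(inline, path)
	if err != nil {
		return nil, err
	}
	return parseRSAPrivateKey(pemBytes)
}

// newTestKeyPEM mints a throwaway RSA key as PKCS#1 PEM (constructed input).
func newTestKeyPEM() (string, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	blk := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}
	return string(pem.EncodeToMemory(blk)), nil
}

// sameKey reports whether two parsed keys share a modulus, i.e. are the same key.
func sameKey(a, b *rsa.PrivateKey) bool { return a.N.Cmp(b.N) == 0 }

func main() {
	inlinePEM, _ := newTestKeyPEM()
	filePEM, _ := newTestKeyPEM()
	dir, _ := os.MkdirTemp("", "app-key")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "app.pem")
	_ = os.WriteFile(path, []byte(filePEM), 0o600)

	inlineKey, _ := parseRSAPrivateKey([]byte(inlinePEM))
	fileKey, _ := parseRSAPrivateKey([]byte(filePEM))
	both, _ := loadAppPrivateKey(inlinePEM, path)
	fmt.Println("both set, inline wins:", sameKey(both, inlineKey))
	fromFile, _ := loadAppPrivateKey("", path)
	fmt.Println("inline empty, falls back to file:", sameKey(fromFile, fileKey))
	_, err := loadAppPrivateKey("", "")
	fmt.Println("neither set:", errors.Is(err, errNoAppPrivateKey))
	_, err = loadAppPrivateKey("not a key", path)
	fmt.Println("bad inline does not fall back to the path:", err != nil)
}
```

Two behaviours worth pinning down in the connector's own test: an inline value that is set but unparsable is an error, not a silent fallback to the path (precedence is decided before parsing), and the file-read error carries the path but never the contents, so a secret that was accidentally passed as the path argument does not end up in a log line.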