feat: update github app auth to support client id and app id

Author: RaphCodec

airflow-core/src/airflow/api_fastapi/core_api/openapi/_private_ui.yaml

@@ -2564,8 +2564,6 @@ components:
       - text
       - href
       title: ExtraMenuItem
-      description: Define a menu item that can be added to the menu by auth managers
-        or plugins.
     GanttResponse:
       properties:
         dag_id:

providers/git/src/airflow/providers/git/hooks/git.py

@@ -49,7 +49,7 @@ class GitHook(BaseHook):
     * ``ssh_config_file`` — path to a custom SSH config file.
     * ``host_proxy_cmd`` — SSH ProxyCommand string (e.g. for bastion/jump hosts).
     * ``ssh_port`` — non-default SSH port.
-    * ``github_app_id`` — GitHub App ID used for GitHub App authentication. Requires the GitHub App
+    * ``github_client_id`` — GitHub Client ID (or App ID) used for GitHub App authentication. Requires the GitHub App
       private key to be provided as a PEM-encoded key via either ``private_key`` (inline) or
       ``key_file`` (path to key file).
     * ``github_installation_id`` — GitHub App installation ID used for GitHub App authentication.
@@ -80,7 +80,7 @@ def get_ui_field_behaviour(cls) -> dict[str, Any]:
                         "ssh_config_file": "",
                         "host_proxy_cmd": "",
                         "ssh_port": "",
-                        "github_app_id": "",
+                        "github_client_id": "",
                         "github_installation_id": "",
                     }
                 )
@@ -111,16 +111,16 @@ def __init__(
         self.ssh_port: int | None = int(extra["ssh_port"]) if extra.get("ssh_port") else None
 
         # GitHub App Auth Options
-        raw_github_app_id = extra.get("github_app_id")
-        if raw_github_app_id is not None:
+        raw_github_client_id = extra.get("github_client_id")
+        if raw_github_client_id is not None:
             try:
-                self.github_app_id: int | None = int(raw_github_app_id)
-            except (TypeError, ValueError) as exc:
-                raise ValueError(
-                    f"Invalid 'github_app_id' value {raw_github_app_id!r}. It must be an integer."
-                ) from exc
+                # Accept either integer or string IDs (GitHubIntegration accepts both)
+                self.github_client_id: int | str | None = int(raw_github_client_id)
+            except (TypeError, ValueError):
+                # Keep as string when it is not an integer
+                self.github_client_id = str(raw_github_client_id)
         else:
-            self.github_app_id = None
+            self.github_client_id = None
 
         raw_github_installation_id = extra.get("github_installation_id")
         if raw_github_installation_id is not None:
@@ -136,13 +136,13 @@ def __init__(
 
         if self.key_file and self.private_key:
             raise AirflowException("Both 'key_file' and 'private_key' cannot be provided at the same time")
-        if (self.github_app_id and not self.github_installation_id) or (
-            not self.github_app_id and self.github_installation_id
+        if (self.github_client_id is not None and self.github_installation_id is None) or (
+            self.github_client_id is None and self.github_installation_id is not None
         ):
             raise ValueError(
-                "Both 'github_app_id' and 'github_installation_id' must be provided to use GitHub App Authentication"
+                "Both 'github_client_id' and 'github_installation_id' must be provided to use GitHub App Authentication"
             )
-        if self.github_app_id and self.github_installation_id:
+        if self.github_client_id is not None and self.github_installation_id is not None:
             if not self.key_file and not self.private_key:
                 raise ValueError("Missing inline private_key or key_file for GitHub App Auth")
             if self.key_file and not self.private_key:
@@ -200,19 +200,18 @@ def _build_ssh_command(self, key_path: str | None = None) -> str:
 
     def _get_github_app_token(self):
         try:
-            from github import Auth as GithubAuth, Github as GithubClient
+            from github import GithubIntegration
         except ImportError as exc:
             raise ImportError(
                 "The PyGithub library is required for GitHub App authentication. Please install it with 'pip install apache-airflow-providers-git[github]'"
             ) from exc
 
-        github_auth = GithubAuth.AppAuth(
-            app_id=self.github_app_id, private_key=self.github_app_private_key
-        ).get_installation_auth(installation_id=self.github_installation_id)
+        integration = GithubIntegration(
+            integration_id=self.github_client_id, private_key=self.github_app_private_key
+        )
+        access_token = integration.get_access_token(installation_id=self.github_installation_id).token
 
-        # Client is needed to generate the token even though we don't use the client directly
-        GithubClient(auth=github_auth)
-        return "x-access-token", github_auth.token
+        return "x-access-token", access_token
 
     def _process_git_auth_url(self):
         if not isinstance(self.repo_url, str):

providers/git/tests/unit/git/hooks/test_git.py

@@ -151,7 +151,7 @@ def setup_connections(self, create_connection_without_db):
                 host=AIRFLOW_HTTPS_URL,
                 conn_type="git",
                 extra={
-                    "github_app_id": "12345",
+                    "github_client_id": "12345",
                     "github_installation_id": "67890",
                     "private_key": "inline_pem_key",
                 },
@@ -162,7 +162,7 @@ def setup_connections(self, create_connection_without_db):
                 conn_id=CONN_APP_ONLY_APP_ID,
                 host=AIRFLOW_HTTPS_URL,
                 conn_type="git",
-                extra={"github_app_id": "12345"},
+                extra={"github_client_id": "12345"},
             )
         )
         create_connection_without_db(
@@ -178,7 +178,7 @@ def setup_connections(self, create_connection_without_db):
                 conn_id=CONN_APP_NO_KEY,
                 host=AIRFLOW_HTTPS_URL,
                 conn_type="git",
-                extra={"github_app_id": "12345", "github_installation_id": "67890"},
+                extra={"github_client_id": "12345", "github_installation_id": "67890"},
             )
         )
         create_connection_without_db(
@@ -187,7 +187,7 @@ def setup_connections(self, create_connection_without_db):
                 host=AIRFLOW_HTTPS_URL,
                 conn_type="git",
                 extra={
-                    "github_app_id": "not_an_int",
+                    "github_client_id": "not_an_int",
                     "github_installation_id": "67890",
                     "private_key": "inline_pem_key",
                 },
@@ -199,7 +199,7 @@ def setup_connections(self, create_connection_without_db):
                 host=AIRFLOW_HTTPS_URL,
                 conn_type="git",
                 extra={
-                    "github_app_id": "12345",
+                    "github_client_id": "12345",
                     "github_installation_id": "not_an_int",
                     "private_key": "inline_pem_key",
                 },
@@ -442,34 +442,34 @@ def test_passphrase_askpass_cleaned_up(self, create_connection_without_db):
 
     def test_only_app_id_without_installation_id_raises(self):
         with pytest.raises(
-            AirflowException, match="Both 'github_app_id' and 'github_installation_id' must be provided"
+            ValueError, match="Both 'github_client_id' and 'github_installation_id' must be provided"
         ):
             GitHook(git_conn_id=CONN_APP_ONLY_APP_ID)
 
     def test_only_installation_id_without_app_id_raises(self):
         with pytest.raises(
-            AirflowException,
-            match="Both 'github_app_id' and 'github_installation_id' must be provided",
+            ValueError,
+            match="Both 'github_client_id' and 'github_installation_id' must be provided",
         ):
             GitHook(git_conn_id=CONN_APP_ONLY_INSTALLATION_ID)
 
     def test_app_id_and_installation_id_without_key_raises(self):
         with pytest.raises(
-            AirflowException,
+            ValueError,
             match="Missing inline private_key or key_file for GitHub App Auth",
         ):
             GitHook(git_conn_id=CONN_APP_NO_KEY)
 
     def test_invalid_github_app_id_raises(self):
         with pytest.raises(
-            AirflowException,
-            match="Invalid 'github_app_id' value",
+            ValueError,
+            match="Invalid 'github_client_id' value",
         ):
             GitHook(git_conn_id=CONN_APP_INVALID_APP_ID)
 
     def test_invalid_github_installation_id_raises(self):
         with pytest.raises(
-            AirflowException,
+            ValueError,
             match="Invalid 'github_installation_id' value",
         ):
             GitHook(git_conn_id=CONN_APP_INVALID_INSTALLATION_ID)
@@ -483,7 +483,7 @@ def test_app_auth_with_key_file_reads_file(self, create_connection_without_db, t
                 host=AIRFLOW_HTTPS_URL,
                 conn_type="git",
                 extra={
-                    "github_app_id": "12345",
+                    "github_client_id": "12345",
                     "github_installation_id": "67890",
                     "key_file": str(key_file),
                 },
@@ -505,13 +505,13 @@ def test_app_auth_with_missing_key_file_raises(self, create_connection_without_d
                 host=AIRFLOW_HTTPS_URL,
                 conn_type="git",
                 extra={
-                    "github_app_id": "12345",
+                    "github_client_id": "12345",
                     "github_installation_id": "67890",
                     "key_file": "/nonexistent/path/key.pem",
                 },
             )
         )
-        with pytest.raises(AirflowException, match="Failed to read GitHub App private key file"):
+        with pytest.raises(OSError, match="Failed to read GitHub App private key file"):
             GitHook(git_conn_id="git_app_missing_key_file")
 
     def test_app_auth_success_injects_token_into_https_url(self):
@@ -535,7 +535,7 @@ def test_app_auth_success_stores_app_id_and_installation_id(self):
                 lambda self: ("x-access-token", mock_token),
             )
             hook = GitHook(git_conn_id=CONN_APP_INLINE_KEY)
-            assert hook.github_app_id == 12345
+            assert hook.github_client_id == 12345
             assert hook.github_installation_id == 67890
 
     @pytest.mark.parametrize(
@@ -554,7 +554,7 @@ def test_app_id_and_installation_id_parsed_as_int(
                 host=AIRFLOW_HTTPS_URL,
                 conn_type="git",
                 extra={
-                    "github_app_id": app_id,
+                    "github_client_id": app_id,
                     "github_installation_id": installation_id,
                     "private_key": "inline_pem_key",
                 },
@@ -566,5 +566,5 @@ def test_app_id_and_installation_id_parsed_as_int(
                 lambda self: ("x-access-token", "token"),
             )
             hook = GitHook(git_conn_id="git_app_int_check")
-            assert isinstance(hook.github_app_id, int)
+            assert isinstance(hook.github_client_id, int)
             assert isinstance(hook.github_installation_id, int)