Skip to content

feat: add GitHub App Authentication as an option for DagBundles#64422

Open
RaphCodec wants to merge 22 commits intoapache:mainfrom
RaphCodec:feat/git-bundles-github-app-auth
Open

feat: add GitHub App Authentication as an option for DagBundles#64422
RaphCodec wants to merge 22 commits intoapache:mainfrom
RaphCodec:feat/git-bundles-github-app-auth

Conversation

@RaphCodec
Copy link
Copy Markdown

@RaphCodec RaphCodec commented Mar 29, 2026
edited
Loading

Purpose

Adding GitHub App Authentication to the Git Provider. This feature is intended to be a security benefit for those who want to use GitHub Dag Bundles in Airflow 3, but for whatever reason cannot use a SSH deploy key to authenticate to GitHub and would prefer not to use their own PAT.

In case of an existing issue, reference it using one of the following:

Was generative AI tooling used to co-author this PR?
  • Yes - Claude Sonnet 4.6
  • Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
  • For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
  • When adding dependency, check compliance with the ASF 3rd Party License Policy.
  • For significant user-facing changes create newsfragment: {pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.

@boring-cyborg
Copy link
Copy Markdown

boring-cyborg Bot commented Mar 29, 2026

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst)
Here are some useful points:

  • Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
  • In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example DAG that shows how users should use it.
  • Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
  • Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.
    Apache Airflow is a community-driven project and together we are making it better 🚀.
    In case of doubts contact the developers at:
    Mailing List: [email protected]
    Slack: https://s.apache.org/airflow-slack

@RaphCodec RaphCodec marked this pull request as draft March 29, 2026 21:22
@RaphCodec RaphCodec force-pushed the feat/git-bundles-github-app-auth branch from 0639a51 to d080795 Compare March 29, 2026 22:53
@RaphCodec RaphCodec marked this pull request as ready for review March 29, 2026 22:55
@potiuk potiuk marked this pull request as draft April 1, 2026 19:04
@potiuk
Copy link
Copy Markdown
Member

potiuk commented Apr 1, 2026
edited
Loading

@RaphCodec Converting to draft — this PR doesn't yet meet our Pull Request quality criteria.

  • Merge conflicts: This PR has merge conflicts with the main branch. Your branch is 90 commits behind main. Please rebase your branch (git fetch origin && git rebase origin/main), resolve the conflicts, and push again. See contributing quick start.

Note: Your branch is 90 commits behind main. Please rebase and push again to get up-to-date CI results.

See the linked criteria for how to fix each item, then mark the PR "Ready for review". This is not a rejection — just an invitation to bring the PR up to standard. No rush.

Note: This comment was drafted by an AI-assisted triage tool and may contain mistakes. Once you have addressed the points above, an Apache Airflow maintainer — a real person — will take the next look at your PR. We use this two-stage triage process so that our maintainers' limited time is spent where it matters most: the conversation with you.

@kaxil kaxil requested a review from Copilot April 2, 2026 00:42
Copilot AI reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds GitHub App-based authentication support to the Git provider’s GitHook so Git-backed DagBundles can authenticate to GitHub without SSH deploy keys (using an installation access token instead).

Changes:

  • Extend GitHook connection extras/UI placeholders to accept GitHub App identifiers and generate an installation token for HTTPS cloning.
  • Add an optional dependency extra for GitHub App support (pygithub / PyGithub) in the git provider.
  • Update the workspace lockfile to include the new optional extra and reflect a refreshed dependency resolution.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 6 comments.

File Description
providers/git/src/airflow/providers/git/hooks/git.py Adds GitHub App auth fields and token generation logic to rewrite HTTPS repo URLs with an installation token.
providers/git/pyproject.toml Introduces an optional dependency extra for GitHub App support.
uv.lock Updates the lockfile to include the new optional extra and updated resolved packages.

Comment thread providers/git/src/airflow/providers/git/hooks/git.py Outdated
Comment thread providers/git/src/airflow/providers/git/hooks/git.py Outdated
Comment thread providers/git/src/airflow/providers/git/hooks/git.py Outdated
Comment thread providers/git/src/airflow/providers/git/hooks/git.py Outdated
Comment thread providers/git/src/airflow/providers/git/hooks/git.py
Comment thread providers/git/pyproject.toml Outdated
@RaphCodec RaphCodec force-pushed the feat/git-bundles-github-app-auth branch 5 times, most recently from 1abb9fb to 23cf74d Compare April 19, 2026 15:09
@RaphCodec RaphCodec requested a review from Copilot April 19, 2026 15:11
Copilot AI reviewed Apr 19, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

Comment thread providers/git/src/airflow/providers/git/hooks/git.py Outdated
Comment thread providers/git/tests/unit/git/hooks/test_git.py Outdated
@RaphCodec RaphCodec force-pushed the feat/git-bundles-github-app-auth branch 3 times, most recently from 687fb39 to 533e92f Compare April 19, 2026 16:32
@RaphCodec
Copy link
Copy Markdown
Author

RaphCodec commented Apr 19, 2026

Thanks for the feedback. I went over the code more thourghly, improved it and updated the branch. I will try to update the branch at least once a day to prevent merge conflicts.

@RaphCodec RaphCodec marked this pull request as ready for review April 19, 2026 16:40
@RaphCodec RaphCodec force-pushed the feat/git-bundles-github-app-auth branch 4 times, most recently from 27884e7 to a2d5a9a Compare April 24, 2026 10:20
@potiuk potiuk marked this pull request as draft April 27, 2026 23:20
@potiuk
Copy link
Copy Markdown
Member

potiuk commented Apr 27, 2026
edited
Loading

@RaphCodec Converting to draft — this PR doesn't yet meet our Pull Request quality criteria.

  • Merge conflicts: This PR has merge conflicts with main. GitHub's "Update branch" button cannot resolve them — please rebase locally and resolve the conflicts manually: 
    git fetch upstream main
git rebase upstream/main
# resolve conflicts, then:
git push --force-with-lease
  • Failing CI checks: Failing: Build info. This is most likely a downstream effect of the merge conflicts above — once the rebase is clean, please re-trigger CI by pushing the rebased branch.

See the linked criteria for how to fix each item, then mark the PR "Ready for review". This is not a rejection — just an invitation to bring the PR up to standard. No rush.

Note: This comment was drafted by an AI-assisted triage tool and may contain mistakes. Once you have addressed the points above, an Apache Airflow maintainer — a real person — will take the next look at your PR. We use this two-stage triage process so that our maintainers' limited time is spent where it matters most: the conversation with you.

@RaphCodec RaphCodec force-pushed the feat/git-bundles-github-app-auth branch 4 times, most recently from d6d8755 to e432d3f Compare May 8, 2026 10:18
RaphCodec and others added 22 commits May 9, 2026 07:56
@RaphCodec
add GitHub App Authentication as an option for DagBundles
b7aae44
@RaphCodec
chore: change PyGithub package name to canonical package name casing
7f02b65 
Co-authored-by: Copilot <[email protected]>
@RaphCodec
Update providers/git/src/airflow/providers/git/hooks/git.py
6feb4b5 
copilot suggestion

Co-authored-by: Copilot <[email protected]>
@RaphCodec
update docstring
e9dfded 
Co-authored-by: Copilot <[email protected]>
@RaphCodec
add error handling to validate the data types for github app id and i…
6a7a403 
…nstallation id

Co-authored-by: Copilot <[email protected]>
@RaphCodec
chore: add error handling in case PyGithub library is missing when im…
8bcd153 
…ported
@RaphCodec
test: update git hook tests to include tests for github app authentic…
0857a0e 
…ation
@RaphCodec
chore: clarifying Github Client comment
b4ae5c9
@RaphCodec
chore: ran prek hooks to format and lint
69c03d2
@RaphCodec
Fix: assert hook.private_key outside pytest.raises in test_app_auth_w…
b901102 
…ith_key_file_reads_file

Co-authored-by: Copilot <[email protected]>
@RaphCodec
fix: correct security issue so that the github app private key is not…
9102dc7 
… treated as an ssh key by mistake
@RaphCodec
chore: formatted, linted and updated airflow exception with more spec…
5057d1c 
…ific errors
@RaphCodec
chore: uv lock updated automaitcally from prek hooks
3e64c53
@RaphCodec
update uv lock
082f177
@RaphCodec
update uv lock to reflect main branch changes
097d5f9
@RaphCodec
update uv lock
f84e0ea
@RaphCodec
feat: update github app auth to support client id and app id
80e7b53
@RaphCodec
formatted and linited
e7d230e
@RaphCodec
update uv lock
9d8e2a7
@RaphCodec
update uv lock
e8987e6
@RaphCodec
chore: update uv lock so branch is up to date
a18066e
@RaphCodec
chore: update uv lock so branch is up to date
7ed0886
@RaphCodec RaphCodec force-pushed the feat/git-bundles-github-app-auth branch from e432d3f to 7ed0886 Compare May 9, 2026 11:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@ephraimbuddy ephraimbuddy Awaiting requested review from ephraimbuddy ephraimbuddy is a code owner

@pierrejeambrun pierrejeambrun Awaiting requested review from pierrejeambrun pierrejeambrun is a code owner

@rawwar rawwar Awaiting requested review from rawwar rawwar is a code owner

@jason810496 jason810496 Awaiting requested review from jason810496 jason810496 is a code owner

@bugraoz93 bugraoz93 Awaiting requested review from bugraoz93 bugraoz93 is a code owner

@shubhamraj-git shubhamraj-git Awaiting requested review from shubhamraj-git shubhamraj-git is a code owner

@choo121600 choo121600 Awaiting requested review from choo121600 choo121600 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

area:providers provider:git

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Git Provider GitHub App Authentication

3 participants

@RaphCodec @potiuk