Pact Foundation

Hi pact team,

I'm currently trying to figure how to best integrate `Webhooks`  with GitHub on the event "Contract published that requires verification" to trigger the GitHub action on the provider side.

My question is about the authorization. I was trying to use a GitHub App as a "system account" but I doesn't work be cause a multi-step auth is required (e.g. create installation access token that is valid for 1 hour).

Am I right that I basically need to create a "system user" in GitHub, create a PAT for that system user and simply use this to authenticate the webhook? Or am I missing something? I basically don't want to use a PAT of a "real" personal account within the organization.

Thanks in advance for your support :+1:

<@U03CXCSGGF4> I haven’t worked out a better way to invoke the github apis myself. Using the personal access tokens is really crap, I agree.

I think the way github works, you need to create an app <https://docs.github.com/en/rest/guides/getting-started-with-the-rest-api#about-tokens>

And we’ll need to add in JWT authentication for the webhooks <https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps>

Can you create a feature request in <http://pact.canny.io|pact.canny.io> for this please?

You may be able to generate a long lived JWT (eg 1 year) that you could hardcode in the webhook.

Hi <@U9VHUPVPX>,

thanks for your response.

In my humble opinion adding just JWT authentication for the webhooks is
no enough.

Besides creating a GitHub app the following steps are required to
use the API using an installation token as far as I understand it.
As the token lifetime is quite restricted this needs to be done
regularly:

1.
Generate a sign a JWT token using the app's private key:
<https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app>
This token is valid for maximum 10 minutes.

2.
Use the JWT token from step 1 and create an installation token:
<https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation>

```$ curl -i -X POST \
-H "Authorization: Bearer YOUR_JWT" \
-H "Accept: application/vnd.github+json" \
<https://api.github.com/app/installations/:installation_id/access_tokens>```
This Bearer Token is valid for 60 minutes

3.
Call the webhook/GitHub API with the Bearer Token from step 2.

Thanks
Johannes

ok, thank ... anyways I'll create a feature request :slightly_smiling_face:

done: <https://pact.canny.io/feature-requests/p/webhooks-trigger-github-apis-using-app-installation-tokens-instead-of-pats>

Thanks Johannes. See also <https://github.com/pactflow/roadmap/issues/45> Beth and team