
feat: add support for multiple GitHub apps #22

Draft
tstollin wants to merge 2 commits into main from multiple-apps-2

Conversation

@tstollin (Contributor) commented Jul 1, 2026

Summary

Adds support for multiple GitHub Apps across organizations, so each CR can reference its own credentials secret. Also improves the CI workflow to fix a race condition with force-push triggered runs.

Multiple GitHub Apps

Previously the operator used a single, globally-configured credentials secret for all organizations. This PR makes credential resolution per-organization.

New: spec.githubAppConfig (recommended)

```yaml
spec:
  githubAppConfig:
    installationId: 12345678
    credentialsSecretName: my-org-app-credentials  # Secret in credentials namespace
```

Deprecated: spec.githubAppInstallationId

The existing field is still supported for backward compatibility. When set alone it falls back to the default secret configured via --app-credentials-secret-name. If both fields are set, githubAppConfig takes precedence.

```yaml
spec:
  githubAppInstallationId: 12345678  # deprecated; use githubAppConfig instead
```

Implementation details

  • New GitHubAppConfig CRD type with installationId and credentialsSecretName fields
  • SecretProviderFunc now accepts a secretName string parameter — credentials are fetched lazily on first use and cached per secret name
  • CachingGitHubClientFactory caches clients per organization and rate-limit state per GitHub App ID (so installations of the same App share a quota bucket)
  • Stale clients are evicted automatically when the referenced credentials secret changes
  • Organization.ResolveGitHubAppConfig(legacySecretName) resolves the effective config, hiding the deprecated fallback from callers
  • Validation webhook enforces that at least one of githubAppConfig or githubAppInstallationId is set

Secret rotation

The in-memory client cache is not invalidated on Secret updates. A pod restart is required to pick up rotated credentials. Stakater Reloader is recommended for automated rotation workflows.


CI workflow improvements

  • Split ci.yml / pr.yml: commitlint and helm-chart-reminder moved to a dedicated pr.yml that only triggers on pull_request events. This eliminates the double-run race where a force-push fires both push and pull_request: synchronize, causing the PR-only jobs to be marked as skipped by the push run before the PR run completes.
  • Auto-delete stale reminder: the helm chart reminder comment is now removed when no Helm-relevant changes are detected on subsequent pushes.
  • False-positive fix: diff for kubebuilder marker detection is now restricted to *.go files to prevent the workflow file itself from self-matching.
  • Matched files in comment: the reminder comment now lists the specific files that triggered each reason.

Breaking changes

| Area | Change |
| --- | --- |
| `OrganizationSpec.GitHubAppInstallationId` | Type changed from required `int64` to optional `*int64`. Existing CRs continue to work. |
| `SecretProviderFunc` | Signature changed: `func(ctx) (*Secret, error)` → `func(ctx, secretName string) (*Secret, error)` |
| `GitHubClientManager` interface | `GetGitHubClientAndCheckRateLimit` now takes `v1alpha1.GitHubAppConfig` instead of `int64` |
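The credential-resolution rules above (githubAppConfig wins, the deprecated installation id alone falls back to the default secret from `--app-credentials-secret-name`, and an empty spec is rejected) together with the lazy, per-secret-name caching of `SecretProviderFunc`, shown as an added example that is not code from this PR or from the operator. The Go type and field names, the `Organization` wrapper, the `fakeSecretStore` standing in for the Kubernetes API, and the secret names are assumptions made for the example; only the precedence rules and the new `SecretProviderFunc` signature are taken from the description.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// GitHubAppConfig mirrors spec.githubAppConfig from the PR; Go field names are assumed.
type GitHubAppConfig struct {
	InstallationID        int64
	CredentialsSecretName string
}

type OrganizationSpec struct {
	GitHubAppConfig         *GitHubAppConfig // recommended
	GitHubAppInstallationID *int64           // deprecated; optional since this PR
}

type Organization struct{ Spec OrganizationSpec } // hypothetical stand-in for the CR type

// ErrNoAppConfig is the condition the PR's validation webhook rejects.
var ErrNoAppConfig = errors.New("one of githubAppConfig or githubAppInstallationId must be set")

// ResolveGitHubAppConfig applies the precedence stated in the PR: githubAppConfig wins when set;
// the legacy id alone falls back to the operator-wide default secret; neither set is an error.
func (o *Organization) ResolveGitHubAppConfig(legacySecretName string) (GitHubAppConfig, error) {
	switch {
	case o.Spec.GitHubAppConfig != nil:
		return *o.Spec.GitHubAppConfig, nil
	case o.Spec.GitHubAppInstallationID != nil:
		return GitHubAppConfig{InstallationID: *o.Spec.GitHubAppInstallationID, CredentialsSecretName: legacySecretName}, nil
	default:
		return GitHubAppConfig{}, ErrNoAppConfig
	}
}

// Secret is a minimal stand-in for corev1.Secret.
type Secret struct {
	Data map[string][]byte
}

// SecretProviderFunc has the post-PR signature: the secret is looked up by name.
type SecretProviderFunc func(ctx context.Context, secretName string) (*Secret, error)

// NewCachingSecretProvider reads each secret name once, on first use, and serves it from memory
// afterwards. Nothing watches for Secret updates, hence the PR's restart requirement on rotation.
func NewCachingSecretProvider(fetch SecretProviderFunc) SecretProviderFunc {
	var mu sync.Mutex
	cache := map[string]*Secret{}
	return func(ctx context.Context, name string) (*Secret, error) {
		mu.Lock()
		defer mu.Unlock()
		if s, ok := cache[name]; ok {
			return s, nil
		}
		s, err := fetch(ctx, name)
		if err != nil {
			return nil, err // failed lookups are not cached, so a later call retries
		}
		cache[name] = s
		return s, nil
	}
}

// fakeSecretStore is constructed sample data standing in for the credentials namespace in the
// Kubernetes API, so the example runs offline. reads shows that each name is fetched only once.
type fakeSecretStore struct {
	secrets map[string]map[string][]byte
	reads   int
}

func (f *fakeSecretStore) Fetch(_ context.Context, name string) (*Secret, error) {
	f.reads++
	data, ok := f.secrets[name]
	if !ok {
		return nil, fmt.Errorf("secret %q not found in credentials namespace", name)
	}
	return &Secret{Data: data}, nil
}

func main() {
	store := &fakeSecretStore{secrets: map[string]map[string][]byte{
		"default-app-credentials": {"privateKey": []byte("pem-default")}, // constructed
		"my-org-app-credentials":  {"privateKey": []byte("pem-org")},     // constructed
	}}
	provider := NewCachingSecretProvider(store.Fetch)
	legacyID := int64(12345678)
	for _, org := range []*Organization{
		{Spec: OrganizationSpec{GitHubAppConfig: &GitHubAppConfig{InstallationID: 12345678, CredentialsSecretName: "my-org-app-credentials"}}},
		{Spec: OrganizationSpec{GitHubAppInstallationID: &legacyID}},
		{},
	} {
		cfg, err := org.ResolveGitHubAppConfig("default-app-credentials")
		if err == nil {
			_, err = provider(context.Background(), cfg.CredentialsSecretName)
		}
		fmt.Printf("installation=%d secret=%q err=%v apiReads=%d\n", cfg.InstallationID, cfg.CredentialsSecretName, err, store.reads)
	}
}
```

Running it resolves the new-style CR to its own secret, the legacy CR to the default secret, and rejects the empty spec with the webhook error. Because the cache is keyed only by secret name and never re-reads, a rotated Secret is invisible to a running process, which is the behaviour the Secret rotation section above describes.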

@tstollin force-pushed the multiple-apps-2 branch 4 times, most recently from 092d2ba to c693269 on July 2, 2026 06:35
@tstollin force-pushed the multiple-apps-2 branch 2 times, most recently from 7f57fcb to f594a87 on July 2, 2026 07:40
@Interhyp deleted a comment from github-actions Bot on Jul 2, 2026
@tstollin changed the title from "multiple apps 2" to "feat: add support for multiple GitHub apps" on Jul 2, 2026