Hub: Support authentication via GitHub App installation token

Currently, this doesn't work with Hub since if one wants to access the GitHub API with the GitHub App installation token, he/she must must provide a custom media type in the Accept header for the requests:

Thanks for pointing that out! I didn't know that. Are you saying that, currently, none of hub's operations work from Actions because this header isn't yet set?

I haven't tried hub from Actions myself yet but I was under the impression that it works if GITHUB_TOKEN is set; see https://github.com/github/hub/issues/2249

Are you saying that, currently, none of hub's operations work from Actions because this header isn't yet set?

I've only tried using it with an Action for a private repository and indeed, nothing that needs to authenticate with the GitHub API works.

But even if one would work with a public repo, _useful_ GitHub API calls would require authentication.

I haven't tried hub from Actions myself yet but I was under the impression that it works if GITHUB_TOKEN is set; see #2249

Thanks for the pointer, but I don't see a proper solution there. So, setting the GITHUB_TOKEN environment variable as:

steps:
  - name: My first action
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - name: My second action
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

doesn't work. Hub just returns 401 response code.

Performing the same GitHub API call while also setting the following Accept header:

Accept: application/vnd.github.machine-man-preview+json

works.

@tjanez I have finally tried out hub from GitHub Actions, and the latest release worked for me even if we don't specify the machine-man-preview explicitly.

This is the workflow setup I've used:

    steps:
    - name: hub test
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      shell: bash
      run: |
        curl -fsSL https://gist.github.com/mislav/941a4edd3b63c9d9b07f7901b27e8b23.txt | bash -s 2.12.8
        git init
        git remote add origin https://github.com/mislav/playground
        bin/hub issue -L 10

The auto-generated GITHUB_TOKEN allows me to query information from the repository that's executing this workflow: mislav/playground. Everything works so far. Of course, this token isn't sufficient to query information from other private repos, but that's by design.

Where have you experienced that hub requests failed until you specified the custom Accept header, and how have you obtained the token exactly? Hvala!

I can not get hub api working with an installation token.
I add the token into the environment by
export GITHUB_TOKEN=<token>
and than try to execute
hub api --paginate graphql -F "query=@${MYDIR}/repositories.graphql"

content of repositories.graphql is

query ($endCursor: String) {
  organization(login: "<ORG_NAME>") {
    repositories(isFork: false, first: 100, after: $endCursor) {
      nodes {
        name
        createdAt
        pushedAt
        isArchived
        isDisabled
        isPrivate
        primaryLanguage {
          name
        }
        languages(orderBy: {field: SIZE, direction: DESC}, first: 10) {
          edges {
            size
            node {
              name
            }
          }
        }
      }
      pageInfo {
        hasNextPage
        endCursor
      }
    }
  }
}

and I get:

Error getting current user: Forbidden (HTTP 403)
Resource not accessible by integration
You must specify GITHUB_USER via environment variable.`

the same graphql query run via postman using the token as Bearer token works fine

@oli99sc Have you tried following the hint in the error message and set GITHUB_USER?

export GITHUB_USER=<ORG>

The exact value won't be used for anything except that it will instruct hub to avoid trying to read the current user from API, which isn't allowed in app mode. I intend to improve this in the future (make it not needed), but until then the workaround is necessary.

Yes, that is working, indeed. Thx @mislav

@tjanez Closing this because, in my testing, hub already works from Actions.

Using hub api, you can also pass a custom request header if that's needed. However, it shouldn't be needed for most built-in hub <command> operations. If that still doesn't work for you, please post more info about your setup! Note that you can enable the HUB_VERBOSE environment variable while testing to get more verbose logging about HTTP requests while debugging.