Add GitHub App authentication for git DAG bundles #64422
Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about anything, please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst)
0639a51 to
d080795
Compare
@RaphCodec Converting to draft — this PR doesn't yet meet our Pull Request quality criteria.
See the linked criteria for how to fix each item, then mark the PR "Ready for review". This is not a rejection — just an invitation to bring the PR up to standard. No rush. Note: This comment was drafted by an AI-assisted triage tool and may contain mistakes. Once you have addressed the points above, an Apache Airflow maintainer — a real person — will take the next look at your PR. We use this two-stage triage process so that our maintainers' limited time is spent where it matters most: the conversation with you.
Pull request overview
Adds GitHub App-based authentication support to the Git provider’s GitHook so Git-backed DagBundles can authenticate to GitHub without SSH deploy keys (using an installation access token instead).
Changes:
- Extend `GitHook` connection extras/UI placeholders to accept GitHub App identifiers and generate an installation token for HTTPS cloning.
- Add an optional dependency extra for GitHub App support (`pygithub`/`PyGithub`) in the git provider.
- Update the workspace lockfile to include the new optional extra and reflect a refreshed dependency resolution.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| `providers/git/src/airflow/providers/git/hooks/git.py` | Adds GitHub App auth fields and token generation logic to rewrite HTTPS repo URLs with an installation token. |
| `providers/git/pyproject.toml` | Introduces an optional dependency extra for GitHub App support. |
| `uv.lock` | Updates the lockfile to include the new optional extra and updated resolved packages. |
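The review overview above describes rewriting an HTTPS repo URL with an installation token. The sketch below is an added example, not code from this PR or from the Airflow git provider: it builds such a URL, refuses non-HTTPS or already-credentialed URLs, and redacts the token for logging. The function names and the sample token are hypothetical and constructed; the `x-access-token` username and the one-hour token lifetime are GitHub's documented behaviour.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed sample values, not real credentials.
SAMPLE_REPO = "https://github.com/apache/airflow.git"
SAMPLE_TOKEN = "ghs_CONSTRUCTEDexampleTOKEN"


def _host(parts) -> str:
    """Host plus optional port, without any userinfo."""
    return (parts.hostname or "") + (f":{parts.port}" if parts.port else "")


def with_installation_token(repo_url: str, token: str) -> str:
    """Return an HTTPS clone URL that carries an installation token."""
    parts = urlsplit(repo_url)
    if parts.scheme != "https":
        # SSH-style URLs take keys, and http:// would expose the token in transit.
        raise ValueError("installation tokens require an https:// repo URL")
    if parts.username or parts.password:
        raise ValueError("repo URL already embeds credentials")
    if not parts.hostname:
        raise ValueError("repo URL has no host")
    # GitHub documents 'x-access-token' as the username for installation tokens.
    netloc = f"x-access-token:{quote(token, safe='')}@{_host(parts)}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact(url: str) -> str:
    """Strip userinfo so the URL is safe for logs and error messages."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    return urlunsplit((parts.scheme, f"***@{_host(parts)}", parts.path, parts.query, parts.fragment))


def needs_refresh(expires_at: datetime, now: datetime | None = None,
                  skew: timedelta = timedelta(minutes=5)) -> bool:
    """Installation tokens expire after one hour; renew shortly before that."""
    now = now or datetime.now(timezone.utc)
    return now >= expires_at - skew


if __name__ == "__main__":
    print(redact(with_installation_token(SAMPLE_REPO, SAMPLE_TOKEN)))
```

Cloning from a URL built this way also stores it as the remote URL in the clone's `.git/config`, so the token stays on disk until it expires or the remote is reset.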
1abb9fb to
23cf74d
Compare
687fb39 to
533e92f
Compare
Thanks for the feedback. I went over the code more thoroughly, improved it and updated the branch. I will try to update the branch at least once a day to prevent merge conflicts.
27884e7 to
a2d5a9a
Compare
@RaphCodec Converting to draft — this PR doesn't yet meet our Pull Request quality criteria.
See the linked criteria for how to fix each item, then mark the PR "Ready for review". This is not a rejection — just an invitation to bring the PR up to standard. No rush. Note: This comment was drafted by an AI-assisted triage tool and may contain mistakes. Once you have addressed the points above, an Apache Airflow maintainer — a real person — will take the next look at your PR. We use this two-stage triage process so that our maintainers' limited time is spent where it matters most: the conversation with you.
jscheffl
left a comment
I am not an expert of GH App Auth, so I can just skim over the code. Does not look bad but I can not really judge. Some other maintainer around who knows more?
0976f2c to
19aa746
Compare
6e4ad47 to
c127dfe
Compare
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
copilot suggestion Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…nstallation id Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ith_key_file_reads_file Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
… treated as an ssh key by mistake
…es related to the optional PyGithub dependency
…ken until first use
…own airflow exceptions back to 1
@potiuk I checked the failing provider distribution tests and they seem to be unrelated to the changes in my PR. The failing tests (https://github.com/RaphCodec/airflow/actions/runs/28319050045/job/83900082499) failed due to issues with the amazon and azure providers. Example Error:

```
================================================================================================= ERRORS =================================================================================================
_______________________________________________________ ERROR collecting providers/microsoft/azure/tests/unit/microsoft/azure/hooks/test_batch.py ________________________________________________________
ImportError while importing test module '/opt/airflow/providers/microsoft/azure/tests/unit/microsoft/azure/hooks/test_batch.py'.
Hint: make sure your test modules/packages have valid Python names.
Traceback:
/usr/python/lib/python3.10/importlib/__init__.py:126: in import_module
return _bootstrap._gcd_import(name[level:], package, level)
providers/microsoft/azure/tests/unit/microsoft/azure/hooks/test_batch.py:24: in <module>
from azure.batch import BatchServiceClient, models as batch_models
E ImportError: cannot import name 'BatchServiceClient' from 'azure.batch' (/usr/python/lib/python3.10/site-packages/azure/batch/__init__.py)
_____________________________________________________ ERROR collecting providers/microsoft/azure/tests/unit/microsoft/azure/operators/test_batch.py ______________________________________________________
ImportError while importing test module '/opt/airflow/providers/microsoft/azure/tests/unit/microsoft/azure/operators/test_batch.py'.
Hint: make sure your test modules/packages have valid Python names.
Traceback:
```

I'm not sure how those would be resolved in this PR as they are unrelated so I'd like to mark this PR for review. If you believe this is related to my PR please let me know and I'll look into this further. I ran all the static checks locally and they passed, and the CI images all built successfully.
Purpose
Adding GitHub App Authentication to the Git Provider. This feature is intended to be a security benefit for those who want to use GitHub Dag Bundles in Airflow 3, but for whatever reason cannot use an SSH deploy key to authenticate to GitHub and would prefer not to use their own PAT.
In case of an existing issue, reference it using one of the following:
Was generative AI tooling used to co-author this PR?
{pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.

Important

🛠️ Maintainer triage note for @RaphCodec · by @potiuk · 2026-06-22 06:31 UTC

Helpful heads-up from the maintainers — please address before this PR can be reviewed (see the Pull Request quality criteria):
The ball is in your court — you've been assigned to this PR. Fix the above, then mark it Ready for review.
Automated triage — may be imperfect; a maintainer takes the next look.