feat: support github enterprise api

.github/linters/.markdown-lint.yml

@@ -8,4 +8,4 @@ MD024: false
 # MD033/no-inline-html - Inline HTML
 MD033:
   # Allowed elements
-  allowed_elements: [br, li, ul]
+  allowed_elements: [br, li, ul]

README.md

@@ -79,11 +79,12 @@ This action can be configured to authenticate with GitHub App Installation or Pe
 
 ##### GitHub App Installation
 
-| field                    | required | default | description                                                                                                                                                                                             |
-| ------------------------ | -------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `GH_APP_ID`              | True     | `""`    | GitHub Application ID. See [documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app) for more details.              |
-| `GH_APP_INSTALLATION_ID` | True     | `""`    | GitHub Application Installation ID. See [documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app) for more details. |
-| `GH_APP_PRIVATE_KEY`     | True     | `""`    | GitHub Application Private Key. See [documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app) for more details.     |
+| field                        | required | default | description                                                                                                                                                                                             |
+| ---------------------------- | -------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `GH_APP_ID`                  | True     | `""`    | GitHub Application ID. See [documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app) for more details.              |
+| `GH_APP_INSTALLATION_ID`     | True     | `""`    | GitHub Application Installation ID. See [documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app) for more details. |
+| `GH_APP_PRIVATE_KEY`         | True     | `""`    | GitHub Application Private Key. See [documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app) for more details.     |
+| `GITHUB_APP_ENTERPRISE_ONLY` | False    | false   | Set this input to `true` if your app is created in GHE and communicates with GHE.                                                                                                                       |
 
 The needed GitHub app permissions are the following:
 
@@ -221,8 +222,9 @@ jobs:
           GH_APP_ID: ${{ secrets.GH_APP_ID }}
           GH_APP_INSTALLATION_ID: ${{ secrets.GH_APP_INSTALLATION_ID }}
           GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          # GITHUB_APP_ENTERPRISE_ONLY: True --> Set to true when created GHE App needs to communicate with GHE api
           GH_ENTERPRISE_URL: ${{ github.server_url }}
-          # GH_TOKEN: ${{ steps.app-token.outputs.token }} the token input is not used if the github app inputs are set
+          # GH_TOKEN: ${{ steps.app-token.outputs.token }} --> the token input is not used if the github app inputs are set
           ORGANIZATION: your_organization
           UPDATE_EXISTING: True
           GROUP_DEPENDENCIES: True

auth.py

@@ -1,15 +1,21 @@
 """This is the module that contains functions related to authenticating to GitHub with a personal access token."""
 
+import logging
+import logging.config
+
 import github3
 import requests
 
+logging.basicConfig(level=logging.DEBUG)
+
 
 def auth_to_github(
     token: str,
     gh_app_id: int | None,
     gh_app_installation_id: int | None,
     gh_app_private_key_bytes: bytes,
     ghe: str,
+    gh_app_enterprise_only: bool,
 ) -> github3.GitHub:
     """
     Connect to GitHub.com or GitHub Enterprise, depending on env variables.
@@ -20,12 +26,13 @@ def auth_to_github(
         gh_app_installation_id (int | None): the GitHub App Installation ID
         gh_app_private_key_bytes (bytes): the GitHub App Private Key
         ghe (str): the GitHub Enterprise URL
+        gh_app_enterprise_only (bool): Set this to true if the GH APP is created on GHE and needs to communicate with GHE api only
 
     Returns:
         github3.GitHub: the GitHub connection object
     """
     if gh_app_id and gh_app_private_key_bytes and gh_app_installation_id:
-        if ghe:
+        if ghe and gh_app_enterprise_only:
             gh = github3.github.GitHubEnterprise(url=ghe)
         else:
             gh = github3.github.GitHub()

env.py

@@ -98,6 +98,7 @@ def get_env_vars(
     int | None,
     int | None,
     bytes,
+    bool,
     str,
     str,
     list[str],
@@ -132,6 +133,7 @@ def get_env_vars(
         gh_app_id (int | None): The GitHub App ID to use for authentication
         gh_app_installation_id (int | None): The GitHub App Installation ID to use for authentication
         gh_app_private_key_bytes (bytes): The GitHub App Private Key as bytes to use for authentication
+        gh_app_enterprise_only (bool): Set this to true if the GH APP is created on GHE and needs to communicate with GHE api only
         token (str): The GitHub token to use for authentication
         ghe (str): The GitHub Enterprise URL to use for authentication
         exempt_repositories_list (list[str]): A list of repositories to exempt from the action
@@ -183,6 +185,7 @@ def get_env_vars(
     gh_app_id = get_int_env_var("GH_APP_ID")
     gh_app_private_key_bytes = os.environ.get("GH_APP_PRIVATE_KEY", "").encode("utf8")
     gh_app_installation_id = get_int_env_var("GH_APP_INSTALLATION_ID")
+    gh_app_enterprise_only = get_bool_env_var("GITHUB_APP_ENTERPRISE_ONLY")
 
     if gh_app_id and (not gh_app_private_key_bytes or not gh_app_installation_id):
         raise ValueError(
@@ -340,6 +343,7 @@ def get_env_vars(
         gh_app_id,
         gh_app_installation_id,
         gh_app_private_key_bytes,
+        gh_app_enterprise_only,
         token,
         ghe,
         exempt_repositories_list,

evergreen.py

@@ -21,6 +21,7 @@ def main():  # pragma: no cover
         gh_app_id,
         gh_app_installation_id,
         gh_app_private_key,
+        gh_app_enterprise_only,
         token,
         ghe,
         exempt_repositories_list,
@@ -46,7 +47,12 @@ def main():  # pragma: no cover
 
     # Auth to GitHub.com or GHE
     github_connection = auth.auth_to_github(
-        token, gh_app_id, gh_app_installation_id, gh_app_private_key, ghe
+        token,
+        gh_app_id,
+        gh_app_installation_id,
+        gh_app_private_key,
+        ghe,
+        gh_app_enterprise_only,
     )
 
     if not token and gh_app_id and gh_app_installation_id and gh_app_private_key:

test_auth.py

@@ -18,7 +18,7 @@ def test_auth_to_github_with_token(self, mock_login):
         """
         mock_login.return_value = "Authenticated to GitHub.com"
 
-        result = auth.auth_to_github("token", "", "", b"", "")
+        result = auth.auth_to_github("token", "", "", b"", "", False)
 
         self.assertEqual(result, "Authenticated to GitHub.com")
 
@@ -28,7 +28,7 @@ def test_auth_to_github_without_token(self):
         Expect a ValueError to be raised.
         """
         with self.assertRaises(ValueError) as context_manager:
-            auth.auth_to_github("", "", "", b"", "")
+            auth.auth_to_github("", "", "", b"", "", False)
         the_exception = context_manager.exception
         self.assertEqual(
             str(the_exception),
@@ -41,10 +41,38 @@ def test_auth_to_github_with_ghe(self, mock_ghe):
         Test the auth_to_github function when the GitHub Enterprise URL is provided.
         """
         mock_ghe.return_value = "Authenticated to GitHub Enterprise"
-        result = auth.auth_to_github("token", "", "", b"", "https://github.example.com")
+        result = auth.auth_to_github(
+            "token", "", "", b"", "https://github.example.com", False
+        )
 
         self.assertEqual(result, "Authenticated to GitHub Enterprise")
 
+    @patch("github3.github.GitHubEnterprise")
+    def test_auth_to_github_with_ghe_and_ghe_app(self, mock_ghe):
+        """
+        Test the auth_to_github function when the GitHub Enterprise URL is provided and the app was created in GitHub Enterprise URL.
+        """
+        mock = mock_ghe.return_value
+        mock.login_as_app_installation = MagicMock(return_value=True)
+        result = auth.auth_to_github(
+            "", "123", "123", b"123", "https://github.example.com", True
+        )
+        mock.login_as_app_installation.assert_called_once()
+        self.assertEqual(result, mock)
+
+    @patch("github3.github.GitHub")
+    def test_auth_to_github_with_app(self, mock_gh):
+        """
+        Test the auth_to_github function when app credentials are provided
+        """
+        mock = mock_gh.return_value
+        mock.login_as_app_installation = MagicMock(return_value=True)
+        result = auth.auth_to_github(
+            "", "123", "123", b"123", "https://github.example.com", False
+        )
+        mock.login_as_app_installation.assert_called_once()
+        self.assertEqual(result, mock)
+
     @patch("github3.apps.create_jwt_headers", MagicMock(return_value="gh_token"))
     @patch("requests.post")
     def test_get_github_app_installation_token(self, mock_post):