
Add GitHub App authentication module with auto-installation support#31

Merged
ELMOURABEA merged 4 commits into main/coll from copilot/setup-github-app-and-push on Dec 1, 2025

Conversation

Copilot AI commented Dec 1, 2025

Contributor

Pull Request

Description

Adds a complete GitHub App authentication module for MeGaOcToOoN enabling JWT-based app authentication, installation token generation, and cross-platform auto-installation flow for app store publishing.

Key additions in github-app/:

  • index.js - Authenticates as GitHub App, calls GET /app, lists installations, creates installation tokens
  • install.js - Cross-platform browser launcher for app installation flow
  • package.json - Dependencies: octokit, @octokit/auth-app, dotenv
  • .env.example & README.md - Configuration template and documentation

Updated:

  • .gitignore - Excludes node_modules/, *.pem, github-app/.env
  • .env.example - Added GITHUB_APP_* configuration options
```bash
# Usage
cd github-app && npm install
cp .env.example .env  # Add APP_ID and PRIVATE_KEY
npm start             # Authenticate and list installations
npm run install-app -- --open  # Open installation page
```

Type of Change

  • New feature (non-breaking change which adds functionality)
  • Documentation update

How Has This Been Tested?

  • Node.js syntax validation (node --check)
  • package.json JSON validation
  • CodeQL security scan - 0 vulnerabilities

Test Configuration:

  • Node.js: 18+
  • OS: Cross-platform (Windows/macOS/Linux)

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have checked my code and corrected any misspellings

Screenshots (if applicable)

N/A

Additional Notes

  • PEM format validation added for private keys
  • Sensitive tokens cleared from memory after use
  • No secrets committed - .env.example contains placeholders only

Breaking Changes

None

Dependencies

New in github-app/package.json:

  • dotenv@^16.3.1
  • octokit@^3.1.0
  • @octokit/auth-app@^6.0.0

Reviewer Notes

  • Verify PEM validation regex handles all valid GitHub App private key formats
  • Review token clearing approach in index.js line 168

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com//advisories
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

and push
Copilot Chat
GitHub App project setup and push
You said:

```js
// Octokit.js
// https://github.com/octokit/core.js#readme
import { Octokit } from "@octokit/core";

const octokit = new Octokit({
  auth: "YOUR-TOKEN",
});

await octokit.request("GET /app", {
  headers: {
    "X-GitHub-Api-Version": "2022-11-28",
  },
});
```
Copilot said:

I see you pointed to the GitHub settings/apps path "settings/apps/megaoctooon" and pasted a small Octokit example calling GET /app. Do you want:

code you can run to get that app's metadata via the GitHub API, or
an explanation of which token / auth type is required and how the endpoint works, or
help actually fetching info for that app (I can't call GitHub on your behalf unless you provide credentials or explicitly ask me to run a tool and supply the repo/owner context)?
Below I explain the endpoint and show compact, copy-pasteable Node.js examples (Octokit) for the common tasks: call GET /app (requires a GitHub App JWT), list installations, and create an installation access token.

Summary: GET /app must be authenticated as the GitHub App itself using a signed JWT (not a user PAT). To act as a specific installation (access repo data), exchange for an installation access token.

Minimal Octokit example (recommended)
Uses @octokit/core (octokit) plus createAppAuth from @octokit/auth-app.
Authenticate as the App (JWT) to call GET /app, list installations, and create an installation token.
```js
// node example (install: npm i octokit @octokit/auth-app)
import { Octokit } from "octokit";
import { createAppAuth } from "@octokit/auth-app";

const octokit = new Octokit({
  authStrategy: createAppAuth,
  auth: {
    appId: process.env.APP_ID, // e.g. "12345"
    privateKey: process.env.PRIVATE_KEY, // the PEM private key string with \n newlines
  },
});

async function run() {
  // Get the App metadata (authenticated as the App via JWT)
  const { data: app } = await octokit.request("GET /app");
  console.log("App:", app);

  // List installations of the App
  const { data: installations } = await octokit.request("GET /app/installations");
  console.log("Installations:", installations);

  // If you have an installation id, create an installation access token:
  const installationId = installations[0]?.id;
  if (installationId) {
    const { data: tokenData } = await octokit.request(
      "POST /app/installations/{installation_id}/access_tokens",
      { installation_id: installationId }
    );
    console.log("Installation token:", tokenData.token);
    // Use tokenData.token to authenticate requests as the installation:
    const installationOctokit = new Octokit({ auth: tokenData.token });
    // e.g. list repos for installation
    const repos = await installationOctokit.request("GET /installation/repositories");
    console.log("installation repos:", repos.data);
  }
}

run().catch(console.error);
```
Alternative: use createAppAuth directly to get tokens (no Octokit wrapper needed)
```js
import { createAppAuth } from "@octokit/auth-app";

const auth = createAppAuth({
  appId: process.env.APP_ID,
  privateKey: process.env.PRIVATE_KEY,
});

// get JWT for App
const appAuth = await auth({ type: "app" });
console.log("app JWT:", appAuth.token);

// get installation token for specific installation id
const installationAuth = await auth({ type: "installation", installationId: 12345 });
console.log("installation token:", installationAuth.token);
```
Curl example (you must create a JWT first)
You cannot call GET /app with a PAT; the App endpoints require the App's JWT as bearer token.
Example (pseudo): create a JWT signed with your private key and then:

```bash
curl -H "Authorization: Bearer <APP_JWT>" -H "Accept: application/vnd.github+json" https://api.github.com/app
```

(Generating the JWT is easiest with libraries like jsonwebtoken or via @octokit/auth-app in Node.)

Notes and permissions

GET /app returns public and owner-only metadata about the GitHub App. Only the app owner (authenticated with the App JWT) can access full details.
To access repositories or perform actions in an installation, you must create an installation access token (installation scope controlled by the App's permissions).
If you only need to view the settings page in the UI (settings/apps/megaoctooon), that’s the browser UI for the app owner (no API call needed).
What I did: I interpreted your URL as the GitHub App settings path and prepared concise, runnable Octokit examples showing the correct auth flows (App JWT for GET /app, then installation token to act on installations).

Next (I won't run anything without your go-ahead): tell me whether you want me to

generate a ready-to-run script file (I can post it as a file),
walk through how to create the JWT from your private key step-by-step,
or, if you want me to fetch info for me (I can run a githubread query if you give me an explicit API request and owner/context, but I will need cr...



@ELMOURABEA ELMOURABEA marked this pull request as ready for review December 1, 2025 06:13
Copilot AI review requested due to automatic review settings December 1, 2025 06:13

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.



Copilot AI and others added 3 commits December 1, 2025 06:14
Co-authored-by: ELMOURABEA <189882272+ELMOURABEA@users.noreply.github.com>
Co-authored-by: ELMOURABEA <189882272+ELMOURABEA@users.noreply.github.com>
Co-authored-by: ELMOURABEA <189882272+ELMOURABEA@users.noreply.github.com>
Copilot AI changed the title [WIP] Set up GitHub App project with Octokit example Add GitHub App authentication module with auto-installation support Dec 1, 2025
Copilot AI requested a review from ELMOURABEA December 1, 2025 06:23
@ELMOURABEA ELMOURABEA merged commit 0a90961 into main/coll Dec 1, 2025
3 of 12 checks passed