Support multiple github app

[acouvreur]

In your security best practices you state:

Restrict who can approve pull requests: Limit pull request approval permissions to trusted team members or repository administrators.

In our organization, we may use multiple github app that are authorized to perform certain actions on a repository. Such github app are allowed on certain context.

---

I'd like to request a feature to support multiple github app authentication on OctoSTS, the trust policy could include an additional customization indicating which github app to choose:

issuer: https://accounts.google.com
subject_pattern: '[0-9]+'
claim_pattern:
  email: '.*@chainguard.dev'

permissions:
  contents: read

app: my-github-app

[mattmoor]

The github app as which this runs has a superset of the permissions handed out, which is why each trust policy carries a permissions block.

This app down-scopes the app's broad permissions to a list of repositories (typically just the one containing the policy), and the set of permissions present in the policy itself.

I am not sure I completely understand why within this model you would need apps for the purposes of least privilege.