Automatically generate tokens to read Git content as necessary.

CHANGELOG.md

@@ -10,6 +10,12 @@ The format is based on [Keep a Changelog], and this project adheres to
 [keep a changelog]: https://keepachangelog.com/en/1.0.0/
 [semantic versioning]: https://semver.org/spec/v2.0.0.html
 
+## [0.1.5] - 2023-03-03
+
+- Generate read-only installation tokens that can be used to access private Git
+  repositories for the duration of analysis. This makes the `GITHUB_USER_TOKEN`
+  environment variable unnecessary.
+
 ## [0.1.4] - 2023-03-03
 
 - Fix another misnamed environment variable, all environment variables are now
@@ -40,6 +46,7 @@ The format is based on [Keep a Changelog], and this project adheres to
 [0.1.2]: https://github.com/dogmatiq/browser/releases/v0.1.2
 [0.1.3]: https://github.com/dogmatiq/browser/releases/v0.1.3
 [0.1.4]: https://github.com/dogmatiq/browser/releases/v0.1.4
+[0.1.5]: https://github.com/dogmatiq/browser/releases/v0.1.5
 
 <!-- version template
 ## [0.0.1] - YYYY-MM-DD

analyzer/analyze.go

@@ -2,10 +2,7 @@ package analyzer
 
 import (
 	"context"
-	"crypto/rsa"
-	"crypto/x509"
 	"database/sql"
-	"encoding/pem"
 	"fmt"
 	"go/ast"
 	"go/token"
@@ -26,10 +23,9 @@ import (
 // Analyzer performs static analysis on repositories and stores the results in
 // the database.
 type Analyzer struct {
-	DB         *sql.DB
-	Connector  *githubx.Connector
-	PrivateKey *rsa.PrivateKey
-	Logger     logging.Logger
+	DB        *sql.DB
+	Connector *githubx.Connector
+	Logger    logging.Logger
 }
 
 // Analyze analyzes the repo with the given ID.
@@ -304,11 +300,23 @@ func (a *Analyzer) loadPackages(
 	r *github.Repository,
 	commit string,
 ) ([]*packages.Package, string, error) {
-	pk, err := a.persistPrivateKey()
+	inst, _, err := a.Connector.AppClient.Apps.FindRepositoryInstallationByID(ctx, r.GetID())
+	if err != nil {
+		return nil, "", err
+	}
+
+	token, _, err := a.Connector.AppClient.Apps.CreateInstallationToken(
+		ctx,
+		inst.GetID(),
+		&github.InstallationTokenOptions{
+			Permissions: &github.InstallationPermissions{
+				Contents: github.String("read"),
+			},
+		},
+	)
 	if err != nil {
 		return nil, "", err
 	}
-	defer os.Remove(pk)
 
 	dir, err := a.downloadRepository(ctx, c, r, commit)
 	if err != nil {
@@ -330,10 +338,12 @@ func (a *Analyzer) loadPackages(
 			packages.NeedTypesInfo |
 			packages.NeedDeps,
 		Dir: dir,
-		Env: []string{
-			// See https://superuser.com/questions/232373/how-to-tell-git-which-private-key-to-use
-			"GIT_SSH_COMMAND=ssh -F /dev/null -i " + pk,
-		},
+		Env: append(
+			os.Environ(),
+			// This environment variable is read by the `askpass` binary, which
+			// is part of this project.
+			"_DOGMA_BROWSER_GITHUB_TOKEN="+token.GetToken(),
+		),
 	}
 
 	pkgs, err := packages.Load(cfg, "./...")
@@ -489,24 +499,3 @@ func (a *Analyzer) analyzePackage(
 
 	return apps, defs
 }
-
-func (a *Analyzer) persistPrivateKey() (string, error) {
-	f, err := os.CreateTemp("", "github-app-private-key")
-	if err != nil {
-		return "", err
-	}
-	defer f.Close()
-	defer os.Remove(f.Name())
-
-	if err := pem.Encode(
-		f,
-		&pem.Block{
-			Type:  "RSA PRIVATE KEY",
-			Bytes: x509.MarshalPKCS1PrivateKey(a.PrivateKey),
-		},
-	); err != nil {
-		return "", err
-	}
-
-	return f.Name(), nil
-}

cmd/askpass/main.go

@@ -6,5 +6,5 @@ import (
 )
 
 func main() {
-	fmt.Println(os.Getenv("GITHUB_USER_TOKEN"))
+	fmt.Println(os.Getenv("_DOGMA_BROWSER_GITHUB_TOKEN"))
 }

cmd/browser/analyzer.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"crypto/rsa"
 	"database/sql"
 
 	"github.com/dogmatiq/browser/analyzer"
@@ -11,20 +10,18 @@ import (
 )
 
 func init() {
-	imbue.With4(
+	imbue.With3(
 		container,
 		func(
 			ctx imbue.Context,
 			db *sql.DB,
 			c *githubx.Connector,
-			pk *rsa.PrivateKey,
 			l logging.Logger,
 		) (*analyzer.Analyzer, error) {
 			return &analyzer.Analyzer{
-				DB:         db,
-				Connector:  c,
-				PrivateKey: pk,
-				Logger:     l,
+				DB:        db,
+				Connector: c,
+				Logger:    l,
 			}, nil
 		},
 	)