feat: validate GitHub App permissions via API and add tests
- Use octokit.rest.users.getByUsername to determine actor type (User or Bot)
- Fetch GitHub App installation details with octokit.rest.apps.getRepoInstallation for permission validation.
- Ensure GitHub Apps have "issues" permission set to "write" before allowing execution.
- Add test cases for GitHub App actors
In the context of the https://github.com/MorphoCloud/MorphoCloudWorkflow project, it would be very convenient to allow triggering a workflow after our dedicated GitHub App user comments on an issue. Despite being added to the allowList, we observed the error depicted below. This pull request is an attempt to address this.
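The check listed in the description above, sketched as an added example that is not the code from this pull request: `decide`, `validateActor` and `fakeOctokit` are hypothetical names, and the stubbed API responses are constructed. It accepts only an explicit `issues: write` and denies on any lookup failure.

```javascript
// Added example with hypothetical helper names; not the code from the pull request.
// `octokit` is an authenticated Octokit client such as the one from @actions/github.

// Pure decision step: only an explicit issues: "write" lets an App through.
function decide(actorType, appPermissions, allowGitHubApps) {
  if (actorType === 'User') return { decision: 'check-collaborator', reason: 'human actor' };
  if (actorType !== 'Bot') return { decision: 'deny', reason: `unsupported actor type: ${actorType}` };
  if (!allowGitHubApps) return { decision: 'deny', reason: 'allow_github_apps is disabled' };
  // "read" and a missing key are both denied.
  if (appPermissions?.issues !== 'write') return { decision: 'deny', reason: 'app lacks issues: write' };
  return { decision: 'allow', reason: 'app has issues: write' };
}

async function validateActor(octokit, { owner, repo, actor }, allowGitHubApps = true) {
  let actorType;
  try {
    const res = await octokit.rest.users.getByUsername({ username: actor });
    actorType = res.data.type; // "User", "Bot" or "Organization"
  } catch (err) {
    return { actorType: null, decision: 'deny', reason: `actor lookup failed: ${err.message}` };
  }
  let permissions;
  if (actorType === 'Bot' && allowGitHubApps) {
    try {
      const res = await octokit.rest.apps.getRepoInstallation({ owner, repo });
      permissions = res.data.permissions;
    } catch (err) {
      // Fail closed: an API error must never be read as "permitted".
      return { actorType, decision: 'deny', reason: `installation lookup failed: ${err.message}` };
    }
  }
  return { actorType, ...decide(actorType, permissions, allowGitHubApps) };
}

// Constructed stub standing in for Octokit so the example runs offline.
function fakeOctokit(type, permissions) {
  return {
    rest: {
      users: { getByUsername: async () => ({ data: { type } }) },
      apps: {
        getRepoInstallation: async () => {
          if (!permissions) throw new Error('Not Found');
          return { data: { permissions } };
        },
      },
    },
  };
}
```

A `check-collaborator` result means the actor is a human account and the usual collaborator permission check still has to run.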
@jcfr Thank you for this! 🚀
I can see right away how this could be useful. Pretty much how I build these Actions is always allowing for users to toggle on/off features like this so I pushed a commit to add a new allow_github_apps input to disable this ability if people want to do so. By default, it will be enabled so both users and bots can trigger this Action (making this a non-breaking change).
I also did the following:
- Fixed a few tests
- Added a few more tests for 100% unit test coverage
- Added a new output called actor_type which matches the type of the Actor who initiated the chatop request
@jcfr I think these changes should be good to merge in shortly.
Could I ask that you briefly fill out some docs around using GitHub Apps with this Action so that others who want to do the same have a bit of info/context to go off of? I created a new doc here for you to add some notes. Thank you!
https://github.com/github/command/pull/70/files#diff-2c3a4fa30fdb6b666b88487547e39ac628a80976a03a0332c78468aae5e8a90bR5
Also, for testing you could likely point a previous use of github/command to this PR branch and see if it works before we merge as well.
For example you could do:
- uses: jcfr/command@support-granting-permission-to-bot-user
and that should work by using this branch
Thanks for both the quick review and for bringing this patch to the next level :pray: :rocket:
Adding support for allow_github_apps as input as well as the actor_type as output is very sensible.
> Also, for testing you could likely point [...]
> uses: jcfr/command@support-granting-permission-to-bot-user
I will test in the morning and report back.
> fill out some docs around using GitHub Apps with this Action so that others who want to do the same have a bit of info/context to go off of?
I will do so. Thanks for the suggestion.
At first, I observed the following:
https://github.com/MorphoCloud/MorphoCloudInstancesTest/actions/runs/13609717922/job/38045333779
Then, I explicitly associated the token retrieved from the GitHub App with the github/command by setting github_token input (see https://github.com/MorphoCloud/MorphoCloudInstancesTest/commit/9c2e5d98e7d55cd5b0eb9f409625e2cfaeff0045), but I still observe the same error:
https://github.com/MorphoCloud/MorphoCloudInstancesTest/actions/runs/13609779093/job/38045452436
I am wondering if I should grant additional permission to the GitHub App ..
👋 Hey @jcfr, just wanted to loop back around to you and see where things stand on this and if it's something you are still working on. 🙇
Hello there 👋
What is the status of this feature? I am very interested in it 😇
Can I do something to help? (To be more precise, I am looking for this feature to land in https://github.com/github/branch-deploy/issues/381 😁)
I still would like to address this :sparkles: I may have some bandwidth to work on this tomorrow :crossed_fingers: