feat(github): add GitHub App integration

Implement GitHub App based authentication as an alternative to personal access
tokens for GitHub-backed repositories. The integration stores the app
configuration and installation metadata, exchanges app credentials for
installation access tokens, and uses those tokens when Weblate performs GitHub
repository operations.

Author: amCap1712

docs/admin/code-hosting.rst

@@ -237,7 +237,38 @@ access to the repository. To push changes back, you still need to add
 the Hosted Weblate :guilabel:`weblate` GitHub user as a collaborator with write
 access, see :ref:`hosted-push`.
 
-If you are not using the app, add the Weblate webhook in the repository
+For self-hosted Weblate, create a GitHub App on each GitHub host you want
+Weblate to connect to and configure :setting:`GITHUB_APP_CREDENTIALS` with the
+app ID, app slug, private key, and webhook secret from that app.
+
+When creating the GitHub App, copy :guilabel:`App ID` from the app settings,
+use the slug from the app URL as ``app_slug``, generate a private key and use
+its PEM contents as ``private_key``, and choose a webhook secret to store as
+``webhook_secret``.
+
+In the GitHub App webhook settings, enable webhooks and use the Weblate
+GitHub hook URL as the :guilabel:`Webhook URL`. When Weblate is configured for
+multiple GitHub hosts, include the GitHub host in the URL query string:
+
+.. code-block:: text
+
+   https://weblate.example.com/hooks/github/?host=github.example.com
+
+The ``host`` value has to match the host key in :setting:`GITHUB_APP_CREDENTIALS`.
+Use ``github.com`` for GitHub.com and the web hostname for GitHub Enterprise
+Server. The query parameter is not added by GitHub; it is part of the webhook
+URL you configure in the GitHub App.
+
+The host is needed because GitHub App IDs and installation IDs are scoped to a
+single GitHub host. If the same Weblate instance handles GitHub.com and one or
+more GitHub Enterprise Server instances, the same numeric ID can exist on more
+than one host. The host value lets Weblate choose the correct app credentials
+before validating the webhook signature and before creating or updating the
+stored installation. If the parameter is omitted, Weblate tries to infer the
+host from a unique app ID, an existing installation, or a matching webhook
+secret, but an explicit host keeps the first delivery unambiguous.
+
+If you are not using a GitHub App, add the Weblate webhook in the repository
 settings (:guilabel:`Webhooks`) to receive notifications on every push to a
 GitHub repository, as shown on the image below:
 
@@ -253,6 +284,7 @@ types and consumes just the :guilabel:`push` event.
 .. seealso::
 
    * :http:post:`/hooks/github/`
+   * :setting:`GITHUB_APP_CREDENTIALS`
    * :ref:`hosted-push`
 
 .. _code-hosting-github-pull-requests:

docs/admin/config.rst

@@ -1060,6 +1060,50 @@ List for credentials for GitHub servers.
 
 .. _Creating a GitHub personal access token: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token
 
+.. setting:: GITHUB_APP_CREDENTIALS
+
+GITHUB_APP_CREDENTIALS
+----------------------
+
+List of Weblate GitHub App credentials for GitHub.com and GitHub Enterprise
+Server hosts.
+
+.. code-block:: python
+
+    GITHUB_APP_CREDENTIALS = {
+        "github.com": {
+            "app_id": "12345",
+            "app_slug": "weblate-app",
+            "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----",
+            "webhook_secret": "your-webhook-secret",
+        },
+        "github.example.com": {
+            "app_id": "67890",
+            "app_slug": "weblate-enterprise-app",
+            "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----",
+            "webhook_secret": "your-enterprise-webhook-secret",
+        },
+    }
+
+The dictionary keys are GitHub web hostnames. Use ``github.com`` for
+GitHub.com and the web hostname, not the API URL, for GitHub Enterprise
+Server.
+
+Use the :guilabel:`App ID` from the GitHub App settings as ``app_id``, the
+slug from the app URL as ``app_slug``, a generated private key PEM as
+``private_key``, and the configured app webhook secret as ``webhook_secret``.
+
+The :guilabel:`Webhook URL` configured in the GitHub App should include the
+matching host when Weblate is configured with multiple GitHub hosts:
+
+.. code-block:: text
+
+    https://weblate.example.com/hooks/github/?host=github.example.com
+
+.. seealso::
+
+   * :ref:`code-hosting-github-notifications`
+
 .. setting:: BITBUCKETSERVER_CREDENTIALS
 
 BITBUCKETSERVER_CREDENTIALS

docs/admin/install/docker.rst

@@ -1380,6 +1380,46 @@ Or the path to a file containing the Python dictionary:
 
        :ref:`Configuring code hosting credentials in Docker <docker-vcs-config>`
 
+GitHub App credentials can be configured using dedicated environment
+variables for one GitHub host:
+
+.. code-block:: shell
+
+   WEBLATE_GITHUB_APP_HOST=github.example.com
+   WEBLATE_GITHUB_APP_ID=12345
+   WEBLATE_GITHUB_APP_SLUG=weblate-enterprise-app
+   WEBLATE_GITHUB_APP_PRIVATE_KEY_FILE=/run/secrets/github-app-private-key
+   WEBLATE_GITHUB_APP_WEBHOOK_SECRET=webhook-secret
+
+When configuring the GitHub App webhook URL, include the same host:
+
+.. code-block:: text
+
+   https://weblate.example.com/hooks/github/?host=github.example.com
+
+Alternatively the Python dictionary can be provided as a string or file for
+multiple GitHub hosts:
+
+.. code-block:: shell
+
+   WEBLATE_GITHUB_APP_CREDENTIALS_FILE=/path/to/github-app-credentials
+
+.. envvar:: WEBLATE_GITHUB_APP_HOST
+.. envvar:: WEBLATE_GITHUB_APP_ID
+.. envvar:: WEBLATE_GITHUB_APP_SLUG
+.. envvar:: WEBLATE_GITHUB_APP_PRIVATE_KEY
+.. envvar:: WEBLATE_GITHUB_APP_PRIVATE_KEY_FILE
+.. envvar:: WEBLATE_GITHUB_APP_WEBHOOK_SECRET
+.. envvar:: WEBLATE_GITHUB_APP_CREDENTIALS
+.. envvar:: WEBLATE_GITHUB_APP_CREDENTIALS_FILE
+
+    Configures :ref:`code-hosting-github-notifications` by changing
+    :setting:`GITHUB_APP_CREDENTIALS`.
+
+    .. seealso::
+
+       :setting:`GITHUB_APP_CREDENTIALS`
+
 .. envvar:: WEBLATE_GITLAB_USERNAME
 .. envvar:: WEBLATE_GITLAB_TOKEN
 .. envvar:: WEBLATE_GITLAB_HOST

weblate/settings_docker.py

@@ -30,6 +30,7 @@
     get_env_bool,
     get_env_credentials,
     get_env_float,
+    get_env_github_app_credentials,
     get_env_int,
     get_env_int_or_none,
     get_env_json,
@@ -246,6 +247,9 @@
 # Please see the documentation for more details.
 GITHUB_CREDENTIALS = get_env_credentials("GITHUB")
 
+# Weblate GitHub app configuration for one-click installation flow.
+GITHUB_APP_CREDENTIALS = get_env_github_app_credentials()
+
 # Azure DevOps username, token, and organization for sending pull requests.
 # Please see the documentation for more details.
 AZURE_DEVOPS_CREDENTIALS = get_env_credentials("AZURE_DEVOPS")

weblate/settings_example.py

@@ -201,6 +201,17 @@
 # Please see the documentation for more details.
 GITHUB_CREDENTIALS = {}
 
+# Weblate GitHub app configuration for one-click installation flow.
+# Please see the documentation for more details.
+GITHUB_APP_CREDENTIALS = {
+    # "github.com": {
+    #     "app_id": "12345",
+    #     "app_slug": "weblate-app",
+    #     "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----",
+    #     "webhook_secret": "secret",
+    # },
+}
+
 # Azure DevOps username and token for sending pull requests.
 # Please see the documentation for more details.
 AZURE_DEVOPS_CREDENTIALS = {}

weblate/templates/trans/component_create.html

@@ -40,6 +40,11 @@
         <a class="nav-link" data-bs-target="#scratch" data-bs-toggle="tab" href="#">{% translate "Start from scratch" %}</a>
       </li>
     {% endif %}
+    {% if github_app_available %}
+      <li class="nav-item" role="presentation">
+        <a class="nav-link" data-bs-target="#github" data-bs-toggle="tab" href="#">{% translate "From GitHub" %}</a>
+      </li>
+    {% endif %}
   </ul>
 {% endblock nav_pills %}
 
@@ -178,6 +183,65 @@
         </div>
       {% endif %}
 
+      {% if github_app_available %}
+        <div class="tab-pane" id="github">
+          <p>
+            {% translate "Pick a repository from a connected GitHub account. The component creation form will be pre-filled with the clone URL, default branch, and GitHub VCS driver." %}
+            {% if github_app_install_url %}
+              <a href="{{ github_app_install_url }}"
+                 class="btn btn-outline-primary btn-sm float-end">{% translate "Add or configure account" %}</a>
+            {% endif %}
+          </p>
+          {% if github_app_repositories %}
+            <table class="table table-striped">
+              <thead>
+                <tr>
+                  <th>{% translate "Repository" %}</th>
+                  <th>{% translate "Account" %}</th>
+                  <th>{% translate "Branch" %}</th>
+                  <th>{% translate "Visibility" %}</th>
+                  <th>{% translate "Actions" %}</th>
+                </tr>
+              </thead>
+              <tbody>
+                {% for repo in github_app_repositories %}
+                  <tr>
+                    <td>
+                      <strong>{{ repo.full_name }}</strong>
+                      {% if repo.description %}
+                        <br>
+                        <small class="text-body-secondary">{{ repo.description }}</small>
+                      {% endif %}
+                    </td>
+                    <td>{{ repo.account_name }}</td>
+                    <td>{{ repo.default_branch }}</td>
+                    <td>
+                      {% if repo.private %}
+                        <span class="badge text-bg-warning">{% translate "Private" %}</span>
+                      {% else %}
+                        <span class="badge text-bg-success">{% translate "Public" %}</span>
+                      {% endif %}
+                    </td>
+                    <td>
+                      <a href="{% url 'create-component-vcs' %}?repo={{ repo.clone_url }}&branch={{ repo.default_branch }}&vcs=github"
+                         class="btn btn-outline-primary btn-sm">{% translate "Import" %}</a>
+                    </td>
+                  </tr>
+                {% endfor %}
+              </tbody>
+            </table>
+          {% else %}
+            <p class="text-body-secondary">
+              {% if github_app_install_url %}
+                {% translate "No repositories available yet. Install the Weblate GitHub app on a GitHub organization or user account to make repositories available here." %}
+              {% else %}
+                {% translate "No repositories available from connected GitHub accounts." %}
+              {% endif %}
+            </p>
+          {% endif %}
+        </div>
+      {% endif %}
+
     </div>
   {% endif %}
 

weblate/templates/vcs/github_install_select.html

@@ -0,0 +1,29 @@
+{% extends "base.html" %}
+
+{% load i18n %}
+
+{% block breadcrumbs %}
+  <li class="breadcrumb-item">{% translate "Install Weblate GitHub app" %}</li>
+{% endblock breadcrumbs %}
+
+{% block content %}
+
+  <div class="card">
+    <div class="card-header">
+      <h4 class="card-title">{% translate "Choose GitHub host" %}</h4>
+    </div>
+    <div class="card-body">
+      <p class="text-body-secondary">
+        {% translate "Select the GitHub or GitHub Enterprise instance where you want to install the Weblate GitHub app." %}
+      </p>
+      <div class="d-grid gap-2">
+        {% for choice in install_choices %}
+          <a href="{{ choice.install_url }}" class="btn btn-outline-primary">
+            {% blocktranslate with hostname=choice.hostname %}Install on {{ hostname }}{% endblocktranslate %}
+          </a>
+        {% endfor %}
+      </div>
+    </div>
+  </div>
+
+{% endblock content %}