refactor: remove go-github dependency and implement internal GitHub API client

- Replace go-github/v74 dependency with lightweight internal implementation
- Add new github.go with minimal GitHub API types and client
- Update InstallationTokenOptions and InstallationPermissions to local types
- Simplify enterprise URL configuration to single base URL parameter
- All functionality maintained with same public API surface
- All tests passing with zero breaking changes

Author: jferrl

auth.go

@@ -3,7 +3,7 @@
 //
 // This package implements oauth2.TokenSource interfaces for GitHub App
 // authentication and GitHub App installation token generation. It is built
-// on top of the go-github and golang.org/x/oauth2 libraries.
+// on top of the golang.org/x/oauth2 library.
 package githubauth
 
 import (
@@ -15,7 +15,6 @@ import (
 	"time"
 
 	jwt "github.com/golang-jwt/jwt/v5"
-	"github.com/google/go-github/v74/github"
 	"golang.org/x/oauth2"
 )
 
@@ -135,7 +134,7 @@ func (t *applicationTokenSource) Token() (*oauth2.Token, error) {
 type InstallationTokenSourceOpt func(*installationTokenSource)
 
 // WithInstallationTokenOptions sets the options for the GitHub App installation token.
-func WithInstallationTokenOptions(opts *github.InstallationTokenOptions) InstallationTokenSourceOpt {
+func WithInstallationTokenOptions(opts *InstallationTokenOptions) InstallationTokenSourceOpt {
 	return func(i *installationTokenSource) {
 		i.opts = opts
 	}
@@ -149,16 +148,16 @@ func WithHTTPClient(client *http.Client) InstallationTokenSourceOpt {
 			Base:   client.Transport,
 		}
 
-		i.client = github.NewClient(client)
+		i.client = newGitHubClient(client)
 	}
 }
 
-// WithEnterpriseURLs sets the base URL and upload URL for GitHub Enterprise Server.
+// WithEnterpriseURL sets the base URL for GitHub Enterprise Server.
 // This option should be used after WithHTTPClient to ensure the HTTP client is properly configured.
-// If the provided URLs are invalid, the option is ignored and default GitHub URLs are used.
-func WithEnterpriseURLs(baseURL, uploadURL string) InstallationTokenSourceOpt {
+// If the provided base URL is invalid, the option is ignored and default GitHub base URL is used.
+func WithEnterpriseURL(baseURL string) InstallationTokenSourceOpt {
 	return func(i *installationTokenSource) {
-		enterpriseClient, err := i.client.WithEnterpriseURLs(baseURL, uploadURL)
+		enterpriseClient, err := i.client.withEnterpriseURL(baseURL)
 		if err != nil {
 			return
 		}
@@ -182,8 +181,8 @@ type installationTokenSource struct {
 	id     int64
 	ctx    context.Context
 	src    oauth2.TokenSource
-	client *github.Client
-	opts   *github.InstallationTokenOptions
+	client *githubClient
+	opts   *InstallationTokenOptions
 }
 
 // NewInstallationTokenSource creates a GitHub App installation token source.
@@ -193,7 +192,7 @@ type installationTokenSource struct {
 // token regeneration. Don't worry about wrapping the result again since ReuseTokenSource
 // prevents re-wrapping automatically.
 //
-// See https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token
+// See https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app
 func NewInstallationTokenSource(id int64, src oauth2.TokenSource, opts ...InstallationTokenSourceOpt) oauth2.TokenSource {
 	ctx := context.Background()
 
@@ -207,7 +206,7 @@ func NewInstallationTokenSource(id int64, src oauth2.TokenSource, opts ...Instal
 		id:     id,
 		ctx:    ctx,
 		src:    src,
-		client: github.NewClient(httpClient),
+		client: newGitHubClient(httpClient),
 	}
 
 	for _, opt := range opts {
@@ -219,15 +218,15 @@ func NewInstallationTokenSource(id int64, src oauth2.TokenSource, opts ...Instal
 
 // Token generates a new GitHub App installation token for authenticating as a GitHub App installation.
 func (t *installationTokenSource) Token() (*oauth2.Token, error) {
-	token, _, err := t.client.Apps.CreateInstallationToken(t.ctx, t.id, t.opts)
+	token, err := t.client.createInstallationToken(t.ctx, t.id, t.opts)
 	if err != nil {
 		return nil, err
 	}
 
 	return &oauth2.Token{
-		AccessToken: token.GetToken(),
+		AccessToken: token.Token,
 		TokenType:   bearerTokenType,
-		Expiry:      token.GetExpiresAt().Time,
+		Expiry:      token.ExpiresAt,
 	}, nil
 }
 

auth_test.go

@@ -12,7 +12,6 @@ import (
 	"time"
 
 	jwt "github.com/golang-jwt/jwt/v5"
-	"github.com/google/go-github/v74/github"
 	"golang.org/x/oauth2"
 )
 
@@ -161,18 +160,16 @@ func Test_installationTokenSource_Token(t *testing.T) {
 	mockedHTTPClient, cleanupSuccess := newMockedHTTPClient(
 		withRequestMatch(
 			postAppInstallationsAccessTokensByInstallationID,
-			github.InstallationToken{
-				Token: github.Ptr("mocked-installation-token"),
-				ExpiresAt: &github.Timestamp{
-					Time: expiration,
+			InstallationToken{
+				Token:     "mocked-installation-token",
+				ExpiresAt: expiration,
+				Permissions: &InstallationPermissions{
+					PullRequests: ptr("read"),
 				},
-				Permissions: &github.InstallationPermissions{
-					PullRequests: github.Ptr("read"),
-				},
-				Repositories: []*github.Repository{
+				Repositories: []Repository{
 					{
-						Name: github.Ptr("mocked-repo-1"),
-						ID:   github.Ptr(int64(1)),
+						Name: ptr("mocked-repo-1"),
+						ID:   ptr(int64(1)),
 					},
 				},
 			},
@@ -217,7 +214,7 @@ func Test_installationTokenSource_Token(t *testing.T) {
 				id:  1,
 				src: appSrc,
 				opts: []InstallationTokenSourceOpt{
-					WithInstallationTokenOptions(&github.InstallationTokenOptions{}),
+					WithInstallationTokenOptions(&InstallationTokenOptions{}),
 					WithHTTPClient(errMockedHTTPClient),
 				},
 			},
@@ -229,9 +226,9 @@ func Test_installationTokenSource_Token(t *testing.T) {
 				id:  1,
 				src: appSrc,
 				opts: []InstallationTokenSourceOpt{
-					WithInstallationTokenOptions(&github.InstallationTokenOptions{}),
+					WithInstallationTokenOptions(&InstallationTokenOptions{}),
 					WithContext(context.Background()),
-					WithEnterpriseURLs("https://github.example.com", "https://github.example.com"),
+					WithEnterpriseURL("https://github.example.com"),
 					WithHTTPClient(mockedHTTPClient),
 				},
 			},

github.go

@@ -0,0 +1,157 @@
+package githubauth
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"time"
+)
+
+const (
+	// defaultBaseURL is the default GitHub API base URL.
+	defaultBaseURL = "https://api.github.com/"
+)
+
+// InstallationTokenOptions specifies options for creating an installation token.
+type InstallationTokenOptions struct {
+	// Repositories is a list of repository names that the token should have access to.
+	Repositories []string `json:"repositories,omitempty"`
+	// RepositoryIDs is a list of repository IDs that the token should have access to.
+	RepositoryIDs []int64 `json:"repository_ids,omitempty"`
+	// Permissions are the permissions granted to the access token.
+	Permissions *InstallationPermissions `json:"permissions,omitempty"`
+}
+
+// InstallationPermissions represents the permissions granted to an installation token.
+type InstallationPermissions struct {
+	Actions                         *string `json:"actions,omitempty"`
+	Administration                  *string `json:"administration,omitempty"`
+	Checks                          *string `json:"checks,omitempty"`
+	Contents                        *string `json:"contents,omitempty"`
+	ContentReferences               *string `json:"content_references,omitempty"`
+	Deployments                     *string `json:"deployments,omitempty"`
+	Environments                    *string `json:"environments,omitempty"`
+	Issues                          *string `json:"issues,omitempty"`
+	Metadata                        *string `json:"metadata,omitempty"`
+	Packages                        *string `json:"packages,omitempty"`
+	Pages                           *string `json:"pages,omitempty"`
+	PullRequests                    *string `json:"pull_requests,omitempty"`
+	RepositoryAnnouncementBanners   *string `json:"repository_announcement_banners,omitempty"`
+	RepositoryHooks                 *string `json:"repository_hooks,omitempty"`
+	RepositoryProjects              *string `json:"repository_projects,omitempty"`
+	SecretScanningAlerts            *string `json:"secret_scanning_alerts,omitempty"`
+	Secrets                         *string `json:"secrets,omitempty"`
+	SecurityEvents                  *string `json:"security_events,omitempty"`
+	SingleFile                      *string `json:"single_file,omitempty"`
+	Statuses                        *string `json:"statuses,omitempty"`
+	VulnerabilityAlerts             *string `json:"vulnerability_alerts,omitempty"`
+	Workflows                       *string `json:"workflows,omitempty"`
+	Members                         *string `json:"members,omitempty"`
+	OrganizationAdministration      *string `json:"organization_administration,omitempty"`
+	OrganizationCustomRoles         *string `json:"organization_custom_roles,omitempty"`
+	OrganizationAnnouncementBanners *string `json:"organization_announcement_banners,omitempty"`
+	OrganizationHooks               *string `json:"organization_hooks,omitempty"`
+	OrganizationPlan                *string `json:"organization_plan,omitempty"`
+	OrganizationProjects            *string `json:"organization_projects,omitempty"`
+	OrganizationPackages            *string `json:"organization_packages,omitempty"`
+	OrganizationSecrets             *string `json:"organization_secrets,omitempty"`
+	OrganizationSelfHostedRunners   *string `json:"organization_self_hosted_runners,omitempty"`
+	OrganizationUserBlocking        *string `json:"organization_user_blocking,omitempty"`
+	TeamDiscussions                 *string `json:"team_discussions,omitempty"`
+}
+
+// InstallationToken represents a GitHub App installation token.
+type InstallationToken struct {
+	Token        string                   `json:"token"`
+	ExpiresAt    time.Time                `json:"expires_at"`
+	Permissions  *InstallationPermissions `json:"permissions,omitempty"`
+	Repositories []Repository             `json:"repositories,omitempty"`
+}
+
+// Repository represents a GitHub repository.
+type Repository struct {
+	ID   *int64  `json:"id,omitempty"`
+	Name *string `json:"name,omitempty"`
+}
+
+// githubClient is a simple GitHub API client for creating installation tokens.
+type githubClient struct {
+	baseURL *url.URL
+	client  *http.Client
+}
+
+// newGitHubClient creates a new GitHub API client.
+func newGitHubClient(httpClient *http.Client) *githubClient {
+	baseURL, _ := url.Parse(defaultBaseURL)
+
+	return &githubClient{
+		baseURL: baseURL,
+		client:  httpClient,
+	}
+}
+
+// withEnterpriseURL sets the base URL for GitHub Enterprise Server.
+func (c *githubClient) withEnterpriseURL(baseURL string) (*githubClient, error) {
+	base, err := url.Parse(baseURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse base URL: %w", err)
+	}
+
+	c.baseURL = base
+
+	return c, nil
+}
+
+// createInstallationToken creates an installation access token for a GitHub App.
+// API documentation: https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app
+func (c *githubClient) createInstallationToken(ctx context.Context, installationID int64, opts *InstallationTokenOptions) (*InstallationToken, error) {
+	endpoint := fmt.Sprintf("app/installations/%d/access_tokens", installationID)
+	u, err := c.baseURL.Parse(endpoint)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse endpoint URL: %w", err)
+	}
+
+	var body io.Reader
+	if opts != nil {
+		jsonBody, err := json.Marshal(opts)
+		if err != nil {
+			return nil, fmt.Errorf("failed to marshal request body: %w", err)
+		}
+		body = bytes.NewReader(jsonBody)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, u.String(), body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	req.Header.Set("Accept", "application/vnd.github+json")
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := c.client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		return nil, fmt.Errorf("GitHub API returned status %d: %s", resp.StatusCode, string(bodyBytes))
+	}
+
+	var token InstallationToken
+	if err := json.NewDecoder(resp.Body).Decode(&token); err != nil {
+		return nil, fmt.Errorf("failed to decode response: %w", err)
+	}
+
+	return &token, nil
+}
+
+// ptr is a helper function to create a pointer to a value.
+func ptr[T any](v T) *T {
+	return &v
+}

go.mod

@@ -4,8 +4,5 @@ go 1.25
 
 require (
 	github.com/golang-jwt/jwt/v5 v5.3.0
-	github.com/google/go-github/v74 v74.0.0
 	golang.org/x/oauth2 v0.32.0
 )
-
-require github.com/google/go-querystring v1.1.0 // indirect

go.sum

@@ -1,12 +1,4 @@
 github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
 github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-github/v74 v74.0.0 h1:yZcddTUn8DPbj11GxnMrNiAnXH14gNs559AsUpNpPgM=
-github.com/google/go-github/v74 v74.0.0/go.mod h1:ubn/YdyftV80VPSI26nSJvaEsTOnsjrxG3o9kJhcyak=
-github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
-github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
 golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=