jobs/index/archive: Authenticate archive push via GitHub App (#13489)

Author: Turbo87

Cargo.lock

@@ -79,6 +79,7 @@ crates_io_docs_rs = { path = "crates/crates_io_docs_rs" }
 crates_io_env_vars = { path = "crates/crates_io_env_vars" }
 crates_io_fastly = { path = "crates/crates_io_fastly" }
 crates_io_github = { path = "crates/crates_io_github" }
+crates_io_github_app = { path = "crates/crates_io_github_app" }
 crates_io_index = { path = "crates/crates_io_index" }
 crates_io_linecount = { path = "crates/crates_io_linecount" }
 crates_io_markdown = { path = "crates/crates_io_markdown" }
@@ -155,6 +156,7 @@ utoipa-axum = "=0.2.0"
 bytes = "=1.11.1"
 crates_io_docs_rs = { path = "crates/crates_io_docs_rs", features = ["mock"] }
 crates_io_github = { path = "crates/crates_io_github", features = ["mock"] }
+crates_io_github_app = { path = "crates/crates_io_github_app", features = ["mock"] }
 crates_io_index = { path = "crates/crates_io_index", features = ["testing"] }
 crates_io_tarball = { path = "crates/crates_io_tarball", features = ["builder"] }
 crates_io_team_repo = { path = "crates/crates_io_team_repo", features = ["mock"] }

Cargo.toml

@@ -0,0 +1,31 @@
+[package]
+name = "crates_io_github_app"
+version = "0.0.0"
+license = "MIT OR Apache-2.0"
+edition = "2024"
+
+[lints]
+workspace = true
+
+[features]
+mock = ["dep:mockall"]
+
+[dependencies]
+anyhow = "=1.0.102"
+async-trait = "=0.1.89"
+chrono = { version = "=0.4.44", features = ["serde"] }
+jsonwebtoken = { version = "=10.3.0", features = ["aws_lc_rs"] }
+mockall = { version = "=0.14.0", optional = true }
+reqwest = { version = "=0.13.3", features = ["json"] }
+secrecy = { version = "=0.10.3", features = ["serde"] }
+serde = { version = "=1.0.228", features = ["derive"] }
+tokio = { version = "=1.52.1", features = ["sync"] }
+tracing = "=0.1.44"
+url = "=2.5.8"
+
+[dev-dependencies]
+claims = "=0.8.0"
+clap = { version = "=4.6.1", features = ["derive", "env"] }
+insta = "=1.47.2"
+mockito = "=1.7.2"
+tokio = { version = "=1.52.1", features = ["macros", "rt-multi-thread"] }

crates/crates_io_github_app/Cargo.toml

@@ -0,0 +1,10 @@
+# crates_io_github_app
+
+Mints installation access tokens for a GitHub App, used by the
+background worker to authenticate HTTPS pushes to the archive index
+repository.
+
+The `GitHubApp` trait abstracts the HTTP interaction for testing. The
+`GitHubAppClient` struct is the actual implementation that signs a JWT
+with the app's private key, resolves the installation id once, and caches
+the minted installation access token until shortly before its expiry.

crates/crates_io_github_app/README.md

@@ -0,0 +1,35 @@
+use anyhow::Context;
+use clap::Parser;
+use crates_io_github_app::{GitHubApp, GitHubAppClient};
+use secrecy::{ExposeSecret, SecretString};
+use url::Url;
+
+#[derive(Debug, Parser)]
+#[command(about = "Prints a fresh installation access token for the configured GitHub App.")]
+struct Opts {
+    #[arg(long, env = "GH_INDEX_SYNC_APP_CLIENT_ID")]
+    client_id: String,
+
+    #[arg(long, env = "GH_INDEX_SYNC_APP_PRIVATE_KEY", hide_env_values = true)]
+    private_key: SecretString,
+
+    #[arg(long, env = "GIT_ARCHIVE_REPO_URL")]
+    archive_url: Url,
+}
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+    let opts = Opts::parse();
+
+    let org = opts
+        .archive_url
+        .path_segments()
+        .and_then(|mut segments| segments.next())
+        .filter(|segment| !segment.is_empty())
+        .context("archive URL is missing the org path segment")?;
+
+    let app = GitHubAppClient::new(&opts.client_id, opts.private_key.expose_secret(), org)?;
+    let token = app.installation_token().await?;
+    println!("{}", token.expose_secret());
+    Ok(())
+}