App auth broken in v5.8.0

[ederst]

What happened?

We use app_auth as method to authenticate against our GHE and since we've upgraded to v5.8.0 this produces an authentication error. For example:

Exception: invoke of github:index/getRepository:getRepository failed: invocation of github:index/getRepository:getRepository returned an error: invoking github:index/getRepository:getRepository: GET https://<ghe-instance>/api/v3/repos/<owner>/<repo>: 401 Must authenticate to access this API. []

It seems to affect resources and functions alike.

When downgrading to the previous version (v5.7.0) it works.

Expected Behavior

The expected behavior is that with a github provider using app_auth it should be possible to access the GH(E) API.

Steps to reproduce

I have coded a sample app to reproduce: https://github.com/ederst/pulumi-in-a-pickle/tree/github-provider-app-auth

Note that this also includes a Terraform version of the Pulumi app, using the terraform-github provider this provider is based on. However, using app auth with the Terraform provider still works - tested v5.20.0 (used in v5.7.0), v5.23.0 (used in v5.8.0), and v5.25.0.

Additional context

What I also noticed is that, setting the pem_file to any invalid value - a path, or a random string - does not produce the error: no decodeable PEM data found error as described in #348.

I also glanced at the "changelog" (v5.7.0...v5.8.0 ) but have not found anything so far.

Edit: What also works is setting the environment variables and just initializing the app auth args with empty values:

export GITHUB_APP_ID=
export GITHUB_APP_INSTALLATION_ID=
export GITHUB_APP_PEM_FILE=

    app_auth=github.ProviderAppAuthArgs(
        id="",
        installation_id="",
        pem_file="",
    ),

So by the looks of it the app auth is not set correctly by the pulumi provider.

Output of pulumi about

CLI
Version      3.66.0
Go Version   go1.20.4
Go Compiler  gc

Plugins
NAME    VERSION
github  5.8.0
python  unknown

Host
OS       darwin
Version  13.3.1
Arch     arm64

This project is written in python: executable='/Playground/pulumi-stuff/test-github-provider/.venv/bin/python3' version='3.11.3
'

Current Stack: test-github-provider/dev

TYPE                          URN
pulumi:pulumi:Stack           urn:pulumi:dev::test-github-provider::pulumi:pulumi:Stack::test-github-provider-dev
pulumi:providers:pulumi       urn:pulumi:dev::test-github-provider::pulumi:providers:pulumi::default
pulumi:pulumi:StackReference  urn:pulumi:dev::test-github-provider::pulumi:pulumi:StackReference::common-config-stack
pulumi:providers:github       urn:pulumi:dev::test-github-provider::pulumi:providers:github::github-provider


Found no pending operations associated with dev

Backend
<redacted>

Dependencies:
NAME                  VERSION
pip                   23.0.1
pulumi-github         5.8.0
setuptools            67.4.0
test-github-provider  0.1.0
wheel                 0.38.4

Pulumi locates its logs in /var/folders/5b/dd8bgp9178s13b8bm4g7vhs40000gn/T/ by default

Contributing

No response

[guineveresaenger]

Hi @ederst - thank you so much for this very thorough issue ❤️ . Thank you also for providing workarounds, though of course we understand they aren't a solution.

We will take a look as soon as we can.

[guineveresaenger]

Hi @ederst - this should be fixed via #355. We'll cut a new release as soon as that's merged.

Do please re-open this ticked if your issues persist.

[ederst]

Hi @ederst - this should be fixed via #355. We'll cut a new release as soon as that's merged.

Do please re-open this ticked if your issues persist.

Will test ASAP

Edit: Can confirm: app auth works again with v5.9.0; thanks for the fast response and fix