Add option to publish image-info using GitHub App installation auth rather than account PAT #1637
Comments
To give more context - we aren't prioritizing migrating our bot right now, but I'd be happy to accept contributions in this space if we can agree on a solution. Splitting up the generating and publishing of ImageArtifactDetails files doesn't sound like a bad idea to me. If we were to build in support for GitHub apps, the biggest thing to consider is that GH Apps can't own forks. So it's important for branch protection policies to be in place so they can't push directly to important branches (main, nightly in our case). That doesn't really apply to publishing image-info, so perhaps we don't even need many changes to support your scenario.
@gdams is planning to take a look at this and figure out if it makes sense for us to try to contribute to the .NET code or go with the new-stage approach. (Our internal tracking issue: https://github.com/microsoft/go-lab/issues/183.)
Yeah, we're facing this dilemma for our Azure Linux PR automation, which is maybe more contentious because we don't own the repo. (At least, I think it should be contentious. 😄) Perhaps we still need to have a bot account to host the fork, but all automation goes through the app, installed on the fork/user, rather than a PAT. I'm not 100% sure the app permission model allows for all of this, though. But also yes, image-info updates are direct pushes to repos we own (and I don't see an issue with this), so it's only something to consider for migrating other bot-driven stuff.
Policies around bot accounts and PATs are changing, and for the Microsoft build of Go, we're migrating to GitHub Apps.
For our Go infra tasks, what this looks like is moving to either accept a user PAT or app client id + installation + private key (cert).
Has this been considered for docker-tools image-info updates?
If the plan is to keep using an account indefinitely, I think we could work around this without diverging eng/common by disabling built-in image-info publish and adding another stage that runs our own code to do the publish.
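The credential set described above (app client ID, installation, private key) in working form, as an added example that is not code from docker-tools or the Microsoft Go infra: mint the App's short-lived JWT and build the request that exchanges it for an installation access token. The client ID and installation ID are constructed placeholders, and the RSA key is generated in place rather than loaded from the App's private key file.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// appJWT builds the short-lived RS256 JWT a GitHub App uses to authenticate as itself:
// iss is the App's client ID, exp is at most 10 minutes out, iat is back-dated for clock skew.
func appJWT(clientID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{
		"iat": now.Add(-time.Minute).Unix(),
		"exp": now.Add(9 * time.Minute).Unix(),
		"iss": clientID,
	})
	signingInput := enc(header) + "." + enc(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc(sig), nil
}

// installationTokenRequest exchanges the App JWT for an installation access token (about
// one hour, scoped to that installation's repos and permissions); that token replaces the PAT.
func installationTokenRequest(jwt string, installationID int64) *http.Request {
	url := fmt.Sprintf("https://api.github.com/app/installations/%d/access_tokens", installationID)
	req, _ := http.NewRequest(http.MethodPost, url, nil) // fixed-format URL, cannot fail
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)             // stand-in for the App's private key file
	jwt, _ := appJWT("Iv1.exampleclientid", key, time.Now()) // constructed client ID
	req := installationTokenRequest(jwt, 12345678)          // constructed installation ID
	fmt.Println(req.Method, req.URL, "jwt bytes:", len(jwt))
}
```

The response to that POST carries the installation token and its expiry; the publish step uses that token for the push and discards it, so nothing long-lived is stored.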