Add support for Github App Authentication #12

Merged
merged 4 commits into from
Oct 12, 2021

petracvv
Contributor

Description

This PR adds support for using Github App authentication at either the Org level or Repository level. To avoid adding dependencies on another interpreted language, I opted to implement the JWT signing and token retrieval in shell based on Github's docs and some helpful stack overflow articles.

The documentation update is only a minor edit of (https://github.com/actions-runner-controller/actions-runner-controller#deploying-using-github-app-authentication). I wasn't exactly certain how to attribute that (I added a section to the Credits section of the README) so any advice there is welcome.

If this PR is accepted, I plan on making one to the Helm chart to support this as well.

Related Issue(s)

There is no related issue in this repository; however there is one in the Helm Chart repository (redhat-actions/openshift-actions-runner-chart#4).

I guess I should have opened an issue here as well. Hopefully it's not too onerous to have the discussion in the PR instead.

Checklist

  • This PR includes a documentation change
  • This PR does not need a documentation change

  • This PR includes test changes (I didn't see any functionality tests)
  • This PR's changes are already tested

  • This change is not user-facing
  • This change is a patch change
  • This change is a minor change
  • This change is a major (breaking) change

Changes made

An overview of the changes:

  • Added support for GITHUB_APP_ID, GITHUB_APP_INSTALL_ID, and GITHUB_APP_PEM environmental variables
  • Added a get_github_app_token sh function to authenticate and retrieve a token tied to a Github App.
  • Updated the registration script to support authentication using the Github App method. If both Github App and PAT credentials are available, registration will prefer Github App authentication. Added a sh function for unregistration via github app auth.
  • Updated the entrypoint.sh to register the correct unregistration function and to detect if github app authentication is present.
  • Updated the Containerfile for the new environment variables and to pull in the new sh function and dependency (openssl)

Questions

I had a question about why you are using /bin/sh in all your registration scripts since /bin/bash is available in the Fedora image the runner is based on. I was unable to use process redirection ( <() ) in my github app token function because that is a bash-specific feature but the workaround (dumping credentials to a tmp directory then removing it) is not ideal. Would switching to /bin/bash be reasonable?

Otherwise please let me know if I can improve anything with this implementation or if you think it's better to just use a python script instead of shell for the JWT generation (I have a version of this locally with a python implementation too).
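The approach the description outlines (RS256 JWT signing with openssl in POSIX sh, with the key staged in a temporary directory because `<()` is unavailable) can be sketched as follows. This is an added example, not the code merged in this PR; the function names `b64url` and `make_app_jwt` and the temp-file layout are assumptions for illustration.

```sh
#!/bin/sh
# Added illustration, not the PR's code. Function names are hypothetical.

# base64url without padding, as JWTs require
b64url() {
    openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# make_app_jwt APP_ID PEM_CONTENTS -> prints a signed RS256 JWT on stdout
make_app_jwt() {
    app_id=$1
    pem=$2
    now=$(date +%s)
    header=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
    # iat is backdated 60s to tolerate clock drift; exp stays under the
    # 10-minute maximum GitHub accepts for App JWTs.
    payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' \
        "$((now - 60))" "$((now + 540))" "$app_id" | b64url)

    # POSIX sh has no <(), so the key is staged in a private directory
    # (mktemp -d creates it mode 0700) and removed right after signing.
    keydir=$(mktemp -d) || return 1
    ( umask 077; printf '%s\n' "$pem" > "$keydir/key.pem" )
    sig=$(printf '%s' "$header.$payload" |
        openssl dgst -sha256 -sign "$keydir/key.pem" -binary | b64url)
    rm -rf "$keydir"

    # An empty signature means openssl could not read or use the key.
    [ -n "$sig" ] || return 1
    printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}
```

The resulting JWT is short-lived and is only used to request an installation access token from `https://api.github.com/app/installations/<installation id>/access_tokens`; the key never needs to persist on disk beyond the signing step.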

@divyansh42 divyansh42 requested a review from tetchel September 27, 2021 03:01
@tetchel
Contributor

tetchel commented Sep 29, 2021

This is amazing! I will take some time this week to test it out.

Contributor

@tetchel tetchel left a comment

This is awesome. All these reviews are fairly minor because I am excited to get this in.

Thank you especially for documenting this change so well. Even if it is just adopted from elsewhere.

@petracvv
Contributor Author

Ok. I think I got everything you wanted. Let me know if I missed anything!

@petracvv
Contributor Author

One thing I'm noticing is your markdown link checker in your tests is failing on the placeholder links for creating the github app with the appropriate permissions. Is there a way to add exceptions to that?

@tetchel
Contributor

tetchel commented Oct 12, 2021

@tetchel tetchel merged commit a0418b6 into redhat-actions:main Oct 12, 2021
@petracvv
Contributor Author

Great! Thanks for the merge.

@petracvv petracvv deleted the github_actions branch October 12, 2021 18:05
tetchel pushed a commit to redhat-actions/openshift-actions-runner-chart that referenced this pull request Oct 14, 2021
@tetchel
Contributor

tetchel commented Oct 14, 2021

I've released v1.2 with this change in (for the chart, it's v1.1), and rolled forward v1 to include it too.

@petracvv
Contributor Author

Awesome! Thanks for all your help with reviews.

@tetchel
Contributor

tetchel commented Oct 15, 2021

thank you for the best unsolicited contribution we've had so far! :)
