Dev_helpers/Coding/Version_control/GitHub/Apps/github_apps.saas.txt


                                  ┏━━━━━━━━━━━━━━━━━┓
                                  ┃   GITHUB_APPS   ┃
                                  ┗━━━━━━━━━━━━━━━━━┛

GOAL ==>                          #  - get API token (IAT|UAT) to call GitHub API
                                  #  - trigger webhooks on GitHub events

OAUTH APPS ==>                    #Deprecated older version of GitHub apps
                                  #Can only use UAT, not IAT
                                  #Not documented

GITHUB MAIN|API|CLI|WEBHOOKS
 |ACTIONS ==>                     #See other GitHub docs

API METHODS ==>                   #IAT|UAT cannot call every GitHub API endpoint. See online doc

SUMMARY ==>                       #App: CRUD
                                  #Install: URL|UI|Marketplace, ORG|USER, REPO selection, suspend, SETUP_URL
                                  #Webhooks: CALLBACK_URL, events, secret
                                  #Auth: APP_JWT, Basic, IAT, web|device UAT, cache, expiration|refresh, scoped token
                                  #Permissions: APP_PERMISSION|TOKEN_PERMISSIONs, single files, REPO selection
                                  #Keys: APP_PRIVATE_KEY, CLIENT_ID, CLIENT_SECRET
                                  #Clients: Octokit, Node|Deno|Lambda middleware
                                  #Marketplace: description, requirements, verification, insights, webhooks
                                  #Marketplace plans: free trial, per-seat, 5% cut, monthly|yearly
                                  #Probot: configuration, production|dev webhooks server, logging, scaffold|create app

                                  ┌────────────────┐
                                  │   APP CREATE   │
                                  └────────────────┘

POST [/organizations/ORG]         #Create (not install) app from URL
 /settings/apps/new               #Can also be done|edited from UI
                                  #  - can edit MANIFEST.name
REQ.manifest                      #"MANIFEST_JSON"
REQ.state                         #'STATE'. Like OAuth

GET [/organizations/ORG]          #Same but:
 /settings/apps/new               #  - use ?VAR instead of REQ.manifest
                                  #  - does not call GET MCALLBACK_URL
?state=STATE                      #

GET MCALLBACK_URL                 #Called after POST /settings/apps/new
?code=CODE                        #
?state=STATE                      #

POST                              #Must be called after GET MCALLBACK_URL
 /app-manifests/CODE/conversions  #Returns XAPP_F

                                  ┌──────────────────┐
                                  │   APP MANIFEST   │
                                  └──────────────────┘

?name
XAPP|MANIFEST.name                #STR. UI display name
?url
XAPP.external_url
MANIFEST.url                      #'URL'. Homepage
?description
XAPP|MANIFEST.description         #STR

MANIFEST.redirect_url             #"MCALLBACK_URL"

?callback_urls
MANIFEST.callback_urls            #"CALLBACK_URL"_ARR (e.g. one per environment)

?setup_url                        #"SETUP_URL", redirected on after installation (or on update)
MANIFEST.setup_url                #Meant for docs
?setup_on_update
MANIFEST.setup_on_update          #BOOL (def: false). Redirect to SETUP_URL also when app is being updated

?APP_PERMISSION
XAPP.permissions.APP_PERMISSION   #
MANIFEST.default_permissions      #STR
 .APP_PERMISSION                  #Changing permissions must be approved by ORG|USER (depending on permission)
?request_oauth_on_install
MANIFEST.request_oauth_on_install #BOOL (def: false). Ask to both "install" and "authorize"

?webhook_active                   #BOOL (def: false). Trigger webhooks
MANIFEST.hook_attributes.active   #See GitHub webhooks doc
                                  #  - including PAYLOAD.installation, XWEBHOOK_DELIVERY.installation_id
?webhook_url
MANIFEST.hook_attributes.url      #"WEBHOOK_URL". Uses POST. Prefer https
?events
XAPP.events
MANIFEST.default_events           #"WEBHOOK_EVENT"_ARR (def: all) to trigger webhooks on

?public
MANIFEST.public                   #BOOL (def: true)

                                  ┌─────────────┐
                                  │   APP GET   │
                                  └─────────────┘

GET /app                          #Must authenticate with APP_JWT
GET /apps/APP                     #

XAPP.id                           #'APP_ID'
                                  #ID of app, secret
XAPP.slug                         #'APP'
XAPP.node_id                      #'BASE64'

XAPP_F.pem                        #'APP_PRIVATE_KEY'. App secret
                                  #PEM format (PKCS#1 RSAPrivateKey)
                                  #Not stored by GitHub, i.e. only shown once
XAPP[_F].client_id                #'CLIENT_ID'. OAuth CLIENT_ID, public
                                  #Can get from app settings UI
XAPP_F.client_secret              #'CLIENT_SECRET'. OAuth CLIENT_SECRET, private
                                  #Can get from app settings UI
XAPP_F.webhook_secret             #'WEBHOOK_SECRET'. App secret, meant to authenticate webhook requests

XAPP.owner                        #USER
XAPP.html_url                     #'URL' to GitHub repository
XAPP.created_at|updated_at        #'DATE'

                                  ┌──────────────────┐
                                  │   INSTALL MAIN   │
                                  └──────────────────┘

GET /apps/APP/installations/new   #Install an APP from a URL
                                  #Alternatives:
                                  #  - install from UI, for dev
                                  #  - marketplace
?state=STATE                      #

GET /user/installations           #Must authenticate with UAT
GET /app/installations            #Must authenticate with APP_JWT
GET OORG|RREPO|UUSER/installations#Must authenticate with APP_JWT
GET|DELETE /app/installations
 /INSTALLATION_ID                 #Must authenticate with APP_JWT
XINSTALLATION.id                  #INSTALLATION_ID
XINSTALLATION.account             #USER
XINSTALLATION.app_id              #APP_ID
XINSTALLATION.client_id           #'CLIENT_ID'
XINSTALLATION.app_slug            #'APP'
XINSTALLATION.target_id           #ORG_ID|REPO_ID
XINSTALLATION.target_type         #'Organization|Repository'
XINSTALLATION.events              #Like XAPP.*
XINSTALLATION.contact_email       #'EMAIL'|null
XINSTALLATION
 .created_at|updated_at           #'DATE'

XINSTALLATION
 .permissions.TOKEN_PERMISSION    #Like XAPP.*
XINSTALLATION.single_file_name    #'PATH'|null. Permission on single file only
XINSTALLATION.single_file_paths   #Same but with 'PATH'_ARR|null
XINSTALLATION
 .has_multiple_single_files       #BOOL. Whether single_file_paths used

XINSTALLATION.html_url
/organizations/github/settings
 /installations/INSTALLATION_ID   #App URL in the UI

installation.created|deleted      #Webhook SUBEVENT. GitHub app [un]install
PAYLOAD.repository                #REPO which installed it
PAYLOAD.repositories              #REPO_ARR from XINSTALLATION.repository_selection
PAYLOAD.requester                 #USER|ORG|null

                                  ┌─────────────────────┐
                                  │   INSTALL SUSPEND   │
                                  └─────────────────────┘

PUT|DELETE /app/installations     #[Un]pause APP. No permissions when paused
 /INSTALLATION_ID/suspended       #Empty RES
                                  #Must authenticate with APP_JWT
XINSTALLATION.suspended_at        #'DATE'|null
XINSTALLATION.suspended_by        #USER|null

installation.[un]suspend          #Webhook SUBEVENT
PAYLOAD.repository|repositories
 |requester                       #Same as above

                                  ┌─────────────────┐
                                  │   INSTALL ORG   │
                                  └─────────────────┘

ORG INSTALLATION ==>              #Instead of a REPO, can be installed for an ORG
                                  #By either:
                                  #  - ORG owner
                                  #  - users with "GitHub app manager" role on specific app
                                  #     - can edit but not install|uninstall app

GET /app/installation-requests    #Pending INSTALLATIONs, i.e. ORG users requesting ORG owners
XINSTALLATION_REQUEST.id          #INSTALLATION_ID
XINSTALLATION_REQUEST.requester   #USER
XINSTALLATION_REQUEST.created_at  #'DATE'

                                  ┌──────────────────────────┐
                                  │   INSTALL REPOSITORIES   │
                                  └──────────────────────────┘

XINSTALLATION.repository_selection#'all|selected'. If 'selected', restricted to specific REPOs

PUT|DELETE /user/installations
 /INSTALLATION_ID/repositories    #Add|remove a REPO to an APP installation
 /REPO_ID                         #Empty RES

XINSTALLATION.repositories_url    #REPO_ARR using this APP installation
GET /installations/repositories   #Must authenticate with IAT

GET /user/installations           #REPO_ARR using this APP installation
 /INSTALLATION_ID/repositories    #Must authenticate with UAT

installation_repositories
 .added|removed                   #Webhook SUBEVENT. Adding|removing more REPOs to a GitHub app installation
PAYLOAD.repository                #REPO
PAYLOAD.repository_selection      #'all|selected' like XINSTALLATION.repository_selection
PAYLOAD.requester                 #USER|ORG|null
PAYLOAD.repository_added|removed  #CHANGED_REPO_ARR
CHANGED_REPO.id                   #NUM
CHANGED_REPO.node_id              #'NODE_ID'
CHANGED_REPO.name                 #STR
CHANGED_REPO.full_name            #STR
CHANGED_REPO.private              #BOOL. Whether REPO is private

installation_target               #Webhook SUBEVENT. Renamed USER|ORG using a GitHub app
PAYLOAD.changes.login|slug.from   #STR
PAYLOAD.target_type               #'User|Organization'
PAYLOAD.account                   #ACCOUNT

                                  ┌───────────────────────────┐
                                  │   APP CLIENT HIGH-LEVEL   │
                                  └───────────────────────────┘

@octokit/octokit
App
createNodeMiddleware(...)         #Forward to @octokit/app

@octokit/app                      #Version 15.1.5
                                  #Node
                                  #Deno, except createNodeMiddleware()
                                  #Browsers too, but secrets should not be exposed to client code

new App(OOPTS)                    #OAPP
App.defaults(OOPTS)->App          #

OAPP|OOPTS.log                    #LOGS_OBJ

OAPP.octokit
WEVENT.octokit
OAPP.getInstallationOctokit
 (INSTALLATION_ID)->>OCORE        #OCORE
OOPTS.Octokit                     #CLASS (def: @octokit/core Octokit)

OAPP.oauth                        #YAPP
OOPTS.oauth                       #YOPTS

OAPP.webhooks                     #WHOOKS from @octokit/webhooks
OOPTS.webhooks.secret             #'WEBHOOK_SECRET'

OAPP.getInstallationUrl([OPTS])   #Install an APP from a URL, by returning '.../apps/APP/installations/new'
 ->>'URL'                         #OPTS:
                                  #  - target_id ORG_ID|REPO_ID:
                                  #     - limit to only a specific ORG|REPO which can install
                                  #     - returns '.../permissions?target_id=ORG_ID|REPO_ID'
                                  #  - state OBJ: query variable ?state

OAPP.eachInstallation()           #Iterate over all INSTALLATIONs of the APP, using GET /app/installations
 ->OBJ_ASYNC_ITERABLE             #OBJ: installation XINSTALLATION, octokit OCORE (using getInstallationOctokit())

OAPP.eachRepository([OPTS])       #Iterate over all REPOs using the APP, using GET /installations/repositories
 ->OBJ_ASYNC_ITERABLE             #OBJ: repository XREPO, octokit OCORE (using getInstallationOctokit())
                                  #OPTS: installationId INSTALLATION_ID (def: all)

OAPP.createNodeMiddleware([OPTS]) #Combines createNodeMiddleware() of @octokit/oauth-app + @octokit/webhooks
 ->FUNC(REQ, RES[, FUNC2])        #If no FUNC2 and URL does not match, 404 with { error: 'Unknown route: HTTP_METHOD /PATH' }
OPTS.log                          #LOGS_OBJ
OPTS.pathPrefix                   #'/PATH' (def: '/api/github'). Appended with /oauth|webhooks

                                  ┌──────────────────────────┐
                                  │   APP CLIENT LOW-LEVEL   │
                                  └──────────────────────────┘

@octokit/octokit
OAuthApp                          #Forward to @octokit/oauth-app

@octokit/oauth-app                #Version 7.1.6
                                  #Node/Deno
                                  #Browsers too, but secrets should not be exposed to client code

new OAuthApp(YOPTS)               #YAPP
OAuthApp.defaults(YOPTS)->OAuthApp#

YOPTS.log                         #LOGS_OBJ

YAPP.octokit                      #OCORE
YOPTS.Octokit                     #Octokit (from @octokit/core)

YAPP.on('YEVENT[.YSUBEVENT]',
 FUNC(YPAYLOAD))                  #
YPAYLOAD.name                     #'YEVENT'
YPAYLOAD.action                   #'YSUBEVENT'
YPAYLOAD.authentication           #UAT_INFO
                                  #undefined with YEVENT token|authorization.deleted
YPAYLOAD.token                    #'ACCESS_TOKEN'
YPAYLOAD.octokit                  #OCORE

                                  ┌─────────────────┐
                                  │   AUTH COMMON   │
                                  └─────────────────┘

octokit-auth-probot               #Version 3.1.0
                                  #Node/Deno/browsers (like below)
createProbotAuth(BBOPTS)->BAPP    #Forwards to either:
BAPP(BOPTS)->>OCORE               #  - TAPP: if BBOPTS.token 'TOKEN'
                                  #  - AAPP:
                                  #     - if BBOPTS.appId|privateKey used
                                  #     - if BOPTS.type 'event-octokit':
                                  #        - uses AOPTS.type 'installation' (IAT)
                                  #        - finds INSTALLATION_ID from BOPTS.event WEVENT
                                  #           - using WEVENT.event.payload.installation.id
                                  #        - if EVENT 'installation.suspend|deleted', use ZAPP instead
                                  #  - ZAPP otherwise
                                  #Unlike other *APP, returns OCORE, not *_INFO
BBOPTS.octokit                    #Octokit
BBOPTS.octokitOptions             #KOPTS

@octokit/app
OAPP.octokit                      #Automatically authenticated with APP_JWT, Basic auth, IAT, UAT by using:
OAPP.oauth                        #  - KOPTS.authStrategy createAppAuth
                                  #  - KOPTS.auth: appId|privateKey OOPTS.*, clientId|clientSecret OOPTS.oauth.*
WEVENT.octokit
OAPP.getInstallationOctokit
 (INSTALLATION_ID)->>OCORE        #Automatically authenticated with IAT by using KOPTS.authStrategy createAppAuth

@octokit/auth-app                 #Version 7.1.5
                                  #Node/Deno
                                  #Handles APP_JWT, Basic auth, IAT, UAT
createAppAuth(AAOPTS)->AAPP       #
AAPP(AOPTS)->>JWT_INFO|BASIC_INFO
 |INSTALL_INFO|UAT_INFO           #
OOPTS|AAOPTS.appId|privateKey     #Required, even if not used by the specific flow
AAOPTS.log                        #LOGS_OBJ
                                  #Used to log time skew errors, or HTTP retries

@octokit/oauth-app
YAPP.octokit                      #Automatically authenticates with UAT by using:
                                  #  - KOPTS.authStrategy createOAuthAppAuth
                                  #  - KOPTS.auth: clientType|clientId|clientSecret YOPTS.*
YAPP.createToken(UOPTS)->>OBJ     #Forwards to @octokit/auth-oauth-user UAPP(UOPTS)
                                  #Returns { authentication: UAT_INFO }
YAPP.getUserOctokit(UOPTS)->>OCORE#Authenticated with UAT, using @octokit/auth-oauth-user UAPP(UOPTS)
YEVENT token.created              #

@octokit/auth-oauth-app           #Version 8.1.3
                                  #Node/Deno
                                  #Handles APP_JWT, UAT
createOAuthAppAuth(PPOPTS)->PAPP  #
PAPP(POPTS)->>OBJ                 #

@octokit/auth-oauth-user          #Version 5.1.3
                                  #Node/Deno
                                  #Handles UAT

@octokit/auth-app
@octokit/auth-oauth-app
@octokit/auth-oauth-user
createOAuthUserAuth(UUOPTS)->UAPP #
UAPP(UOPTS)->>UAT_INFO            #Forwards to exchangeWebFlowCode|createOAuthDeviceAuth()
                                  #Cached, i.e. only done once

@octokit/auth-token               #Version 5.1.2
createTokenAuth('TOKEN')->TAPP    #Same shape as other *APPs, but with a specific TOKEN (PAT, APP_JWT, IAT, UAT, Actions GITHUB_TOKEN)
TAPP()->>TAPP_INFO                #
TAPP_INFO.type                    #'token'
TAPP_INFO.tokenType               #'app|installation|user-to-server|oauth'
TAPP_INFO.token                   #'TOKEN'

@octokit/auth-unauthenticated     #Version 6.1.2
createUnauthenticatedAuth
 (ZZOPTS)->ZAPP                   #Same shape as other *APPs, but for unauthenticated requests
ZAPP()->>ZAPP_INFO                #
ZAPP_INFO.type                    #'unauthenticated'
ZZOPTS|ZAPP_INFO.reason           #'MESSAGE'

@octokit/auth-callback            #Version 5.0.1
createCallbackAuth(CCOPTS)->CAPP  #Like @octokit/auth-token, but using a FUNC
CAPP()->>CAPP_INFO                #
CCOPTS.callback                   #FUNC()->>['TOKEN']
CAPP_INFO.*                       #If no 'TOKEN', like ZAPP_INFO.*. Otherwise, like TAPP_INFO.*

BAPP|AAPP|PAPP|DAPP|UAPP|TAPP     #Like OREQUEST(...) (see @octokit/request)
 |CAPP|ZAPP|IAPP                  #But using the right Authorization [C] depending on the request.
 .hook(OREQUEST, ...)->>RET       #With APP_JWT, handles time skew errors
                                  #With IAT, retries with exponential backoff since newly created IAT sometimes need it
                                  #Can be used as OREQUEST's REQ_OPTS.request.hook

BOPTS|FOPTS|EOPTS|VOPTS|[D]DOPTS
 |MOPTS|NOPTS|AAOPTS|[P]POPTS
 |UUOPTS.request                  #OREQUEST (from @octokit/request)

AOPTS|POPTS.factory               #FUNC. Calls and returns FUNC([A]AOPTS|[P]POPTS)

                                  ┌─────────────┐
                                  │   APP JWT   │
                                  └─────────────┘

Authorization: Bearer APP_JWT [C] #Authenticate as a GitHub app, for all installations
                                  #Only used for specific GitHub app-related API calls, documented below

APP_JWT                           #Must be signed with APP_PRIVATE_KEY
APP_JWT.ENVLOP.alg                #'RS256'
APP_JWT.PAYLOAD.iat               #DATE_NUM
APP_JWT.PAYLOAD.exp               #DATE_NUM. Max: iat + 10min
APP_JWT.PAYLOAD.iss               #'CLIENT_ID' (preferred) or 'APP_ID'

AOPTS.type 'app'                  #Forwards to universal-github-app-jwt and returns JWT_INFO
JWT_INFO.type                     #Always 'app'

universal-github-app-jwt          #Version 2.2.2
                                  #Node/Deno/browsers
githubAppJwt(JOPTS)->>JWT_RES     #Create APP_JWT

AAOPTS|JOPTS.privateKey           #'APP_PRIVATE_KEY'
                                  #In browsers/Deno, must first convert from PKCS#1 to PKCS#8
                                  #  openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in OLD_APP_PRIVATE_KEY.pem -out NEW_APP_PRIVATE_KEY.key

JOPTS.id
AAOPTS|JWT_INFO|JWT_RES.appId
JWT_PAYLOAD.iss                   #'CLIENT_ID|APP_ID'

JOPTS.now                         #NUM (in secs, def: now)
JWT_PAYLOAD.iat                   #JOPTS.now - 30 (for time clock drift)
AAOPTS.timeDifference             #NUM (def: 0) added to JOPTS.now
JWT_RES.expiration
JWT_PAYLOAD.exp                   #10 minutes from JWT_PAYLOAD.iat
JWT_INFO.expiresAt                #Same but as 'DATE'

JWT_INFO|JWT_RES.token            #'APP_JWT'

                                  ┌────────────────┐
                                  │   BASIC AUTH   │
                                  └────────────────┘

Authorization: Basic
 BASE64(CLIENT_ID:CLIENT_SECRET)
 [C]                              #Alternative to APP_JWT. Used with a different set of API calls

AOPTS.type 'oauth-app'            #Forwards to @octokit/auth-oauth-app with POPTS.type 'oauth-app'
                                  #Returns BASIC_INFO

POPTS.type 'oauth-app'            #For Authorization: Basic [C]
                                  #Returns PAPP_RESP

PPOPTS|BASIC_INFOPAPP_RESP
 .clientType                      #'APP_TYPE'
AAOPTS|POPTS|BASIC_INFO|PAPP_RESP
 .clientId                        #'CLIENT_ID'
AAOPTS|POPTS|BASIC_INFO|PAPP_RESP
 .clientSecret                    #'CLIENT_SECRET'

BASIC_INFO|PAPP_RESP.type         #Always 'oauth-app'

BASIC_INFO|PAPP_RESP
 .headers.authorization           #'basic BASE64(CLIENT_ID:CLIENT_SECRET)'

                                  ┌─────────┐
                                  │   IAT   │
                                  └─────────┘

Authorization: Bearer IAT [C]     #Authenticate as a GitHub app, for a specific installation ("server-to-server")
Authorization: token IAT [C]      #Read|write access a repo|org
                                  #Unrelated to user, i.e. not restricted by user permissions
                                  #Actions are shown as done by app
https://x-access-token:IAT
 @github.com/USER/REPO.git        #Authenticate as a GitHub app installation, for HTTP-based git

XINSTALLATION.access_tokens_url   #Get IAT ("Installation Access Token")
POST /app/installations           #Must be authenticated with APP_JWT
 /INSTALLATION_ID/access_tokens   #GitHub app must have been installed

AOPTS.type 'installation'         #POST /app/installations/INSTALLATION_ID/access_tokens
                                  #Authenticated with an APP_JWT
AAOPTS
 .appId|privateKey|timeDifference #Like with AOPTS.type 'app'
[A]AOPTS|INSTALL_INFO
 .installationId                  #'INSTALLATION_ID'

AOPTS|INSTALL_INFO
 .permissions.TOKEN_PERMISSION
REQ|RES
 .permissions.TOKEN_PERMISSION    #STR. Restrict to specific permissions (def: all)
AOPTS|INSTALL_INFO.repositoryIds
REQ.repository_ids                #REPO_ID_ARR (def: all) which can be accessed
AOPTS|INSTALL_INFO.repositoryNames
REQ.repositories                  #Same with 'REPO'_ARR
RES.repositories                  #REPO_ARR

INSTALL_INFO.token
RES.token                         #'ghs_*'. IAT
INSTALL_INFO.createdAt
RES.created_at                    #'DATE'
INSTALL_INFO.expiresAt
RES.expires_at                    #'DATE'. Only valid 1 hour, no refresh, but can re-create it
INSTALL_INFO.singleFileName
RES.single_file                   #Like XINSTALLATION.*
INSTALL_INFO.repositorySelection
RES.repository_selection          #Like XINSTALLATION.*

INSTALL_INFO.type                 #Always 'token'
INSTALL_INFO.tokenType            #Always 'installation'

AOPTS.refresh                     #BOOL. If false (def), caches IAT
AAOPTS.cache                      #Customize cache
                                  #OBJ: get('KEY')->'IAT', set('KEY', 'IAT')
                                  #Def:
                                  #  - lru-cache (see its doc)
                                  #  - in-memory
                                  #  - max 15e3 items
                                  #  - max 1 hour (same as IAT expiration time)

DELETE /installation/token        #Revoke IAT
                                  #Must be authenticated with IAT

                                  ┌──────────────────────┐
                                  │   GITHUB-APP-TOKEN   │
                                  └──────────────────────┘

tidbex/github-app-token           #GitHub action to get an installed GitHub app's IAT
                                  #Goal: use it instead of GitHub action's current GITHUB_TOKEN
                                  #Only needed when current GITHUB_TOKEN is missing permissions that GitHub app has
                                  #  - including access to other repos
                                  #Version 2.1.0

INPUTS.app_id                     #'APP_ID' (should use secrets)
INPUTS.private_key                #APP_PRIVATE_KEY (should use secrets), base64'd or not
INPUTS.installation_retrieval_mode#'id|organization|repository|user'
INPUTS                            #Depending on installation_retrieval_mode:
 .installation_retrieval_payload  #  - 'id': INSTALLATION_ID
                                  #  - 'organization': ORG, using GET OORG/installation
                                  #  - 'repository': REPO, using GET RREPO/installation
                                  #  - 'user': USER, using GET UUSER/installation
INPUTS.repositories               #'USER/REPO'_ARR (def: current one)
INPUTS.permissions                #'OBJ_JSON'
INPUTS.github_api_url             #'URL' of GitHub API (for GitHub enterprise)
INPUTS.revoke                     #BOOL. If true (def), revoke IAT at end of action

SECRET_OUTPUTS.token              #'IAT'. Created using POST /app/installations/INSTALLATION_ID/access_tokens
                                  #While authenticated using a APP_JWT created by @octokit/auth-app createAppAuth() with type 'app'
                                  #Revoked at end of workflow using DELETE /installation/token

                                  ┌─────────┐
                                  │   UAT   │
                                  └─────────┘

Authorization:                    #Authenticate as a GitHub app user ("user-to-server")
 Bearer ACCESS_TOKEN [C]          #Alternative to IAT, but with permissions on behalf of user
Authorization:                    #  - including access other things than repo|org
 token ACCESS_TOKEN [C]           #  - i.e. some actions available with ACCESS_TOKEN but not IAT
                                  #Actions are shown as done by user, with additional hint it's been done through an app
                                  #Restricted by permissions of both app and user
                                  #Obtained either through web flow or device flow

OAUTH ==>                         #Used to get|refresh ACCESS_TOKEN ("user access token", UAT)
                                  #User must first have "authorized" the app
                                  #See OAuth doc too

                                  ┌───────────────────┐
                                  │   UAT WEB FIRST   │
                                  └───────────────────┘

WEB FLOW ==>                      #Must be used when client is a browser

GET /login/oauth/authorize        #Start web flow. Can either:
                                  #  - redirect user manually to it
                                  #  - redirect at installation time
                                  #     - CALLBACK_URL must always use default value
                                  #     - no ?state parameter needed

YAPP.getWebFlowAuthorizationUrl
 (FOPTS)->>FIRST_INFO             #Forwards to @octokit/oauth-methods getWebFlowAuthorizationUrl()

@octokit/oauth-methods
getWebFlowAuthorizationUrl
 (FOPTS)->FIRST_INFO              #Forwards to @octokit/oauth-authorization-url

@octokit/oauth-authorization-url  #Version 7.1.1
                                  #Node/Deno
oauthAuthorizationUrl(FOPTS)
 ->FIRST_INFO                     #Returns a AUTH_URL, to start flow for UAT
FOPTS|FIRST_INFO.clientType       #'APP_TYPE', either 'oauth-app' (def, not documented) or 'github-app'
FIRST_INFO.url                    #AUTH_URL, i.e. 'BASE_URL/login/oauth/authorize?VARs' using OPTs above
YOPTS|FOPTS.baseUrl               #'BASE_URL' (def: 'https://github.com')

?client_id
FOPTS|FIRST_INFO.clientId         #'CLIENT_ID'
?redirect_uri                     #'CALLBACK_URL' (def: none)
YOPTS|FOPTS|FIRST_INFO.redirectUrl#Must be among MANIFEST.callback_urls
                                  #Def: MANIFEST.callback_urls[0]
?scope                            #Not present
?state                            #'STATE' (def: none)
FOPTS|FIRST_INFO.state            #'STATE' (def: random 10 chars base36'd)
?login
FOPTS|FIRST_INFO.login            #'USER' (def: none). Prompt user to login
?allow_signup
YOPTS|FOPTS|FIRST_INFO.allowSignup#BOOL (def: true). Allow unauthenticated users to signup, not only login

GET CALLBACK_URL                  #Done by GitHub when user submits consent on GET /login/oauth/authorize
?code                             #'CODE'
?state                            #'STATE'. Should verify it

                                  ┌────────────────────┐
                                  │   UAT WEB SECOND   │
                                  └────────────────────┘

AOPTS.type 'oauth-user'           #Forwards to @octokit/auth-oauth-app with POPTS.type 'oauth-user'
                                  #Returns UAT_INFO

POPTS.type 'oauth-user'           #Forwards to @octokit/auth-oauth-user UAPP()
                                  #Returns UAT_INFO

UAPP(UOPTS)->>UAT_INFO            #Forwards to exchangeWebFlowCode()
                                  #Cached, i.e. only done once

POST /login/oauth/access_token    #Second step of web flow, to do inside CALLBACK_URL handler
REQ.grant_type                    #Not present
RES.scope                         #Always empty
RES.state                         #'STATE'

@octokit/oauth-methods
exchangeWebFlowCode(EOPTS)->>RET  #POST /login/oauth/access_token, i.e. second server-side step for UAT

RET.authentication.clientType
YOPTS|PPOPTS|UUOPTS|EOPTS|UAT_INFO
 .clientType                      #'APP_TYPE'
REQ.client_id
RET.authentication.clientId
OOPTS.auth|YOPTS|[A]AOPTS|[P]POPTS
 |UUOPTS|EOPTS|UAT_INFO.clientId  #'CLIENT_ID'
REQ.client_secret
RET.authentication.clientSecret
OOPTS.auth|YOPTS|[A]AOPTS|[P]POPTS
 |UUOPTS|EOPTS|UAT_INFO
 .clientSecret                    #'CLIENT_SECRET'
REQ.redirect_uri
AOPTS|POPTS|UUOPTS|EOPTS
 .redirectUrl                     #'CALLBACK_URL'
REQ|AOPTS|POPTS|UUOPTS|EOPTS.code #'CODE'

REQ.repository_id                 #REPO_ID. Only give permissions to this REPO

UAT_INFO.type                     #Always 'token'
UAT_INFO.tokenType                #Always 'oauth'

RES.access_token
RET.authentication.token
UAT_INFO.token                    #'ACCESS_TOKEN'. Always start with ghu_*

RES.refresh_token
RET.authentication.refreshToken
UAT_INFO.refreshToken             #'REFRESH_TOKEN'. Always start with ghr_*
RES.expires_in                    #NUM (in secs, always 8h), of the ACCESS_TOKEN
                                  #Must be opted in
RET.authentication.expiresAt
UAT_INFO.expiresAt                #Same but as DATE
RES.refresh_token_expires_in      #NUM (in secs, always 6 months), of the REFRESH_TOKEN
RET.authentication
 .refreshTokenExpiresAt
UAT_INFO.refreshTokenExpiresAt    #Same but as DATE

UAT_INFO.invalid                  #undefined|true. true if token was reset|deleted

                                  ┌──────────────────────┐
                                  │   UAT DEVICE FIRST   │
                                  └──────────────────────┘

DEVICE FLOW ==>                   #Must be used when client is not a browser, e.g. a CLI or mobile|desktop app
                                  #Must be enabled in settings (beta feature)

AOPTS.type 'oauth-user'           #Forwards to @octokit/auth-oauth-app with POPTS.type 'oauth-user'
                                  #Returns UAT_INFO

POPTS.type 'oauth-user'           #Forwards to @octokit/auth-oauth-user UAPP()
                                  #Returns UAT_INFO

UAPP(UOPTS)->>UAT_INFO            #Forwards to createOAuthDeviceAuth()
                                  #Cached, i.e. only done once

@octokit/auth-oauth-device        #Version 7.1.4
                                  #Node/Deno/browsers
createOAuthDeviceAuth(DDOPTS)
 ->DAPP
DAPP(DOPTS)->>UAT_INFO            #Does createDeviceCode() then poll with exchangeDeviceCode()

POST /login/device/code           #First step of device flow
REQ.client_id                     #CLIENT_ID

@octokit/oauth-methods
createDeviceCode(MOPTS)->>RET     #POST /login/device/code

RES|RET.verification_uri          #'.../login/device'
                                  #User must go to that URL and submit 'USER_CODE'
RES|RET.interval                  #NUM (secs, always 5s). Polling interval for VERIFY_URL
RES|RET.device_code               #'DEVICE_CODE'
RES|RET.user_code                 #'USER_CODE'
RES|RET.expires_in                #NUM (in secs, always 15m). For DEVICE_CODE|USER_CODE

PPOPTS|UUOPTS|DDOPTS|NOPTS
 .clientType                      #'APP_TYPE'
UUOPTS|NOPTS.clientSecret         #'CLIENT_SECRET'. Only used if UOPTS.type defined

                                  ┌───────────────────────┐
                                  │   UAT DEVICE SECOND   │
                                  └───────────────────────┘

POST /login/oauth/access_token    #Second step of device flow, to poll
RES.*                             #Like web flow
RES.error                         #'NAME' among:
                                  #  - 'authorization_pending': user has not entered USER_CODE yet
                                  #  - 'access_denied': user clicked cancel
                                  #  - 'expired_token': DEVICE_CODE expired
                                  #  - 'slow_down': polling too fast
                                  #  - 'incorrect_client_credentials': invalid CLIENT_ID
                                  #  - 'incorrect_device_code': invalid DEVICE_CODE
                                  #  - 'unsupported_grant_type': invalid ?grant_type
                                  #  - 'device_flow_disabled': device flow not enabled in settings

@octokit/oauth-methods
exchangeDeviceCode(NOPTS)->>RET   #POST /login/oauth/access_token
RET.*                             #Like exchangeWebFlowCode()

REQ.client_id
[A]AOPTS|[P]POPTS|UUOPTS|DDOPTS
 |MOPTS|NOPTS.clientId            #'CLIENT_ID'
REQ.device_code
NOPTS.code                        #'DEVICE_CODE'
REQ.grant_type                    #Always 'urn:ietf:params:oauth:grant-type:device_code'
REQ.repository_id                 #REPO_ID. Restrict permissions to only this REPO

AOPTS|POPTS|UUOPTS|DDOPTS         #FUNC(RET)[->>] called with createDeviceCode() response
 .onVerification                  #User must input 'USER_CODE' in VERIFY_URL
                                  #E.g. should print|show instructions

AOPTS|POPTS|UUOPTS|DDOPTS
 .auth.refresh                    #BOOL (def: false). Forces re-using it even when calling DAPP() several times

                                  ┌─────────────────┐
                                  │   UAT ACTIONS   │
                                  └─────────────────┘

UUOPTS.onTokenCreated             #FUNC(UAT_INFO, { type: UUOPTS.type }) called by UAPP(UUOPTS) on:
                                  #  - creation (only with web flow)
                                  #  - refresh (UOPTS.type 'refresh')
                                  #  - reset (UOPTS.type 'reset')

UOPTS.type                        #Action on the token, among:
                                  #  - 'get' (def): none
                                  #  - 'refresh': if ACCESS_TOKEN `expiresAt` old, call refreshToken()
                                  #  - 'check': call checkToken()
                                  #  - 'reset': call resetToken()
                                  #  - 'delete': call deleteToken()
                                  #  - 'deleteAuthorization': call deleteAuthorization()

@octokit/oauth-methods            #REST API methods related to UAT
                                  #Version 5.1.4
                                  #Node/Deno
VRET.authentication.clientType
VOPTS.clientType                  #'APP_TYPE'
VRET.authentication.clientId
VOPTS.clientId                    #'CLIENT_ID'
VRET.authentication.clientSecret
VOPTS.clientSecret                #'CLIENT_SECRET'

VRET.authentication.token         #'ACCESS_TOKEN'
VRET.authentication.expiresAt     #'DATE'

VRET.data.*                       #HTTP raw response

                                  ┌─────────────────┐
                                  │   UAT REFRESH   │
                                  └─────────────────┘

POST /login/oauth/access_token    #Get a new ACCESS_TOKEN using a REFRESH_TOKEN
REQ.client_id                     #CLIENT_ID
REQ.client_secret                 #CLIENT_SECRET
REQ.grant_type                    #'refresh_token'
RES.*                             #Like web flow

YAPP.refreshToken(VOPTS)->>VRET   #Forwards to @oauth-methods refreshToken()
YEVENT token.refreshed            #

@octokit/oauth-methods
refreshToken(VOPTS)->>VRET        #POST /login/oauth/access_token

VRET.authencation.refreshToken
VOPTS.refreshToken
REQ.refresh_token                 #'REFRESH_TOKEN'
VRET.authentication
 .refreshTokenExpiresAt           #'DATE'
VOPTS.redirectUrl                 #'CALLBACK_URL'

                                  ┌───────────────┐
                                  │   UAT RESET   │
                                  └───────────────┘

PATCH                             #Refresh ACCESS_TOKEN, but delete old one
 /applications/CLIENT_ID/token    #Must use Basic authentication
RES.id                            #NUM
RES.url                           #'URL'
RES.token                         #'ACCESS_TOKEN'
RES.token_last_eight              #'ACCESS_TOKEN' last 8 chars
RES.fingerprint                   #'ACCESS_TOKEN' fingerprint
RES.scopes                        #ARR
RES.app.url                       #'URL'
RES.app.name                      #STR
RES.app.client_id                 #'CLIENT_ID'
RES.note[_url]                    #STR
RES.created_at|updated_at         #'DATE'
RES.expires_at                    #'DATE'
RES.owner                         #USER

YAPP.resetToken(VOPTS)->>VRET     #Forwards to @oauth-methods resetToken()
YEVENT token.reset                #

@octokit/oauth-methods
resetToken(VOPTS)->>VRET          #PATCH /applications/CLIENT_ID/token
                                  #Uses Basic authentication

VOPTS|REQ.access_token            #'ACCESS_TOKEN'

                                  ┌───────────────┐
                                  │   UAT CHECK   │
                                  └───────────────┘

POST /applications/CLIENT_ID/token#Get info about an ACCESS_TOKEN
                                  #Must use Basic authentication
RES.*                             #Like PATCH /applications/CLIENT_ID/token
RES.access_token[_last_eight]     #Instead of RES.token*
RES.hashed_token                  #'ACCESS_TOKEN' hash

YAPP.checkToken(VOPTS)->>VRET     #Forwards to @oauth-methods checkToken()

@octokit/oauth-methods
checkToken(VOPTS)->>VRET          #POST /applications/CLIENT_ID/token
                                  #Uses Basic authentication

VOPTS|REQ.access_token            #'ACCESS_TOKEN'

                                  ┌───────────────┐
                                  │   UAT SCOPE   │
                                  └───────────────┘

POST /applications/CLIENT_ID      #Copy ACCESS_TOKEN but with stricter permissions ("scoped ACCESS_TOKEN")
 /token/scoped                    #Must use Basic authentication
RES.*                             #Like PATCH /applications/CLIENT_ID/token
RES.hashed_token                  #'ACCESS_TOKEN' hash

YAPP.scopeToken(VOPTS)->>VRET     #Forwards to @oauth-methods scopeToken()
YEVENT token.scoped               #

@octokit/oauth-methods
scopeToken(VOPTS)->>VRET          #POST /applications/CLIENT_ID/token/scoped
                                  #Uses Basic authentication

VOPTS.accessToken
REQ.access_token                  #'ACCESS_TOKEN'
VOPTS.permissions.TOKEN_PERMISSION
REQ.permissions.TOKEN_PERMISSION  #STR.
VOPTS.target
REQ.target                        #Restrict only to that 'USER|ORG'
VOPTS.targetId
REQ.target_id                     #Same with USER|ORG_ID
VOPTS.repositories
REQ.repositories                  #Restrict only to those 'REPO'_ARR
VOPTS.repositoryIds
REQ.repository_ids                #Same with REPO_ID_ARR

                                  ┌──────────────────────┐
                                  │   UAT DELETE TOKEN   │
                                  └──────────────────────┘

DELETE                            #Delete an ACCESS_TOKEN
 /applications/CLIENT_ID/token    #Must use Basic authentication
                                  #Can also be done by user through UI

YAPP.deleteToken(VOPTS)->>VRET    #Forwards to @oauth-methods deleteToken()
YEVENT token.deleted              #

@octokit/oauth-methods
deleteToken(VOPTS)->>RET          #DELETE /applications/CLIENT_ID/token
                                  #Uses Basic authentication
                                  #Empty RET

VOPTS|REQ.access_token            #'ACCESS_TOKEN'

github_app_authorization          #Webhook triggered when ACCESS_TOKEN revoked
                                  #Should undo the app logic for that user

                                  ┌──────────────────────┐
                                  │   UAT DELETE GRANT   │
                                  └──────────────────────┘

DELETE                            #Delete an APP "authorization" for a given install
 /applications/CLIENT_ID/grant    #Must use Basic authentication

YAPP.deleteAuthorization(VOPTS)
 ->>VRET                          #Forwards to @oauth-methods deleteAuthorization()
YEVENT authorization.deleted      #

@octokit/oauth-methods
deleteAuthorization(VOPTS)->>RET  #DELETE /applications/CLIENT_ID/grant
                                  #Uses Basic authentication
                                  #Empty RET

VOPTS|REQ.access_token            #'ACCESS_TOKEN'

github_app_authorization.revoked  #Webhook SUBEVENT. User revoked UAT of a GitHub app
                                  #No specific PAYLOAD.*

                                  ┌─────────────────────┐
                                  │   APP PERMISSIONS   │
                                  └─────────────────────┘

APP_PERMISSION                    #Same as API_PERMISSION, but for an APP
                                  #Same values

@octokit/app-permissions          #Version 2.1.0
APP_PERMISSIONS
 .paths./PATH.HTTP_METHOD         #ENDPOINT_PERMISSIONS
ENDPOINT_PERMISSIONS.permission   #'APP_PERMISSION'
ENDPOINT_PERMISSIONS.access       #'read|write|admin'

APP_PERMISSIONS.APP_PERMISSION    #PERMISSION_ENDPOINTS
PERMISSION_ENDPOINTS
 .read|write|admin                #'HTTP_METHOD /PATH'_ARR
PERMISSION_ENDPOINTS.url          #'DOCS_URL'

installation
 .new_permissions_accepted        #Webhook SUBEVENT. User accepted new API_PERMISSIONs for GitHub app
PAYLOAD.repository|repositories
 |requester                       #Same as above

                                  ┌───────────────────────┐
                                  │   TOKEN PERMISSIONS   │
                                  └───────────────────────┘

TOKEN_PERMISSION                  #Same as APP_PERMISSION, but for an INSTALLATION|IAT
                                  #Different values, listed below

contents                          #Repo git contents and metadata (commits, branches, releases, etc.)
single_file                       #Repo git single file
administration                    #Repo CRUD|settings|teams
metadata                          #Repo search|metadata
statuses                          #Commit status
checks                            #Commit status checks
issues                            #Issues
pull_requests                     #PRs
repository|organization_projects  #Repo projects
team_discussions                  #Team discussions
[organization_]secrets            #Repo secrets
repository|organization_hooks     #User-defined webhooks
actions                           #GitHub Actions
workflows                         #GitHub Actions workflow files
deployments                       #GitHub deployments
environments                      #GitHub deployments' environments
[organization_]packages           #GitHub Packages
pages                             #GitHub Pages
secret_scanning_alerts            #Secret scanning alerts
security_events                   #Security alerts like code scanning
vulnerability_alerts              #Dependabot alerts
members                           #ORG teams|members
organization_administration       #Access to ORG
organization_custom_roles         #ORG roles management
organization_user_blocking        #ORG banned users
organization_
 personal_access_tokens           #ORG access tokens
organization_
 personal_access_token_requests   #ORG access tokens requests
organization_plan                 #ORG pricing plan
organization_announcement_banners #ORG announcement banners
organization_self_hosted_runners  #ORG self-hosted CI runners

                                  ┌─────────────────────┐
                                  │   AUTH MIDDLEWARE   │
                                  └─────────────────────┘

@octokit/oauth-app
handleRequest(YAPP, OPTS, REQ_OBJ)#Middleware that is generic, using REQ_OBJ|RES_OBJ
 ->>[RES_OBJ]                     #400 on invalid request body or query variables

createNodeMiddleware(YAPP[, OPTS])#Calls handleRequest(YAPP, OPTS), but as Express-style middleware
 ->FUNC(REQ, RES, FUNC2)          #Uses Node.js APIs: REQ.url|method|headers, REQ ISTREAM and RES.writeHead|end()

createWebWorkerHandler            #FUNC() calls handleRequest(YAPP, OPTS), meant for Deno, Cloudflare workers, etc.
 (YAPP[, OPTS])->FUNC(REQ)->>[RES]#RES is undefined if OPTS.pathPrefix does not match
                                  #Uses Web APIs: REQ.url|method|headers|text and new Response()

createAWSLambdaAPIGatewayV2Handler#FUNC() calls handleRequest(YAPP, OPTS), meant for AWS Lambda through API Gateway
 (YAPP[, OPTS])                   #RES is undefined if OPTS.pathPrefix does not match
 ->FUNC(API_GATEWAY_REQ)          #Uses API_GATEWAY_REQ.requestContext.http.method, rawPath, requestContext.stage, rawQueryString, headers, body
 ->>[API_GATEWAY_RES]             #Returns { statusCode, headers, body }

OPTS.pathPrefix                   #'/PATH' (def: '/api/github/oauth')
                                  #If REQ_OBJ.url does not start with it, returns undefined

REQ_OBJ.method                    #'HTTP_METHOD'
REQ_OBJ.url                       #'URL'
REQ_OBJ.text()->>'BODY'           #Must be JSON

RES_OBJ.status                    #NUM
RES_OBJ.headers                   #OBJ
RES_OBJ.text                      #'BODY'

Access-Control-Allow-Origin: * [S]
Access-Control-Allow-Methods:
 * [S]
Access-Control-Allow-Headers:
 Content-Type, User-Agent,
 Authorization [S]                #

GET PATH_PREFIX/login             #First UAT step, web flow
                                  #Redirects (302 + Location [S]) to CALLBACK_URL
                                  #CALLBACK_URL is YAPP.getWebFlowAuthorizationUrl() with QUERY.redirectUrl|state|allowSignup
GET PATH_PREFIX/callback          #Second UAT step, web flow, as HTML
                                  #Creates ACCESS_TOKEN with YAPP.createToken() with QUERY.code
                                  #Can include QUERY.error[_description] STR
POST PATH_PREFIX/token            #Second UAT step, web flow, as JSON
                                  #Returns YAPP.createToken() with REQ.code|redirectUrl

PATCH PATH_PREFIX/refresh-token   #Returns YAPP.refreshToken(), using Authentication: token ACCESS_TOKEN [C]
PATCH PATH_PREFIX/token           #Returns YAPP.resetToken(), using Authentication: token ACCESS_TOKEN [C]
GET PATH_PREFIX/token             #Returns YAPP.checkToken(), using Authentication: token ACCESS_TOKEN [C]
POST PATH_PREFIX/token/scoped     #Returns YAPP.scopeToken(REQ), using Authentication: token ACCESS_TOKEN [C]
DELETE PATH_PREFIX/token          #Returns YAPP.deleteToken(), using Authentication: token ACCESS_TOKEN [C]
DELETE PATH_PREFIX/grant          #Returns YAPP.deleteAuthorization(), using Authentication: token ACCESS_TOKEN [C]

unknownRouteResponse(REQ_OBJ)     #Used on unknown route
 ->RES_OBJ                        #404 with body 'Unknown route: HTTP_METHOD /PATH'

                                  ┌──────────────┐
                                  │   WEBHOOKS   │
                                  └──────────────┘

WEBHOOKS ==>                      #See Webhooks doc for other events, and for general info about webhooks

PAYLOAD.installation              #GitHub app INSTALLATION, if any
                                  #For any EVENT related to GitHub apps

XWEBHOOK_DELIVERY.installation_id #INSTALLATION_ID|null, if GitHub app

                                  ┌──────────────────────┐
                                  │   MARKETPLACE MAIN   │
                                  └──────────────────────┘

MARKETPLACE ==>                   #List of:
                                  #  - GitHub apps to install
                                  #     - can require purchase
                                  #  - GitHub actions (see its doc)
                                  #Submitted through the UI

CATEGORIES ==>                    #Primary/secondary categories, choosen in UI while publishing

URLS ==>                          #Required: customer support, privacy policy
                                  #Optional: company, status page, documentation

APP DESCRIPTION ==>               #See guidelines in https://docs.github.com/en/apps/publishing-apps-to-github-marketplace/listing-an-app-on-github-marketplace/writing-a-listing-description-for-your-app#guidelines-for-logos

LOGOS ==>                         #See guidelines in https://docs.github.com/en/apps/publishing-apps-to-github-marketplace/listing-an-app-on-github-marketplace/writing-a-listing-description-for-your-app#guidelines-for-logos

REQUIREMENTS ==>                  #Must:
                                  #  - be public (not invite-only nor beta)
                                  #  - follow guidelines when using GitHub name|logo: https://github.com/logos
                                  #  - notify GitHub of security incidents within 24h
                                  #  - see plan from the app UI
                                  #  - allow deleting plan without email|phone call
                                  #See more at:
                                  #  - https://docs.github.com/en/apps/publishing-apps-to-github-marketplace/creating-apps-for-github-marketplace/customer-experience-best-practices-for-apps
                                  #  - https://docs.github.com/en/apps/publishing-apps-to-github-marketplace/selling-your-app-on-github-marketplace/billing-customers

VERIFICATION ==>                  #"Verified account" badge|filter
                                  #Must associate and verify a domain name and support email
                                  #Done through the UI

INSIGHTS ==>                      #Analytics, available in UI
                                  #Includes: money, views (user, page, checkout)

ABUSE ==>                         #Can report abusive users at https://github.com/contact/report-abuse

                                  ┌──────────────────────┐
                                  │   MARKETPLACE PLAN   │
                                  └──────────────────────┘

PAID PLAN ==>                     #Payment is handled by GitHub
                                  #Requires verification
                                  #Required if app is not always free, outside of GitHub
                                  #  - i.e. cannot circumvent using GitHub for pricing
                                  #Must have >= 100 installations
                                  #GitHub includes a manual payment onboarding process
                                  #GitHub takes 5% cut
                                  #Only receives payment after minimum $500

PAID TRANSACTIONS ==>             #Can be seen in UI, with details info

https://www.github.com
 /marketplace/APP/upgrade
 /PLAN_ID/ACCOUNT_ID              #URL to plan upgrade in UI

GET /marketplace_listing/plans    #Must authenticate with APP_JWT
XMPLAN.url
GET /marketplace_listing
 /plans/PLAN_ID                   #Must authenticate with APP_JWT

XMPURCHASE|XMCHANGE.plan          #XMPLAN
XMPLAN                            #Pricing plan item on the Marketplace
                                  #Max 10
XMPLAN.id                         #PLAN_ID
XMPLAN.number                     #Serial NUM
XMPLAN.state                      #'draft|published'. If 'draft':
                                  #  - any purchase is a noop
                                  #     - i.e. can test it
                                  #  - not visible, except with URL

XMPLAN.name                       #'PLAN', UI title
                                  #Max 255 chars
XMPLAN.description                #STR, UI subtitle
                                  #Recommended 40-80 chars
                                  #Should not repeat name
                                  #Single sentence, no period
                                  #More guidelines: https://docs.github.com/en/apps/publishing-apps-to-github-marketplace/listing-an-app-on-github-marketplace/writing-a-listing-description-for-your-app#content-of-very-short-description
XMPLAN.bullets                    #STR_ARR, UI list of bullets

XMPLAN.price_model                #One of:
                                  #  - 'FREE'
                                  #  - 'FLAT_RATE': not per-seat
                                  #  - 'PER_UNIT': per-seat
XMPLAN.unit_name                  #STR, shown in UI
                                  #null if not 'PER_UNIT'
XMPURCHASE|XMCHANGE.unit_count    #INT
XMPURCHASE.billing_cycle          #'monthly|yearly|nil'
XMPLAN
 .monthly|yearly_price_in_cents   #INT (USD). Must specify both.

XMPLAN.has_free_trial             #BOOL (def: false)
                                  #Always 2 weeks
XMPURCHASE.on_free_trial          #BOOL
XMPURCHASE.free_trial_ends_on     #'DATE'

                                  ┌──────────────────────────┐
                                  │   MARKETPLACE PURCHASE   │
                                  └──────────────────────────┘

GET /user/marketplace_purchases   #XMACCOUNT_ARR of current USER
                                  #Must authenticate with APP_JWT
GET /marketplace_listing          #XMACCOUNT of a USER|ORG
 /accounts/ACCOUNT_ID             #Must authenticate with APP_JWT
XMPLAN.accounts_url
GET /marketplace_listing          #XMACCOUNT_ARR of a XMPLAN
 /plans/PLAN_ID/accounts          #Must authenticate with APP_JWT

XMACCOUNT                         #USER|ORG using a XMPLAN
XMACCOUNT.type                    #'User|Organization'
                                  #Can restrict to just one type
XMACCOUNT.id                      #USER|ORG_ID
XMACCOUNT.url                     #UUSER|OORG
XMACCOUNT.login                   #STR
XMORG.organization_billing_email
XMUSER.email                      #'EMAIL'

XMACCOUNT.marketplace_purchase    #XMPURCHASE
XMPURCHASE.next_billing_date      #'DATE'
XMPURCHASE.updated_at             #'DATE'

XMACCOUNT                         #XMCHANGE. Change in XMACCOUNT that will take place in next billing cycle
 .marketplace_pending_change      #For testing, can force it happening now in billing UI
XMCHANGE.id                       #CHANGE_ID
XMCHANGE.effective_date           #'DATE'

GET /user/marketplace_purchases
 /stubbed
GET /marketplace_listing
 /stubbed/...                     #Same but with stubbed data, for testing

                                  ┌──────────────────────────┐
                                  │   MARKETPLACE WEBHOOKS   │
                                  └──────────────────────────┘

marketplace_purchase              #Webhook EVENT
                                  #Handling it is required
PAYLOAD.effective_date            #'DATE', like XMCHANGE.effective_date
PAYLOAD
 .[previous_]marketplace_purchase #XMPURCHASE
PAYLOAD.repository                #XREPO

marketplace_purchase.purchased    #Webhook SUBEVENT. Purchased a PLAN
marketplace_purchase              #Webhook SUBEVENT. Downgrading|cancelling a PLAN started.
 .pending_change                  #Wait until next billing cycle.
marketplace_purchase
 .pending_change_cancelled        #Webhook SUBEVENT. Cancelled a `pending_change`
marketplace_purchase.changed      #Webhook SUBEVENT. Either:
                                  #  - downgrading a PLAN
                                  #  - upgrading a PLAN (happens right away)
                                  #  - add|remove seats
                                  #  - changed billing cycle (monthly|yearly)
marketplace_purchase.cancelled    #Webhook SUBEVENT. Cancelling a PLAN.
                                  #Should revoke UAT
                                  #When paid plan, must downgrade to free plan
                                  #When free plan, must delete data within 30 days

                                  ┌─────────────────┐
                                  │   PROBOT MAIN   │
                                  └─────────────────┘

@probot/probot                    #Version 14.0.0-beta.9
                                  #Node only
                                  #Does not include UAT second step nor TOKEN refresh, i.e. should also use @octokit/oauth-app middleware

FEATURES ==>                      #Configuration: .env, ENVVARs, programmatic, *.pem, INSTALL_REPO/.github/FILENAME
                                  #Webhooks: express server, serverless|GitHub actions adapters, local proxy, trigger dev payload, WEVENT helpers (USER/REPO, issue|PR number)
                                  #Octokit: BAPP, Redis for throttling, automatic IAT from WEVENT
                                  #Logging: pino, categories (probot|server|http|octokit|github|event), request logging, webhook logging, Sentry
                                  #Init: scaffold, create app

DISCOVERABILITY ==>               #Can submit Probot to list in their website
                                  #Can use GitHub apps `probot` and `probot-app`

                                  ┌─────────────────────┐
                                  │   PROBOT SCAFFOLD   │
                                  └─────────────────────┘

create-probot-app DIR             #CLI, version 5.1.0
                                  #Scaffolds a git repository for a Probot app
                                  #Does not run probot CLI nor create GitHub app, just scaffolds the repo
                                  #Uses template files, then run npm install + npm run build
                                  #Options below are also asked interactively, and guess defaults

--template|-t                     #'TEMPLATE' among:
                                  #  - 'basic-js|ts':
                                  #     - app.yml
                                  #     - index.js|ts exporting dummy Probot app
                                  #     - dummy test
                                  #  - 'checks-js': like basic-js, but dummy app for using GitHub API statuses
                                  #  - 'deploy-js': same for GitHub API deployments
                                  #  - 'git-data-js': same for GitHub API repo contents
                                  #All TEMPLATEs include:
                                  #  - README.md, LICENSE (ISC), CONTRIBUTING, CODE_OF_CONDUCT
                                  #  - Dockerfile, .dockerignore
                                  #  - .gitignore
--show-templates                  #

--appName|-n                      #'APP_NAME', used in package.json name and README.md
--desc|-d                         #STR, used in package.json description and README.md
--author|-a                       #STR, used in package.json author and LICENSE
--user|-u                         #'USER|ORG', used in package.json homepage
--repo|-r                         #'REPO', used in package.json homepage
--email|-e                        #STR, used in CODE_OF_CONDUCT

--overwrite                       #Overwrite existing files
--no-git-init                     #Unless set or already a git repo, does `git init` + initial commit

                                  ┌────────────────┐
                                  │   PROBOT CLI   │
                                  └────────────────┘

probot run FLAG...
run('FLAG'_ARR|FUNC[, ROPTS])     #Calls FUNC(PROBOT, OBJ)[->>] then WSERVER.start()
 ->>WSERVER                       #OBJ.getRouter(...) forwards to WSERVER.router(...), to add additional routes
ROPTS.env                         #ENVVARs, documented as WCENVVARs, passed as WSOPTS
                                  #Def: process.env, or `dotenv` file
'FLAG'_ARR                        #CLI flags, passed as WSOPTS
                                  #Last 'FLAG' can be 'PATH' to FUNC(PROBOT, OBJ)[->>]
package.json probot.apps          #'PATH'_ARR to FUNC(PROBOT, OBJ)[->>]

GET /[probot]                     #Shows application version
                                  #Only if 'FLAG'_ARR used

                                  ┌───────────────────┐
                                  │   PROBOT SERVER   │
                                  └───────────────────┘

new Server(WSOPTS)                #WSERVER

WSERVER.start()->>HTTPSERVER      #
WSERVER.stop()->>                 #

WSERVER.probotApp                 #PROBOT, created with no WOPTS
WSOPTS.Probot                     #Probot, to pass WOPTS using Probot.defaults()

WSERVER.expressApp                #Express APP
--port|-p
WCENVVAR PORT
WSOPTS.port                       #NUM (def: 3000)
--host|-H
WCENVVAR HOST
WSOPTS.host                       #STR (def: 'localhost')

WSERVER.router(['/PATH'])->ROUTER #APP.use('/PATH', EXPRESS.Router())
                                  #Def '/PATH': '/'

GET /ping                         #Response: 'PONG'

                                  ┌─────────────────────┐
                                  │   PROBOT ADAPTERS   │
                                  └─────────────────────┘

@probot/
 adapter-aws-lambda-serverless    #Version 4.0.3
PROBOTLAMBDA.*                    #Like PROBOT.*
PROBOTLAMBDA.createLambdaFunction
 (FUNC(PROBOT)[->>],              #Calls FUNC(PROBOT)
 { probot: PROBOT })              #Then returns HANDLER(REQ, CONTEXT)->>RES for AWS Lambda with API Gateway
GET /probot                       #Returns app|probot version as HTML page
                                  #Matched using REQ.httpMethod|path
OTHER CALLS ==>                   #Call WHOOKS.verifyAndReceive() using:
                                  #  - REQ.headers: X-GitHub-Delivery [C], X-GitHub-Event [C], X-GitHub-Signature-256 [C]
                                  #  - REQ.body: WEVENT
                                  #Response: '{"ok": true}'

@probot/serverless-gcf            #Similar but for Google Cloud Functions
@probot/adapter-azure-functions   #Similar but for Azure Functions

@probot/adapter-github-actions    #Version 4.0.0
PROBOTACTIONS.*                   #Like PROBOT.*
PROBOTACTIONS                     #Calls createProbot(), FUNC(PROBOT) then PROBOT.receive(WEVENT)
 .run(FUNC(PROBOT)[->>])->>       #Uses ENVVARs:
                                  #  - GITHUB_TOKEN: WOPTS.githubToken
                                  #  - GITHUB_RUN_ID: WEVENT.id
                                  #  - GITHUB_EVENT_NAME: WEVENT.name
                                  #  - GITHUB_EVENT_PATH: PATH to WEVENT.payload
                                  #I.e. handles GitHub action event with same logic as a GitHub app webhook
                                  #Uses WOPTS.log that calls @actions/core logging methods

                                  ┌─────────────────┐
                                  │   PROBOT CORE   │
                                  └─────────────────┘

createProbot(OBJ)->PROBOT         #
OBJ.defaults                      #WOPTS, lower priority than ENVVARs
OBJ.overrides                     #WOPTS, higher priority than ENVVARs
OBJ.env                           #ENVVARs used as WOPTS (def: process.env), documented as WENVVARs
                                  #Those are used only with createProbot(), not new Probot()

new Probot(WOPTS)                 #PROBOT
Probot.defaults(WOPTS)->Probot    #

                                  ┌──────────────────┐
                                  │   PROBOT SETUP   │
                                  └──────────────────┘

CWD/app.yml                       #MANIFEST, used by GET /probot/...
MANIFEST.*                        #All available
MANIFEST.name                     #Def: package.json name
MANIFEST.version                  #Def: 'v1'
MANIFEST.description              #Def: package.json description
MANIFEST.url                      #Def: package.json homepage|repository
MANIFEST.hook_attributes.url      #Created using smee-client as WCENVVAR WEBHOOK_PROXY_URL
                                  #Saved to CWD/.env
MANIFEST.redirect_url             #Def: /probot/setup

GET /probot                       #HTML page to create a GitHub app
                                  #Only available with run() if appId|privateKey not set yet
                                  #Calls POST [/organizations/ORG]/settings/apps/new with MANIFEST
                                  #Can use WCENVVAR GH_ORG 'ORG'

GET /probot/setup                 #Second step after GET /probot
                                  #Calls POST /app-manifests/CODE/conversions
                                  #Saves WCENVVARs to CWD/.env: APP_ID, PRIVATE_KEY, WEBHOOK_SECRET, GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET
                                  #Redirects to GitHub page of the app

GET /probot/import                #Alternative way to setup a GitHub app.
                                  #HTML page to manually set WCENVVARs to CWD/.env for: APP_ID, PRIVATE_KEY, WEBHOOK_SECRET

                                  ┌─────────────────────┐
                                  │   PROBOT WEBHOOKS   │
                                  └─────────────────────┘

createNodeMiddleware
 (FUNC(PROBOT)[_ARR], WNOPTS)     #Returns Express middleware
 ->FUNC(REQ, RES, FUNC2)          #FUNC() is fired right away
WNOPTS.probot                     #PROBOT

POST WEBHOOK_PATH                 #With new Server() or createNodeMiddleware()
                                  #Uses @octokit/webhooks createNodeMiddleware() (see its doc)
                                  #I.e. validate signature and triggers PROBOT.on*(...)
--webhook-path|-w
WCENVVAR WEBHOOK_PATH
WNOPTS|WSOPTS.webhookPath         #'WEBHOOK_PATH' (def: '/api/github/webhooks')
--webhook-proxy|-W
WCENVVAR WEBHOOK_PROXY_URL
WSOPTS.webhookProxy               #'URL' to WEBHOOK_PATH, in production
                                  #Uses smee-client to redirect calls to localhost instead, for local testing

PROBOT.webhooks                   #WHOOKS (from @octokit/webhooks)
                                  #Uses WCONTEXTs instead of WEVENTs
                                  #Uses BOPTS.type 'event-octokit'
                                  #  - i.e. WCONTEXT.octokit is authenticated with IAT using WEVENT.event.payload.installation.id
PROBOT.on[Any|Error]|receive      #Forwards to PROBOT.webhooks.on[Any|Error]|receive
--secret|-s
W[C]ENVVAR WEBHOOK_SECRET
WOPTS.secret                      #'WEBHOOK_SECRET' (def: 'development')

new Context(WEVENT, OCORE)        #WCONTEXT
WCONTEXT.name|id|payload          #Like WEVENT.*
WCONTEXT.octokit                  #OCORE
WCONTEXT.repo()->OBJ              #OBJ:
                                  #  - owner 'USER': using PAYLOAD.repository.owner.login
                                  #  - repo 'REPO': using PAYLOAD.repository.name
WCONTEXT.issue()->OBJ             #OBJ: issue_number NUM: using PAYLOAD[.issue|pull_request].number
WCONTEXT.pullRequest()->OBJ       #OBJ: pull_number NUM: using PAYLOAD[.issue|pull_request].number
WCONTEXT.isBot()->BOOL            #Using PAYLOAD.sender.type === 'Bot'

probot receive PATH               #PATH is Node.js file exporting FUNC(PROBOT)
                                  #It should call PROBOT.on*, which is passed a WEVENT
                                  #Meant for dev|debugging
--payload-path|-p
WCENVVAR GITHUB_EVENT_PATH        #'PATH' to Node.js file exporting WEVENT
--event|-e
WCENVVAR GITHUB_EVENT_NAME        #'EVENT'

                                  ┌────────────────────┐
                                  │   PROBOT OCTOKIT   │
                                  └────────────────────┘

OCORE                             #One used by Probot
WOPTS|ROPTS.Octokit               #Def: ProbotOctokit
ProbotOctokit                     #Octokit class
                                  #Uses octokit-auth-probot (BAPP), i.e. TAPP|AAPP|ZAPP
                                  #Plugins: rest-endpoint-methods (legacy), paginate-rest, retry, throttling

--token|-t
WCENVVAR GITHUB_TOKEN
WOPTS.githubToken                 #'TOKEN', when using TAPP
--app|-a
W[C]ENVVAR APP_ID
WOPTS.appId                       #AAOPTS.appId, when using AAPP
W[C]ENVVAR PRIVATE_KEY
--private-key|-P PATH
W[C]ENVVAR PRIVATE_KEY_PATH
CWD/*.pem
WOPTS.privateKey                  #AAOPTS.privateKey, when using AAPP
WOPTS.cache                       #AAOPTS.cache, when using AAPP

W[C]ENVVAR GHE_HOST|GHE_PROTOCOL
--base-url
WOPTS.baseUrl                     #KOPTS.baseUrl

--redis-url
W[C]ENVVAR REDIS_URL              #`ioredis` options, used with @octokit/plugin-throttling
WOPTS.redisConfig                 #Redis errors are logged with LOGGER

PROBOT.auth                       #If no INSTALLATION_ID, returns OCORE as is
 ([INSTALLATION_ID[, LOGGER]])    #Otherwise, authenticate with IAT
 ->>OCORE                         #Also use INSTALLATION_ID as KOPTS.throttle.id
                                  #LOGGER is Pino logger

                                  ┌────────────────────────┐
                                  │   PROBOT PRIVATE KEY   │
                                  └────────────────────────┘

@probot/get-private-key           #Version 2.0.0

getPrivateKey([OPTS])             #Finds 'APP_PRIVATE_KEY' using ENVVAR PRIVATE_KEY[_PATH] or CWD/*.pem
 ->'APP_PRIVATE_KEY'|null         #Returns null if none

OPTS.env                          #ENVVARs (def: process.env)

ENVVAR PRIVATE_KEY                #'APP_PRIVATE_KEY'. Can be base64'd. Must include RSA headers.

ENVVAR PRIVATE_KEY_PATH
CWD/*.pem
OPTS.filepath                     #'PATH' to file instead. Uses sync I/O
OPTS.cwd                          #'CWD' (def: '.')

                                  ┌────────────────────┐
                                  │   PROBOT LOGGING   │
                                  └────────────────────┘

Logger                            #From pino (see its doc)
                                  #Uses v6 (old)

WSERVER|PROBOT|WCONTEXT
 .log[.LEVEL](...)                #Calls LOGGER.LEVEL(...) (def LEVEL: 'info')

--log-level|-L
W[C]ENVVAR LOG_LEVEL              #'LEVEL' passed to pino OPTS.level
WOPTS.logLevel                    #Def: 'info' with new Probot(), 'warn' with createProbot()

W[C]ENVVAR LOG_MESSAGE_KEY
WOPTS.logMessageKey               #'PROP' (def: 'msg') passed to pino OPTS.messageKey

WSOPTS|WOPTS|ROPTS.log            #LOGGER
PROBOT.auth(..., LOGGER)          #Def: pino() with:
new Context(..., LOGGER)          #  - [child] LOGGERs:
                                  #     - main: name 'probot'
                                  #     - server: name 'server'
                                  #        - logs server start|error
                                  #     - HTTP request: name 'http'
                                  #        - logs 'HTTP_METHOD /PATH STATUS - NUMms' on request success|error
                                  #        - uses X-Request-Id [C] || X-GitHub-Delivery [C] || UUIDv4 as log id
                                  #     - general OCORE: name 'octokit'
                                  #     - IAT authentication: name 'github'
                                  #     - WEVENT: name 'event', id EVENT_ID
                                  #        - logs new EVENT, signature errors, wrong APP_ID|APP_PRIVATE_KEY
                                  #  - @probot/pino
                                  #     - with default OPTS
                                  #     - redirected to stdout

OCTOKIT REQUEST LOGGING ==>       #Automatically done with level `debug` for each request, similar to request-log PLUGIN

WSOPTS.loggingOptions             #Options to pass to `pino-http`, which is used by new Server()

@probot/pino                      #Version 4.0.0
                                  #There is a CLI too, which uses ENVVARs instead of OPTS
getTransformStream([OPTS])
 ->TSTREAM                        #Returns TSTREAM to pass as second argument to pino(...)

--log-format                      #Either:
W[C]ENVVAR LOG_FORMAT             #  - 'pretty':
OPTS.logFormat                    #     - uses pino-pretty
                                  #     - uses options:
                                  #        - ignore 'time', 'pid', 'hostname'
                                  #        - ignore 'req', 'res', 'responseTime' (from pino-http)
                                  #        - i.e. 'LEVEL: MESSAGE'
                                  #     - errorProps 'event', 'status', 'headers', 'request', 'sentryEventId' (shown in error logs)
                                  #  - 'json': uses JSON.stringify()
                                  #Def is:
                                  #  - 'json' if using run() + WCENVVAR NODE_END 'production'
                                  #  - 'pretty' otherwise
--log-level-in-string
W[C]ENVVAR LOG_LEVEL_IN_STRING    #BOOL (def: false)
OPTS.logLevelInString             #With OPTS.logFormat 'json', include `level: 'LEVEL'`

                                  ┌───────────────────────┐
                                  │   PROBOT MONITORING   │
                                  └───────────────────────┘

--sentry-dsn                      #'URL' to Sentry (def: none)
W[C]ENVVAR SENTRY_DSN             #Send to sentry using @sentry/node
OPTS.sentryDsn                    #Only for LEVELs error|fatal
                                  #Includes:
                                  #  - level: 'LEVEL'
                                  #  - extra: 'event', 'status', 'headers', 'request', then reduces:
                                  #     - 'event' to just 'id'
                                  #     - 'request' to just 'url|method'
                                  #  - ERROR: 'type', 'msg', 'stack'
                                  #  - USER.id: WEVENT.installation.id
                                  #  - USER.username: WEVENT.installation.account.login || WEVENT.organization.login || WEVENT.repository.owner.login

                                  ┌───────────────────┐
                                  │   PROBOT CONFIG   │
                                  └───────────────────┘

WCONTEXT.config                   #Retrieves JSON|YAML at .github/FILENAME in current repo
 ('FILENAME'[, OBJ2][, OBJ3])     #Forwards to OCORE.config.get(OPTS) and returns RET.config
 ->>OBJ|null                      #Using OPTS:
                                  #  - owner|repo: using the app, with PAYLOAD.repository
                                  #  - path '.github/FILENAME'
                                  #OBJ2 are merged to results. OBJ3 are deepmerge options (see its doc)

@probot/octokit-plugin-config     #Version 3.0.2
                                  #Node/Deno/browsers
config                            #Octokit PLUGIN

OCORE.config.get(OPTS)->>RET      #Loads JSON|YAML file from a REPO
                                  #Meant for configuration of a GitHub app installation
                                  #Uses GET RREPO/contents/PATH?ref=BRANCH
composeConfigGet(OCORE, OPTS)->>  #Same without adding PLUGIN to OCORE

OPTS|FILE.owner                   #'USER'
OPTS|FILE.repo                    #'REPO'
OPTS|FILE.path                    #'PATH'. Can be inside ROOT or inside ROOT/.github/
OPTS|FILE.branch                  #'COMMIT|BRANCH|TAG'

RET.files                         #FILE_ARR, including child ones
FILE.config                       #CONTENTS OBJ
RET.config                        #OBJ. All FILE[*].config merged
OPTS.defaults                     #OBJ[(CONTENTS_ARR)] to merge to RET.config

CONTENTS._extends                 #'[USER/]REPO[/PATH]' to a file to merge with lower priority