feat: expand GitHub plugin — go-github SDK, 13 new steps, github.app module

- Add google/go-github/v69 SDK dependency
- Add github_sdk_client.go wrapping go-github with PAT + App auth
- Add 13 new step types: gh_pr_create, gh_pr_merge, gh_pr_comment, gh_pr_review,
  gh_issue_create, gh_issue_close, gh_issue_label, gh_release_create,
  gh_release_upload, gh_repo_dispatch, gh_deployment_create, gh_secret_set,
  gh_graphql
- Add github.app module with JWT generation and installation token management
- Register all new steps and modules in plugin.go and plugin.json

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: intel352

go.mod

@@ -97,6 +97,7 @@ require (
 	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
 	github.com/golobby/cast v1.3.3 // indirect
 	github.com/google/btree v1.1.3 // indirect
+	github.com/google/go-github/v69 v69.2.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect

go.sum

@@ -332,6 +332,8 @@ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-github/v69 v69.2.0 h1:wR+Wi/fN2zdUx9YxSmYE0ktiX9IAR/BeePzeaUUbEHE=
+github.com/google/go-github/v69 v69.2.0/go.mod h1:xne4jymxLR6Uj9b7J7PyTpkMYstEMMwGZa0Aehh1azM=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/go-tpm v0.9.8 h1:slArAR9Ft+1ybZu0lBwpSmpwhRXaa85hWtMinMyRAWo=

internal/github_sdk_client.go

@@ -0,0 +1,25 @@
+package internal
+
+import (
+	"net/http"
+
+	"github.com/google/go-github/v69/github"
+)
+
+// SDKClient wraps the go-github client with auth support.
+type SDKClient struct {
+	GH *github.Client
+}
+
+// NewSDKClient creates a client authenticated with a personal access token.
+func NewSDKClient(token string) *SDKClient {
+	client := github.NewClient(nil).WithAuthToken(token)
+	return &SDKClient{GH: client}
+}
+
+// NewSDKClientFromTransport creates a client from an http.RoundTripper (for GitHub App auth).
+func NewSDKClientFromTransport(rt http.RoundTripper) *SDKClient {
+	httpClient := &http.Client{Transport: rt}
+	client := github.NewClient(httpClient)
+	return &SDKClient{GH: client}
+}

internal/module_github_app.go

@@ -0,0 +1,183 @@
+package internal
+
+import (
+	"context"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+
+	sdk "github.com/GoCodeAlone/workflow/plugin/external/sdk"
+)
+
+// githubAppModule implements sdk.ModuleInstance.
+// It manages GitHub App authentication, generating installation access tokens
+// from an App's private key and installation ID.
+//
+// Module config:
+//
+//	app_id:          12345
+//	installation_id: 67890
+//	private_key:     "${GITHUB_APP_PRIVATE_KEY}"  # PEM-encoded RSA key
+type githubAppModule struct {
+	name   string
+	config githubAppConfig
+
+	// cached token and expiry for reuse within the valid window
+	cachedToken  string
+	tokenExpiry  time.Time
+}
+
+type githubAppConfig struct {
+	AppID          int64  `yaml:"app_id"`
+	InstallationID int64  `yaml:"installation_id"`
+	PrivateKey     string `yaml:"private_key"`
+}
+
+// newGitHubAppModule parses the config map and returns a githubAppModule.
+func newGitHubAppModule(name string, config map[string]any) (*githubAppModule, error) {
+	var cfg githubAppConfig
+
+	switch v := config["app_id"].(type) {
+	case int:
+		cfg.AppID = int64(v)
+	case int64:
+		cfg.AppID = v
+	case float64:
+		cfg.AppID = int64(v)
+	}
+	if cfg.AppID == 0 {
+		return nil, fmt.Errorf("github.app %q: config.app_id is required", name)
+	}
+
+	switch v := config["installation_id"].(type) {
+	case int:
+		cfg.InstallationID = int64(v)
+	case int64:
+		cfg.InstallationID = v
+	case float64:
+		cfg.InstallationID = int64(v)
+	}
+	if cfg.InstallationID == 0 {
+		return nil, fmt.Errorf("github.app %q: config.installation_id is required", name)
+	}
+
+	cfg.PrivateKey, _ = config["private_key"].(string)
+	cfg.PrivateKey = os.ExpandEnv(cfg.PrivateKey)
+	if cfg.PrivateKey == "" {
+		return nil, fmt.Errorf("github.app %q: config.private_key is required", name)
+	}
+
+	return &githubAppModule{name: name, config: cfg}, nil
+}
+
+// Init is a no-op; the module is ready after construction.
+func (m *githubAppModule) Init() error { return nil }
+
+// Start is a no-op.
+func (m *githubAppModule) Start(_ context.Context) error { return nil }
+
+// Stop is a no-op.
+func (m *githubAppModule) Stop(_ context.Context) error { return nil }
+
+// Name returns the module name.
+func (m *githubAppModule) Name() string { return m.name }
+
+// GetInstallationToken returns a valid GitHub App installation access token,
+// using a cached value if it is still valid (expires in >5 minutes).
+func (m *githubAppModule) GetInstallationToken(ctx context.Context) (string, error) {
+	if m.cachedToken != "" && time.Until(m.tokenExpiry) > 5*time.Minute {
+		return m.cachedToken, nil
+	}
+
+	jwtToken, err := m.generateJWT()
+	if err != nil {
+		return "", fmt.Errorf("generate app JWT: %w", err)
+	}
+
+	client := NewSDKClient(jwtToken)
+	token, _, err := client.GH.Apps.CreateInstallationToken(ctx, m.config.InstallationID, nil)
+	if err != nil {
+		return "", fmt.Errorf("create installation token: %w", err)
+	}
+
+	m.cachedToken = token.GetToken()
+	m.tokenExpiry = token.GetExpiresAt().Time
+	return m.cachedToken, nil
+}
+
+// generateJWT creates a short-lived JWT for GitHub App authentication.
+func (m *githubAppModule) generateJWT() (string, error) {
+	key, err := parseRSAPrivateKey(m.config.PrivateKey)
+	if err != nil {
+		return "", err
+	}
+
+	now := time.Now()
+	claims := jwt.MapClaims{
+		"iat": now.Add(-60 * time.Second).Unix(), // issued 60s ago to handle clock skew
+		"exp": now.Add(10 * time.Minute).Unix(),
+		"iss": m.config.AppID,
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	return token.SignedString(key)
+}
+
+// parseRSAPrivateKey decodes a PEM-encoded RSA private key.
+func parseRSAPrivateKey(pem_encoded string) (*rsa.PrivateKey, error) {
+	block, _ := pem.Decode([]byte(pem_encoded))
+	if block == nil {
+		return nil, fmt.Errorf("failed to decode PEM block for RSA private key")
+	}
+	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+	if err != nil {
+		// Try PKCS8 format as well.
+		iface, err2 := x509.ParsePKCS8PrivateKey(block.Bytes)
+		if err2 != nil {
+			return nil, fmt.Errorf("parse RSA private key (PKCS1: %v, PKCS8: %v)", err, err2)
+		}
+		rsakey, ok := iface.(*rsa.PrivateKey)
+		if !ok {
+			return nil, fmt.Errorf("private key is not RSA")
+		}
+		return rsakey, nil
+	}
+	return key, nil
+}
+
+// AppTransport implements http.RoundTripper for GitHub App authentication,
+// automatically refreshing the installation token as needed.
+type AppTransport struct {
+	module    *githubAppModule
+	base      http.RoundTripper
+}
+
+// NewAppTransport creates an http.RoundTripper that uses App installation tokens.
+func NewAppTransport(mod *githubAppModule) *AppTransport {
+	return &AppTransport{module: mod, base: http.DefaultTransport}
+}
+
+// RoundTrip injects the installation token into each request.
+func (t *AppTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	token, err := t.module.GetInstallationToken(req.Context())
+	if err != nil {
+		return nil, fmt.Errorf("get installation token: %w", err)
+	}
+	reqCopy := req.Clone(req.Context())
+	reqCopy.Header.Set("Authorization", "Bearer "+token)
+	return t.base.RoundTrip(reqCopy)
+}
+
+// GetSDKClient returns an SDK client authenticated with this App's installation token.
+func (m *githubAppModule) GetSDKClient() *SDKClient {
+	return NewSDKClientFromTransport(NewAppTransport(m))
+}
+
+// Ensure githubAppModule satisfies sdk.ModuleInstance at compile time.
+var _ sdk.ModuleInstance = (*githubAppModule)(nil)

internal/plugin.go

@@ -32,22 +32,27 @@ func NewGitHubPlugin() sdk.PluginProvider {
 func (p *githubPlugin) Manifest() sdk.PluginManifest {
 	return sdk.PluginManifest{
 		Name:        "workflow-plugin-github",
-		Version:     "1.0.0",
+		Version:     "1.0.1",
 		Author:      "GoCodeAlone",
-		Description: "GitHub integration plugin: webhook handling and GitHub Actions workflow management",
+		Description: "GitHub integration plugin: webhook handling, GitHub Actions, PRs, issues, releases, and deployments",
 	}
 }
 
 // ModuleTypes returns the module type names this plugin provides.
 func (p *githubPlugin) ModuleTypes() []string {
-	return []string{"git.webhook"}
+	return []string{
+		"git.webhook",
+		"github.app",
+	}
 }
 
 // CreateModule creates a module instance of the given type.
 func (p *githubPlugin) CreateModule(typeName, name string, config map[string]any) (sdk.ModuleInstance, error) {
 	switch typeName {
 	case "git.webhook":
 		return newWebhookModule(name, config)
+	case "github.app":
+		return newGitHubAppModule(name, config)
 	default:
 		return nil, fmt.Errorf("github plugin: unknown module type %q", typeName)
 	}
@@ -56,9 +61,28 @@ func (p *githubPlugin) CreateModule(typeName, name string, config map[string]any
 // StepTypes returns the step type names this plugin provides.
 func (p *githubPlugin) StepTypes() []string {
 	return []string{
+		// Existing steps
 		"step.gh_action_trigger",
 		"step.gh_action_status",
 		"step.gh_create_check",
+		// Pull request steps
+		"step.gh_pr_create",
+		"step.gh_pr_merge",
+		"step.gh_pr_comment",
+		"step.gh_pr_review",
+		// Issue steps
+		"step.gh_issue_create",
+		"step.gh_issue_close",
+		"step.gh_issue_label",
+		// Release steps
+		"step.gh_release_create",
+		"step.gh_release_upload",
+		// Repository steps
+		"step.gh_repo_dispatch",
+		"step.gh_deployment_create",
+		"step.gh_secret_set",
+		// GraphQL
+		"step.gh_graphql",
 	}
 }
 
@@ -71,6 +95,32 @@ func (p *githubPlugin) CreateStep(typeName, name string, config map[string]any)
 		return newActionStatusStep(name, config, nil)
 	case "step.gh_create_check":
 		return newCreateCheckStep(name, config, nil)
+	case "step.gh_pr_create":
+		return newPRCreateStep(name, config)
+	case "step.gh_pr_merge":
+		return newPRMergeStep(name, config)
+	case "step.gh_pr_comment":
+		return newPRCommentStep(name, config)
+	case "step.gh_pr_review":
+		return newPRReviewStep(name, config)
+	case "step.gh_issue_create":
+		return newIssueCreateStep(name, config)
+	case "step.gh_issue_close":
+		return newIssueCloseStep(name, config)
+	case "step.gh_issue_label":
+		return newIssueLabelStep(name, config)
+	case "step.gh_release_create":
+		return newReleaseCreateStep(name, config)
+	case "step.gh_release_upload":
+		return newReleaseUploadStep(name, config)
+	case "step.gh_repo_dispatch":
+		return newRepoDispatchStep(name, config)
+	case "step.gh_deployment_create":
+		return newDeploymentCreateStep(name, config)
+	case "step.gh_secret_set":
+		return newSecretSetStep(name, config)
+	case "step.gh_graphql":
+		return newGraphQLStep(name, config)
 	default:
 		return nil, fmt.Errorf("github plugin: unknown step type %q", typeName)
 	}