feat: GitHub App token refresh (#8746)

* feat(github): auto-refresh GitHub App installation tokens

Add transport-level token refresh for GitHub App (AppKey) connections.
GitHub App installation tokens expire after ~1 hour; this adds proactive
refresh (before expiry) and reactive refresh (on 401) using the existing
TokenProvider/RefreshRoundTripper infrastructure.

New files:
- app_installation_refresh.go: refresh logic + DB persistence
- refresh_api_client.go: minimal ApiClient for token refresh POST
- cmd/test_refresh/main.go: manual test script for real GitHub Apps

Modified:
- connection.go: export GetInstallationAccessToken, parse ExpiresAt
- token_provider.go: add refreshFn for pluggable refresh strategies
- round_tripper.go: document dual Authorization header interaction
- api_client.go: wire AppKey connections into refresh infrastructure
- Tests updated for new constructors and AppKey refresh flow

* feat(github): add diagnostic logging to GitHub App token refresh

Add structured logging at key decision points for token refresh:
- Token provider creation (connection ID, installation ID, expiry)
- Round tripper installation (connection ID, auth method)
- Proactive refresh trigger (near-expiry detection)
- Refresh start/success/failure (old/new token prefixes, expiry times)
- DB persistence success/failure
- Reactive 401 refresh and skip-due-to-concurrent-refresh

All logs route through the DevLake logger to pipeline log files.

* fix(github): prevent deadlock and fix token persistence in App token refresh

Deadlock fix: NewAppInstallationTokenProvider now captures client.Transport
(the base transport) before wrapping with RefreshRoundTripper. The refresh
function uses newRefreshApiClientWithTransport(baseTransport) to POST for
new installation tokens, bypassing the RefreshRoundTripper entirely.

Token persistence fix: PersistEncryptedTokenColumns() manually encrypts
tokens via plugin.Encrypt() then writes ciphertext via dal.UpdateColumns
with conn.TableName() (a string) as the first argument. Passing the table
name string makes GORM use Table() instead of Model(), preventing the
encdec serializer from corrupting the in-memory token value. The encryption
secret is threaded from taskCtx.GetConfig(ENCRYPTION_SECRET) through
CreateApiClient to TokenProvider to persist functions.

Also persists the initial App token at startup for DB consistency, and
adds TestProactiveRefreshNoDeadlock with a real RSA key to verify the
deadlock scenario is resolved.

* fix(grafana): update dashboard descriptions to list all supported data sources (#8741)

Several dashboard introduction panels hardcoded "GitHub and Jira" as
required data sources, even though the underlying queries use generic
domain layer tables that work with any supported Git tool or issue
tracker. Updated to list all supported sources following the pattern
already used by DORA and WorkLogs dashboards.

Closes #8740

Co-authored-by: Spiff Azeta <spiffazeta@gmail.com>

* fix: modify cicd_deployments name from varchar to text (#8724)

* fix: modify cicd_deployments name from varchar to text

* fix: update the year

* fix(q_dev): replace MariaDB-specific IF NOT EXISTS syntax with DAL methods for MySQL 8.x compatibility (#8745)

* fix(azuredevops): default empty entities and add CROSS to repo scope in makeScopeV200 (#8751)

When scopeConfig.Entities is empty (common when no entities are
explicitly selected in the UI), makeScopeV200 produced zero scopes,
leaving project_mapping with no rows. Additionally, the repo scope
condition did not check for DOMAIN_TYPE_CROSS, so selecting only
CROSS would not create a repo scope, breaking DORA metrics.

This adds the same fixes applied to GitLab in #8743.

Closes #8749

* fix(bitbucket): default empty entities to all domain types in makeScopesV200 (#8750)

When scopeConfig.Entities is empty (common when no entities are
explicitly selected in the UI), makeScopesV200 produced zero scopes,
leaving project_mapping with no repo rows. This adds the same
empty-entities default applied to GitLab in #8743.

Closes #8748

* fix(github): remove unused refresh client constructor and update tests

---------

Co-authored-by: Spiff Azeta <35563797+spiffaz@users.noreply.github.com>
Co-authored-by: Spiff Azeta <spiffazeta@gmail.com>
Co-authored-by: Dan Crews <crewsd@gmail.com>
Co-authored-by: Tomoya Kawaguchi <68677002+yamoyamoto@users.noreply.github.com>

Author: 5 people

backend/plugins/github/models/connection.go

@@ -81,13 +81,15 @@ func (conn *GithubConn) PrepareApiClient(apiClient plugin.ApiClient) errors.Erro
 	}
 
 	if conn.AuthMethod == AppKey && conn.InstallationID != 0 {
-		token, err := conn.getInstallationAccessToken(apiClient)
+		token, err := conn.GetInstallationAccessToken(apiClient)
 		if err != nil {
 			return err
 		}
-
-		conn.Token = token.Token
-		conn.tokens = []string{token.Token}
+		var expiresAt *time.Time
+		if !token.ExpiresAt.IsZero() {
+			expiresAt = &token.ExpiresAt
+		}
+		conn.UpdateToken(token.Token, "", expiresAt, nil)
 	}
 
 	return nil
@@ -354,7 +356,8 @@ type GithubUserOfToken struct {
 }
 
 type InstallationToken struct {
-	Token string `json:"token"`
+	Token     string    `json:"token"`
+	ExpiresAt time.Time `json:"expires_at"`
 }
 
 type GithubApp struct {
@@ -397,7 +400,7 @@ func (gak *GithubAppKey) CreateJwt() (string, errors.Error) {
 	return tokenString, nil
 }
 
-func (gak *GithubAppKey) getInstallationAccessToken(
+func (gak *GithubAppKey) GetInstallationAccessToken(
 	apiClient plugin.ApiClient,
 ) (*InstallationToken, errors.Error) {
 
@@ -417,12 +420,18 @@ func (gak *GithubAppKey) getInstallationAccessToken(
 	if err != nil {
 		return nil, err
 	}
+	if resp.StatusCode != http.StatusCreated && resp.StatusCode != http.StatusOK {
+		return nil, errors.HttpStatus(resp.StatusCode).New(fmt.Sprintf("unexpected status code while getting installation access token: %s", string(body)))
+	}
 
 	var installationToken InstallationToken
 	err = errors.Convert(json.Unmarshal(body, &installationToken))
 	if err != nil {
 		return nil, err
 	}
+	if installationToken.Token == "" {
+		return nil, errors.Default.New("empty installation access token returned")
+	}
 
 	return &installationToken, nil
 }

backend/plugins/github/tasks/api_client.go

@@ -35,14 +35,18 @@ func CreateApiClient(taskCtx plugin.TaskContext, connection *models.GithubConnec
 		return nil, err
 	}
 
-	// Inject TokenProvider if refresh token is present
-	if connection.RefreshToken != "" {
-		logger := taskCtx.GetLogger()
-		db := taskCtx.GetDal()
-
-		// Create TokenProvider
-		tp := token.NewTokenProvider(connection, db, apiClient.GetClient(), logger)
+	logger := taskCtx.GetLogger()
+	db := taskCtx.GetDal()
+	encryptionSecret := taskCtx.GetConfig(plugin.EncodeKeyEnvStr)
 
+	// Inject TokenProvider for OAuth refresh or GitHub App installation tokens.
+	var tp *token.TokenProvider
+	if connection.RefreshToken != "" {
+		tp = token.NewTokenProvider(connection, db, apiClient.GetClient(), logger, encryptionSecret)
+	} else if connection.AuthMethod == models.AppKey && connection.InstallationID != 0 {
+		tp = token.NewAppInstallationTokenProvider(connection, db, apiClient.GetClient(), logger, encryptionSecret)
+	}
+	if tp != nil {
 		// Wrap the transport
 		baseTransport := apiClient.GetClient().Transport
 		if baseTransport == nil {
@@ -51,6 +55,20 @@ func CreateApiClient(taskCtx plugin.TaskContext, connection *models.GithubConnec
 
 		rt := token.NewRefreshRoundTripper(baseTransport, tp)
 		apiClient.GetClient().Transport = rt
+		logger.Info("Installed token refresh round tripper for connection %d (authMethod=%s)",
+			connection.ID, connection.AuthMethod)
+	}
+
+	// Persist the freshly minted token so the DB has a correctly encrypted value.
+	// PrepareApiClient (called by NewApiClientFromConnection) mints the token
+	// in-memory but does not persist it; without this, the DB may contain a stale
+	// or corrupted token that breaks GET /connections.
+	if connection.AuthMethod == models.AppKey && connection.Token != "" {
+		if err := token.PersistEncryptedTokenColumns(db, connection, encryptionSecret, logger, false); err != nil {
+			logger.Warn(err, "Failed to persist initial token for connection %d", connection.ID)
+		} else {
+			logger.Info("Persisted initial token for connection %d", connection.ID)
+		}
 	}
 
 	// create rate limit calculator

backend/plugins/github/token/app_installation_refresh.go

@@ -0,0 +1,152 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package token
+
+import (
+	"time"
+
+	"github.com/apache/incubator-devlake/core/dal"
+	"github.com/apache/incubator-devlake/core/errors"
+	"github.com/apache/incubator-devlake/core/log"
+	"github.com/apache/incubator-devlake/core/plugin"
+	"github.com/apache/incubator-devlake/plugins/github/models"
+)
+
+// tokenPrefix returns the first n characters of a token for safe logging.
+func tokenPrefix(token string, n int) string {
+	if len(token) <= n {
+		return token
+	}
+	return token[:n] + "..."
+}
+
+func refreshGitHubAppInstallationToken(tp *TokenProvider) errors.Error {
+	if tp == nil || tp.conn == nil {
+		return errors.Default.New("missing github connection for app token refresh")
+	}
+	if tp.conn.AuthMethod != models.AppKey || tp.conn.InstallationID == 0 {
+		return errors.Default.New("invalid github app connection for token refresh")
+	}
+	if tp.conn.Endpoint == "" {
+		return errors.Default.New("missing github endpoint for token refresh")
+	}
+
+	oldToken := tp.conn.Token
+	if tp.logger != nil {
+		expiresStr := "unknown"
+		if tp.conn.TokenExpiresAt != nil {
+			expiresStr = tp.conn.TokenExpiresAt.Format(time.RFC3339)
+		}
+		tp.logger.Info(
+			"Refreshing GitHub App installation token for connection %d (installation %d), old token=%s, expires_at=%s",
+			tp.conn.ID, tp.conn.InstallationID,
+			tokenPrefix(oldToken, 8),
+			expiresStr,
+		)
+	}
+
+	// Use baseTransport (the unwrapped transport) to avoid deadlock.
+	// The httpClient's transport may be the RefreshRoundTripper which would
+	// re-enter GetToken() and deadlock on the mutex.
+	apiClient := newRefreshApiClientWithTransport(tp.conn.Endpoint, tp.baseTransport)
+	installationToken, err := tp.conn.GithubAppKey.GetInstallationAccessToken(apiClient)
+	if err != nil {
+		if tp.logger != nil {
+			tp.logger.Error(err, "Failed to refresh GitHub App installation token for connection %d", tp.conn.ID)
+		}
+		return err
+	}
+
+	var expiresAt *time.Time
+	if !installationToken.ExpiresAt.IsZero() {
+		expiresAt = &installationToken.ExpiresAt
+	}
+	tp.conn.UpdateToken(installationToken.Token, "", expiresAt, nil)
+
+	if tp.logger != nil {
+		tp.logger.Info(
+			"Successfully refreshed GitHub App installation token for connection %d, new token=%s, new expires_at=%s",
+			tp.conn.ID,
+			tokenPrefix(installationToken.Token, 8),
+			installationToken.ExpiresAt.Format(time.RFC3339),
+		)
+	}
+
+	persistAppToken(tp.dal, tp.conn, tp.encryptionSecret, tp.logger)
+	return nil
+}
+
+func persistAppToken(d dal.Dal, conn *models.GithubConnection, encryptionSecret string, logger log.Logger) {
+	if d == nil || conn == nil {
+		return
+	}
+	if err := PersistEncryptedTokenColumns(d, conn, encryptionSecret, logger, false); err != nil {
+		if logger != nil {
+			logger.Warn(err, "Failed to persist refreshed app installation token for connection %d", conn.ID)
+		}
+	} else if logger != nil {
+		logger.Info("Persisted refreshed app installation token for connection %d", conn.ID)
+	}
+}
+
+// PersistEncryptedTokenColumns manually encrypts token fields and writes them
+// to the DB using UpdateColumns (map-based), which only touches the specified
+// columns. This avoids two problems:
+//   - dal.Update (GORM Save) writes ALL fields, including refresh_token_expires_at
+//     which may have Go zero time that MySQL rejects as '0000-00-00'.
+//   - dal.UpdateColumns with plaintext bypasses the GORM encdec serializer,
+//     writing unencrypted tokens that corrupt subsequent reads.
+//
+// IMPORTANT: We pass the table name string (not the conn struct) to UpdateColumns
+// so that GORM uses Table() instead of Model(). When Model(conn) is used, GORM
+// processes the encdec serializer on the struct's Token field during statement
+// preparation, which overwrites conn.Token in memory with the encrypted ciphertext.
+// This corrupts the in-memory token causing immediate 401s on the next API call.
+//
+// If includeRefreshToken is true, refresh_token and refresh_token_expires_at
+// are also written (used by the OAuth refresh path where these values are valid).
+func PersistEncryptedTokenColumns(d dal.Dal, conn *models.GithubConnection, encryptionSecret string, logger log.Logger, includeRefreshToken bool) errors.Error {
+	encToken, err := plugin.Encrypt(encryptionSecret, conn.Token)
+	if err != nil {
+		return errors.Default.Wrap(err, "failed to encrypt token for persistence")
+	}
+
+	sets := []dal.DalSet{
+		{ColumnName: "token", Value: encToken},
+		{ColumnName: "token_expires_at", Value: conn.TokenExpiresAt},
+	}
+
+	if includeRefreshToken {
+		encRefreshToken, err := plugin.Encrypt(encryptionSecret, conn.RefreshToken)
+		if err != nil {
+			return errors.Default.Wrap(err, "failed to encrypt refresh_token for persistence")
+		}
+		sets = append(sets,
+			dal.DalSet{ColumnName: "refresh_token", Value: encRefreshToken},
+			dal.DalSet{ColumnName: "refresh_token_expires_at", Value: conn.RefreshTokenExpiresAt},
+		)
+	}
+
+	// Use the table name string instead of the conn struct to prevent GORM from
+	// running the encdec serializer on conn.Token during Model() processing.
+	return d.UpdateColumns(
+		conn.TableName(),
+		sets,
+		dal.Where("id = ?", conn.ID),
+	)
+}