Github apps token should be automatically refreshed

[MarcosCela]

Describe the bug

Currently, when we authenticate GitHub as an application, as per the official documentation:

• github-api: https://github-api.kohsuke.org/githubappappinsttokenauth.html

Example code:

GitHub gh = new GitHubBuilder().withJwtToken(jwtToken).build();
GHAppInstallation installation = gh.getApp().getInstallationByOrganization("myorg");
GHAppInstallationToken ghAppInstallationToken = installation.createToken().create();
// At this point, ghAppInstallationToken should be valid to authenticate as an app
// installation for a given organization. The problem is that it will eventually expire
// in ~1hour
return new GitHubBuilder()
.withAppInstallationToken(ghAppInstallationToken.getToken())
.withJwtToken(jwtToken)
.withConnector(connector)
.build();

The problem with this is that the token is only valid for a while (1 hour in my tests),
and we would need to update it depending on the expiration time that can
be obtained in:

 ghAppInstallationToken.getExpiresAt();

To Reproduce

Create a GitHub application, and perform an installation. Obtain the application installation token,
and use it. Approximately 1 hour later (for my manual tests) the token will expire and it will be
no longer valid.

Expected behavior

Once the GitHub builder /GitHub object is configured with a valid token, it should
automatically refresh the Token. Alternatively, a refresh mechanism should be provided
to manually refresh credentials.

Discussion

• Should the library provide a way of manually refreshing the Token, or instead automatically refresh it?

I can take care of this once we achieve some basic points of what would be the ideal outcome.

[bitwiseman]

@MarcosCela
Automatic refresh would be nice for most users. This could be done similar to RateLimitCheckers. Instead of accepting a jwtToken we could accept a CredentialProvider. Before each call to the server, the GitHubClient would ask the provider for a token, and provider would provide a current token, updating as needed.

The manual update case could be supported by having CredentialProvider have a public refresh() method that would let the caller force a refresh. Maybe also an overload refresh(TimeSpan) to allow refreshing if the token is older than a specific age. See https://github.com/bitwiseman/github-branch-source-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java and jenkinsci/github-branch-source-plugin#326 for some ideas/starting points.

I look forward to seeing you PR. Ping if you have any questions.

[MarcosCela]

Officially started working on this, will be opening a draft PR as soon as it makes sense to review anything!

[bitwiseman]

Published in v1.122. Congrats and thanks, @MarcosCela !

Already being used by the Jenkins github-branch-source-plugin.

[MarcosCela]

Thank you too for your valuable input and support on the issue, we have also been using this and no problems have been found (yet :p).