fix: cast gh_app_id to string for JWT encoding compatibility#510
Merged
fix: cast gh_app_id to string for JWT encoding compatibility#510
Conversation
Relates to #508 ## What Cast gh_app_id to str() when passing it to login_as_app_installation, which internally calls jwt.encode expecting the iss claim to be a string. Updated tests to pass integer app IDs and assert the string conversion occurs. ## Why Since v2.0.0, GitHub App authentication fails with "TypeError: Issuer (iss) must be a string" because newer versions of PyJWT enforce that the iss claim is a string, but gh_app_id was being passed as an integer. ## Notes - Tests now use assert_called_once_with instead of assert_called_once to verify the exact arguments, preventing this class of regression - Test inputs changed from strings to integers to mirror real-world usage where env vars are parsed as ints Signed-off-by: jmeridth <jmeridth@gmail.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes GitHub App authentication failures caused by newer PyJWT versions enforcing the JWT iss claim to be a string, by ensuring the GitHub App ID is stringified before passing it into github3.py app-login flows.
Changes:
- Cast
gh_app_idtostrwhen callinggh.login_as_app_installation(...)inauth_to_github. - Update app-auth tests to pass integer IDs and assert the exact arguments used in the app-login call.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| auth.py | String-casts gh_app_id for login_as_app_installation compatibility with stricter JWT encoding. |
| test_auth.py | Adjusts tests to use integer IDs and verify the exact call signature/arguments. |
Signed-off-by: jmeridth <jmeridth@gmail.com>
zkoppert
reviewed
Mar 19, 2026
Collaborator
There was a problem hiding this comment.
Nice catch on the str(gh_app_id) fix in auth_to_github - we've also got the same problem one step later. In evergreen.py lines 64-65, gh_app_id is still being passed as an int to get_github_app_installation_token, which passes it straight to github3.apps.create_jwt_headers on auth.py line 71. PyJWT 2.x will throw TypeError: Issuer (iss) must be a string there too.
# Current:
token = auth.get_github_app_installation_token(
ghe, gh_app_id, gh_app_private_key, gh_app_installation_id
)
# Should be:
token = auth.get_github_app_installation_token(
ghe, str(gh_app_id), gh_app_private_key, gh_app_installation_id
)
## What Extended the str(gh_app_id) cast to get_github_app_installation_token, which passes gh_app_id directly to github3.apps.create_jwt_headers. Updated type hints to int | None to match what get_int_env_var returns. ## Why The existing fix only covered auth_to_github but missed the second code path through get_github_app_installation_token, which would still hit PyJWT's "Issuer (iss) must be a string" TypeError at runtime. ## Notes - The str() cast happens inside get_github_app_installation_token rather than at the call site in evergreen.py, keeping the function defensive regardless of caller. Signed-off-by: jmeridth <jmeridth@gmail.com>
zkoppert
approved these changes
Mar 19, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #508
What
Cast gh_app_id to str() when passing it to login_as_app_installation, which internally calls jwt.encode expecting the iss claim to be a string. Updated tests to pass integer app IDs and assert the string conversion occurs.
Why
Since v2.0.0, GitHub App authentication fails with "TypeError: Issuer (iss) must be a string" because newer versions of PyJWT enforce that the iss claim is a string, but gh_app_id was being passed as an integer.
Notes