Hi! Unfortunately there is currently no way to do so. That would be an interesting feature to add!

You can do this by using the GitHub CLI (gh) to authenticate. To do this, leave the provider "github" block empty. Then, make sure you have your local credentials configured by doing gh auth login. In your CI you will need to generate an app installation token from the app's private key. The following is an example if you are using GitHub Actions:

name: CI
on:
  push:
    branches: [main]
jobs:
  apply:
    name: TF Apply
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: Generate app token
        id: generate-app-token
        uses: tibdex/github-app-token@v1.9.0
        with:
          app_id: ${{ vars.YOUR_APP_ID }}
          private_key: ${{ secrets.YOUR_APP_PRIVATE_KEY }}
      - name: Terraform apply
        env:
          GITHUB_TOKEN: ${{ steps.generate-app-token.outputs.token }}
        run: terraform apply -auto-approve

Using the app installation token directly is a good workaround when you run Terraform from GitHub actions, but what about using it from Atlantis? Installation token is short-lived, so it can't be used in Atlantis as a static secret, but providing app credentials instead requires having app_auth {} in the code.

A potential solution here without breaking the existing interface or adding new functionality might be to look for app env vars even when there is no empty app_auth {} block, i.e.

provider "github" {}

1. First looks for the GITHUB_TOKEN env var or credentials set by gh auth login as it does now, so existing workflows don't break
2. Then it could check for the GITHUB_APP_ID+GITHUB_APP_INSTALLATION_ID+GITHUB_APP_PEM_FILE trio to use the app authentication (which would work in CI and Atlantis)

I see the docs say

When using environment variables, an empty app_auth block is required to allow provider configurations from environment variables to be specified. See: hashicorp/terraform-plugin-sdk#142

But I don't quite understand the linked issue. How does it work with an empty provider "github" {} and the GITHUB_TOKEN env var, but doesn't work with the three app env vars?
But I think it's still achievable via introduction of new parameters (making the app_auth block redundant)

P.S. Also having empty app_auth {} fails validation:

│ Error: Missing required argument
│ 
│   on provider.tf line 22, in provider "github":
│   22:   app_auth {}
│ 
│ The argument "pem_file" is required, but no definition was found.

Hello, is there an update on this ?

Hi! Unfortunately there is currently no way to do so. That would be an interesting feature to add!

Hello, do you know there has been any progress made on this issue ?

I took a stab at it in #2174

Any feedback and help are appreciated!