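# Composite action: signs a short-lived JWT with the GitHub App's private key
# and exchanges it for an installation access token via the GitHub REST API.
name: 'GitHub App Token'
description: 'Generate an installation access token for a GitHub App'

inputs:
  app-id:
    description: 'GitHub App ID'
    required: true
  installation-id:
    description: 'GitHub App Installation ID'
    required: true
  app-private-key:
    # Supply this from an encrypted secret, never as a literal in a workflow.
    description: 'GitHub App Private Key'
    required: true

outputs:
  token:
    description: 'The generated installation access token'
    value: ${{ steps.generate-token.outputs.token }}

runs:
  using: 'composite'
  steps:
    - name: Install required tools
      shell: sh
      run: |
        have() { command -v "$1" >/dev/null 2>&1; }

        if ! have curl || ! have jq || ! have openssl; then
          # Best effort: each package manager is its own group, so a successful
          # `apk add` no longer falls through into `apt-get install` via the
          # left-associative && / || chain.
          { apk add --no-cache curl jq openssl; } 2>/dev/null || \
            { apt-get update && apt-get install -y curl jq openssl; } 2>/dev/null || \
            { yum install -y curl jq openssl; } 2>/dev/null || true
        fi

        # Fail here with a clear message rather than later, mid-way through
        # handling the private key.
        for tool in curl jq openssl; do
          if ! have "$tool"; then
            echo "Required tool '$tool' is missing and could not be installed." >&2
            exit 1
          fi
        done

    - name: Generate token
      id: generate-token
      shell: sh
      env:
        # Inputs reach the script through the environment, not by expanding
        # ${{ }} inside the script text, so their contents are never parsed
        # as shell code.
        APP_ID: ${{ inputs.app-id }}
        INSTALLATION_ID: ${{ inputs.installation-id }}
        APP_PRIVATE_KEY: ${{ inputs.app-private-key }}
      run: |
        set -eu

        # The installation ID is interpolated into the request URL below;
        # accept digits only so it cannot alter the path or query.
        case "$INSTALLATION_ID" in
          ''|*[!0-9]*)
            echo "installation-id must be a numeric ID." >&2
            exit 1
            ;;
        esac

        now=$(date +%s)
        iat=$((now - 60))   # issued-at is set 60 s in the past
        exp=$((now + 540))  # JWT expires 9 minutes from now

        # Write key to file. The EXIT trap removes it on every exit path,
        # including failures raised by `set -e` before the explicit rm below.
        key_file="$(mktemp)"
        trap 'rm -f "$key_file"' EXIT
        printf '%s' "$APP_PRIVATE_KEY" > "$key_file"

        b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

        header='{"alg":"RS256","typ":"JWT"}'
        # Build the claims with jq so the app ID is JSON-escaped instead of
        # being pasted into a printf template.
        payload="$(jq -cn \
          --argjson iat "$iat" \
          --argjson exp "$exp" \
          --arg iss "$APP_ID" \
          '{iat: $iat, exp: $exp, iss: $iss}')"

        unsigned="$(printf '%s' "$header" | b64url).$(printf '%s' "$payload" | b64url)"
        signature="$(printf '%s' "$unsigned" | openssl dgst -sha256 -sign "$key_file" | b64url)"

        # Remove the key as soon as signing is done; the trap covers failures.
        rm -f "$key_file"

        # The pipeline's exit status is that of b64url, so an openssl signing
        # failure (for example a malformed key) only shows as an empty value.
        if [ -z "$signature" ]; then
          echo "Failed to sign the JWT; check the app-private-key input." >&2
          exit 1
        fi

        jwt="$unsigned.$signature"

        token_json="$(curl -fsSL -X POST \
          -H "Authorization: Bearer $jwt" \
          -H "Accept: application/vnd.github+json" \
          "https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens")"

        token="$(printf '%s' "$token_json" | jq -r '.token')"
        if [ -z "$token" ] || [ "$token" = "null" ]; then
          # Reached only when the response carries no token, so printing the
          # response does not disclose one.
          echo "Failed to create installation token. Response:"
          echo "$token_json"
          exit 1
        fi

        # Register the token as a secret so the runner redacts it from logs;
        # step outputs are not masked automatically.
        echo "::add-mask::$token"
        echo "token=$token" >> "$GITHUB_OUTPUT"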