-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yml
92 lines (87 loc) · 3.42 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
name: Fetch GitHub App Installation Access Token
description: "Fetches an installation access token for a GitHub App, that can be used to clone private repositories."
author: "Lobaro GmbH"
inputs:
app-id:
description: GitHub App ID
required: true
private-key:
description: Private key for the GitHub App
required: true
repo:
description: Override GITHUB_REPOSITORY when creating the installation ID
required: false
default: ${{ github.repository }}
outputs:
token:
description: Installation access token for the GitHub App
value: ${{ steps.installation-token.outputs.token }}
runs:
using: composite
steps:
- name: "Install Python JWT package"
# Install Python JWT package
shell: bash
run: |
echo "-- Install Python JWT package"
pip install --user jwt || exit 1
- name: "Generate App JWT"
# Generate a JWT token signed by the GitHub App, that can be used to call the GitHub API
shell: python
id: app-token
run: |
#!/usr/bin/env python3
import jwt
import time
import sys
import os
# GitHub App's ID and private key are given as parameters to this action
app_id = "${{ inputs.app-id }}"
pem = b"""${{ inputs.private-key }}"""
if not app_id or not pem:
print("Missing app-id or pem")
github_output = os.environ["GITHUB_OUTPUT"]
with open(github_output, "a") as f:
f.write(f"token=none\n")
exit(1)
signing_key = jwt.jwk_from_pem(pem)
payload = {
# Issued at time
'iat': int(time.time()),
# JWT expiration time (10 minutes maximum)
# 2 minutes should be enough, it is only used in the next step
'exp': int(time.time()) + 120,
# GitHub App's identifier
'iss': app_id
}
# Create JWT
jwt_instance = jwt.JWT()
encoded_jwt = jwt_instance.encode(payload, signing_key, alg='RS256')
github_output = os.environ["GITHUB_OUTPUT"]
with open(github_output, "a") as f:
f.write(f"token={encoded_jwt}\n")
- name: "Generate Access Token"
# Use the App JWT to generate an installation access token:
shell: bash
id: installation-token
run: |
repo=${{ inputs.repo }}
# Get installation ID (where the App is installed for the Repository):
response=$(curl -s -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/${repo}/installation")
installation_id=$(echo "$response" | jq -r .id)
if [ "$installation_id" = "null" ]; then
echo "Unable to get installation ID. Is the GitHub App installed on ${repo}?"
echo "$response" | jq -r .message
exit 1
fi
echo "Installation ID: $installation_id"
# Fetch a new access token from the GitHub API:
token=$(curl -s -X POST \
-H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/app/installations/"${installation_id}"/access_tokens | jq -r .token)
if [ "$token" = "null" ]; then
echo "Unable to generate installation access token"
exit 1
fi
echo "token=${token}" >> "$GITHUB_OUTPUT"