Open jamesgeddes opened 3 months ago
Interestingly, explicitly generating the JWT and IAT, without using actions/create-github-app-token
does work.
- name: Generate JWT
run: |
set -o pipefail
app_id=${{ secrets.GEDBOT_APP_ID }} # App ID as first argument
pem="${{ secrets.GEDBOT_APP_PEM_FILE }}" # file path of the private key as second argument
now=$(date +%s)
iat=$((${now} - 60)) # Issues 60 seconds in the past
exp=$((${now} + 600)) # Expires 10 minutes in the future
b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
header_json='{
"typ":"JWT",
"alg":"RS256"
}'
# Header encode
header=$( echo -n "${header_json}" | b64enc )
payload_json='{
"iat":'"${iat}"',
"exp":'"${exp}"',
"iss":'"${app_id}"'
}'
# Payload encode
payload=$( echo -n "${payload_json}" | b64enc )
# Signature
header_payload="${header}"."${payload}"
signature=$(
openssl dgst -sha256 -sign <(echo -n "${pem}") \
<(echo -n "${header_payload}") | b64enc
)
# Create JWT
JWT="${header_payload}"."${signature}" >> $GITHUB_ENV
printf '%s\n' "JWT: $JWT"
echo "JWT=$JWT" >> $GITHUB_ENV
- name: set_IAT
run: |
jq --version
echo "JWT=$JWT"
IAT_RESPONSE=$(curl --request POST \
--url "https://api.github.com/app/installations/$GITHUB_APP_INSTALLATION_ID/access_tokens" \
--header "Accept: application/vnd.github+json" \
--header "Authorization: Bearer ${{ env.JWT }}" \
--header "X-GitHub-Api-Version: 2022-11-28")
echo "IAT_RESPONSE=$IAT_RESPONSE"
IAT=$(echo $IAT_RESPONSE | jq '.token')
printf '%s\n' "IAT: $IAT"
echo "IAT=$IAT" >> $GITHUB_ENV
- name: get_response
run: |
echo $IAT
response=$(curl --request GET \
--url "https://api.github.com/repos/geddesfamily/estate-config/branches" \
--header "Accept: application/vnd.github+json" \
--header "Authorization: Bearer ${{ env.IAT }}" \
--header "X-GitHub-Api-Version: 2022-11-28")
echo "response=$response"
returns
Run echo $IAT
"***"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 255 100 255 0 0 765 0 --:--:-- --:--:-- --:--:-- 765
response=[
{
"name": "main",
"commit": {
"sha": "[a wonderful sha]",
"url": "https://api.github.com/repos/geddesfamily/estate-config/commits/[a wonderful sha]"
},
"protected": false
}
]
Ultimately, I am trying to commit to a repo as the GitHub app, so any suggestions would be appreciated.
I have been able to commit to the other repo by explicitly generating the JWT and IAT. Would be good if this was possible in the create-github-app-token action.
be default, the token created with actions/create-github-app-token
has only access to the repository it is running in. If you need to give it access to other repositories, see the usage examples like https://github.com/actions/create-github-app-token?tab=readme-ov-file#create-a-token-for-all-repositories-in-the-current-owners-installation and below
The only permission you need to check out a repository is contents:write
. Note that if you add that permission after the app is installed, you will need to accept the new permissions in the installation settings.
Repost from Community Discussion:
It seems you have 3 processes going on within the call_api
job:
checkout
, ie you are authenticating git CLIcurl
, ie you are authenticating HTTP requestgh api
GitHub CLI without authenticating at allUnsure why you need to do a curl
, but for gh api
to work, you need to authenticate with gh auth login
first.
@jamesgeddes I'm having the same issue at here, I've tried to set the owners and repositories parameters for the action, add all the correct permissions to the app and even with that nothing works, I've used your approach and it worked like a charm, thanks for that. Definitely there is some issue or miss using by our end at here, I took a fast look in how the action is implemented and nothing seemed wrong by my eyes, I will try to save some time this week to debug this properly, just FYI, my case is very simple, I'm trying to trigger a workflow in another repository, so I created an APP for my ORG to provide the necessary credentials to do that.
Hi All,
I am setting up a github bot for use with github actions, but it cannot access the repos API endpoint.
Here are the permissions that the bot is set to (way too permissive, I know, but I am just testing).
Here is my test action workflow
I can confirm that
geddesfamily/estate-config
does exist.This returns
I feel like this covers all bases to mitigate the risk of the problem being cause by my idiocy, however it is always a possibility!
Is this a bug in the token gen step?