actions / create-github-app-token

GitHub Action for creating a GitHub App Installation Access Token
https://github.com/marketplace/actions/create-github-app-token
MIT License

`A JSON web token could not be decoded` error when running action #153

Open avsaase opened 3 weeks ago

avsaase commented 3 weeks ago

Hi, I get this error when running the action:

Run actions/create-github-app-token@v1
  with:
    app-id: ***
    private-key: ***
    github-api-url: https://api.github.com/
owner and repositories not set, creating token for the current repository ("fusion-imu")
Failed to create token for "fusion-imu" (attempt 1): A JSON web token could not be decoded - https://docs.github.com/rest
Failed to create token for "fusion-imu" (attempt 2): A JSON web token could not be decoded - https://docs.github.com/rest
Failed to create token for "fusion-imu" (attempt 3): A JSON web token could not be decoded - https://docs.github.com/rest
Failed to create token for "fusion-imu" (attempt 4): A JSON web token could not be decoded - https://docs.github.com/rest
RequestError [HttpError]: A JSON web token could not be decoded - https://docs.github.com/rest
    at /home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:37050:21
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async hook4 (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39454:18)
    at async getTokenFromRepository (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39768:20)
    at async RetryOperation._fn (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39645:24) {
  status: 401,
  request: {
    method: 'GET',
    url: 'https://api.github.com/repos/avsaase/fusion-imu/installation',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'actions/create-github-app-token',
      authorization: 'bearer [REDACTED]'
    },
    request: { hook: [Function: bound hook4] AsyncFunction }
Error: A JSON web token could not be decoded - https://docs.github.com/rest
  },
  response: {
    url: 'https://api.github.com/repos/avsaase/fusion-imu/installation',
    status: 401,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-length': '117',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Wed, 03 Jul 2024 22:33:58 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'github.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': 'E906:311D5D:2A7971:4ADA68:6685D1D2',
      'x-xss-protection': '0'
    },
    data: {
      message: 'A JSON web token could not be decoded',
      documentation_url: 'https://docs.github.com/rest',
      status: '401'
    }
  },
  attemptNumber: 4,
  retriesLeft: 0
}

In my workflow file I have

- name: Generate GitHub token
  uses: actions/create-github-app-token@v1
  id: generate-token
  with:
    app-id: ${{ secrets.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}

(full workflow file)

The corresponding app id and private key are set as secrets in my repository. The private key is copy-pasted directly from the .pem file that downloads when creating a private key.

The app is installed.

Did I do something wrong or is this a bug? Thanks.

gr2m commented 3 weeks ago

The error is not very helpful, but it usually means that the private key is somehow not formatted correctly or invalid.

avsaase commented 3 weeks ago

What is the correct format? I tried both with and without the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines but with no success.

avsaase commented 3 weeks ago

I just tried it again with those lines removed and then the output becomes:

Failed to create token for "fusion-imu" (attempt 2): Invalid keyData
Failed to create token for "fusion-imu" (attempt 3): Invalid keyData
Failed to create token for "fusion-imu" (attempt 4): Invalid keyData
DOMException [DataError]: Invalid keyData
    at Object.rsaImportKey (node:internal/crypto/rsa:235:15)
    at SubtleCrypto.importKey (node:internal/crypto/webcrypto:615:10)
    ... 6 lines matching cause stack trace ...
    at /home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39717:71
Error: Invalid keyData
    at RetryOperation._fn (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39645:30) {
  attemptNumber: 4,
  retriesLeft: 0,
  [cause]: Error: error:0680007B:asn1 encoding routines::header too long
      at createPrivateKey (node:internal/crypto/keys:632:12)
      at Object.rsaImportKey (node:internal/crypto/rsa:229:21)
      at SubtleCrypto.importKey (node:internal/crypto/webcrypto:615:10)
      at getToken (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:37839:56)
      at githubAppJwt (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:37872:23)
      at getAppAuthentication (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39166:37)
      at hook4 (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39450:37)
      at newApi (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:37130:36)
      at getTokenFromRepository (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39768:26)
      at /home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39717:71 {
    library: 'asn1 encoding routines',
    reason: 'header too long',
    code: 'ERR_OSSL_ASN1_HEADER_TOO_LONG'
  }
}

gr2m commented 2 weeks ago

Can you please try to convert PKCS#1 (the current format that GitHub exports) to PKCS#8 and see if that helps? I documented 3 options to do that here: https://github.com/gr2m/universal-github-app-jwt/?tab=readme-ov-file#converting-pkcs1-to-pkcs8

The PKCS8 key starts with -----BEGIN PRIVATE KEY-----. Make sure to leave that line as well as the ending line in when setting it as a repository secret.

avsaase commented 2 weeks ago

I needed a quick fix so I switched to another action to generate a token. I haven't tried converting the private key yet but I'll give it a try this week. You are of course welcome to try it yourself.

hmennen90 commented 2 weeks ago

> Can you please try to convert PKCS#1 (the current format that GitHub exports) to PKCS#8 and see if that helps? I documented 3 options to do that here: https://github.com/gr2m/universal-github-app-jwt/?tab=readme-ov-file#converting-pkcs1-to-pkcs8
>
> The PKCS8 key starts with -----BEGIN PRIVATE KEY-----. Make sure to leave that line as well as the ending line in when setting it as a repository secret.

This does not work for me :-(

drmmarsunited commented 1 day ago

The conversion didn't work for me either. Upon initial conversion, it was unhappy with line break characters; trying to strip them results in an invalid keyData error.

drmmarsunited commented 1 day ago

Clarifying my last response now. Using the OpenSSL method of converting the key, it is now being accepted by this action.

However, this feels like a bit of a poor user experience to issue the key(s) one way but have your own vendor-provided action expect them in a different format.

parkerbxyz commented 13 hours ago

We have tried to reproduce this error and have not been able to so far. Can somebody experiencing this please invalidate the private key that is not working for you and then provide it to us for closer inspection?