jpoehnelt / secrets-sync-action

A Github Action that can sync secrets from one repository to many others.
https://github.com/marketplace/actions/secrets-sync-action
Apache License 2.0

GITHUB_TOKEN generated from GitHub App Jwt could not be used. #9

Closed guitarrapc closed 4 years ago

guitarrapc commented 4 years ago

Hi, thanks for making this!

The concept is clear and it works very well on my private account.

Summary

Is there any plan to allow using GitHub App's generated token for GITHUB_TOKEN?

Description

I've tried to use an Organization's GitHub App to generate a GitHub token, which is a non-user-related token, and the organization can easily control the app's permissions and integration. However, I met the following error when trying to use this token.

Resource not accessible by integration

Reproduce

let jwt = require("jsonwebtoken")
let fs = require("fs")
let axios = require("axios")

// JWT claims for authenticating as the GitHub App itself
let payload = {
    exp: Math.floor(Date.now() / 1000) + 600,  // JWT expiration time, max 10min
    iat: Math.floor(Date.now() / 1000) - 10,   // Issued at time (skewed back to tolerate clock drift)
    iss: "<CLIENT_ID>"
}
// The App's private key, downloaded from the App settings page, signs the JWT
let cert = fs.readFileSync("YOUR_GITHUB_APP.2020-04-26.private-key.pem").toString()
let jwtToken = jwt.sign(payload, cert, { algorithm: 'RS256' });
console.log(jwtToken);

// Exchange the App JWT for an installation access token
axios.post("https://api.github.com/installations/<INSTALLATION_ID>/access_tokens", null, {
    headers: {
        Authorization: "Bearer " + jwtToken,
        Accept: "application/vnd.github.machine-man-preview+json"
    }
})
.then(res => console.log(res.data.token)) // this is the GitHub App's Token
.catch(console.log)

name: Sync
on:
  push:
    branches:
      - master

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: google/secrets-sync-action@v1.1.3
        with:
          SECRETS: |
            ^SYNC_
          REPOSITORIES: |
            ^FOO
          GITHUB_TOKEN: ${{ env.GITHUB_APP_TOKEN }}
          DRY_RUN: true
        env:
          SYNC_TEST: ${{ secrets.TEST }}

You may get the following error.

Run google/secrets-sync-action@v1.1.3

##[error]HttpError: Resource not accessible by integration
##[error]Resource not accessible by integration

Reason

This seems to be due to the `await octokit.repos.listForAuthenticatedUser` API being used in github.ts.

It is a useful API and works great for a User Token.

https://octokit.github.io/rest.js/v17#repos-list-for-authenticated-user

However, the GitHub App's integrated token does not support this API.

https://developer.github.com/v3/apps/available-endpoints/#repositories

jpoehnelt commented 4 years ago

Thanks for reporting this issue.

Is there any plan to allow using GitHub App's generated token for GITHUB_TOKEN?

This seems to be due to the `await octokit.repos.listForAuthenticatedUser` API being used in github.ts.

Seems the only way around this would be to allow a hardcoded repository pattern to avoid the listForAuthenticatedUser API.

Perhaps a flag like REPOSITORIES_LIST_REGEX=false to switch this behavior?

guitarrapc commented 4 years ago

Yes, that's what I exactly imagine!

jpoehnelt commented 4 years ago

Mind giving it a try with #10 and https://github.com/google/secrets-sync-action/commit/bb42f32e9f74a3503c6da804e445d5e0707e68be?

guitarrapc commented 4 years ago

@jpoehnelt, thanks, I've tested it as a Repository Private Action and confirm it works great!

Looks like the index.js in #10 is old. I ran `npm run build` and `npm run pack`, and then the changes came through.

      - uses: ./.github/actions/secrets-sync-action
        with:
          SECRETS: |
            ^SYNC_
          REPOSITORIES: |
            MyCompany/ServiceA
            MyCompany/Foo
            MyCompany/Bar
          GITHUB_TOKEN: ${{ env.GITHUBTOKEN_REPO }}
          REPOSITORIES_LIST_REGEX: "false"
          DRY_RUN: "false"
        env:
          SYNC_A: "A"
          SYNC_B: "B"
          SYNC_C: "C"
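An added example (not the action's own code, nor the reporter's) of the two REPOSITORIES resolution modes discussed in this thread: with REPOSITORIES_LIST_REGEX on, each entry is a regex matched against the names returned by a listing call that needs a user token; with it off, each entry is a literal owner/repo and the listing call is skipped, so a GitHub App installation token is enough. The listing stub, the `ghs_` marker for an installation token, the `owner/repo` validation and matching against full names are assumptions.

```javascript
// Constructed stand-in for octokit.repos.listForAuthenticatedUser (made
// synchronous for brevity): it returns repositories for a user token and
// fails for an installation token, mirroring the error quoted in the issue.
// The "ghs_" prefix is a constructed marker, not a guarantee about real tokens.
function listAccessibleRepos(token) {
  if (token.startsWith("ghs_")) {
    throw new Error("Resource not accessible by integration");
  }
  return ["MyCompany/ServiceA", "MyCompany/Foo", "MyCompany/Bar", "Other/Baz"];
}

// Split the multi-line action input into trimmed, non-empty entries.
function parseInputList(input) {
  return input.split("\n").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Shape check for literal entries (assumed): exactly one "owner/repo".
const REPO_RE = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/;

// Resolve the repositories the sync will target.
//   listRegex === true : entries are regexes matched against full names from
//                        the listing call (requires a user token)
//   listRegex === false: entries are literal owner/repo names; no listing
//                        call is made, so an App installation token works
function resolveRepositories(input, listRegex, token) {
  const entries = parseInputList(input);
  if (!listRegex) {
    const bad = entries.filter((e) => !REPO_RE.test(e));
    if (bad.length > 0) {
      throw new Error("not owner/repo: " + bad.join(", "));
    }
    return entries;
  }
  const all = listAccessibleRepos(token);
  const patterns = entries.map((e) => new RegExp(e));
  return all.filter((name) => patterns.some((re) => re.test(name)));
}

// Usage: the literal list from the working config above, with an App token
const literalInput = "MyCompany/ServiceA\nMyCompany/Foo\nMyCompany/Bar\n";
console.log(resolveRepositories(literalInput, false, "ghs_constructed"));
```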

jpoehnelt commented 4 years ago

Pushed up the new index.js (normally part of the master build process to keep it up to date).

See: 8d158da

guitarrapc commented 4 years ago

awesome.

github-actions[bot] commented 4 years ago

:tada: This issue has been resolved in version 1.2.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: