-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathgh_token_refresh.sh
More file actions
executable file
·172 lines (134 loc) · 4.13 KB
/
Copy pathgh_token_refresh.sh
File metadata and controls
executable file
·172 lines (134 loc) · 4.13 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
#!/usr/bin/env bash
set -euo pipefail
GITHUB_APP_ID="$APP_ID"
GITHUB_APP_PRIVATE_KEY="$PRIVATE_KEY"
GITHUB_INSTALLATION_ID="$INSTALLATION_ID"
GITHUB_API_URL="${GITHUB_API_URL:-https://api.github.com}"
if [[ -z "${GITHUB_APP_ID:-}" ]]; then
echo "ERROR: GITHUB_APP_ID is not set" >&2
exit 1
fi
if [[ -z "${GITHUB_APP_PRIVATE_KEY:-}" ]]; then
echo "ERROR: GITHUB_APP_PRIVATE_KEY is not set" >&2
exit 1
fi
if ! echo "${GITHUB_APP_PRIVATE_KEY}" | grep -q "BEGIN.*PRIVATE KEY"; then
echo "ERROR: GITHUB_APP_PRIVATE_KEY is not in PEM format" >&2
exit 1
fi
base64url_encode() {
openssl base64 -A | tr '+/' '-_' | tr -d '='
}
json_get() {
local key="$1"
local json="$2"
echo "${json}" | grep -o "\"${key}\"[[:space:]]*:[[:space:]]*[^,}]*" \
| sed 's/.*:[[:space:]]*//' \
| tr -d '"' \
| tr -d ' '
}
generate_jwt() {
local app_id="$1"
local private_key="$2"
local header
header=$(printf '{"alg":"RS256","typ":"JWT"}' | base64url_encode)
local now
now=$(date +%s)
local iat=$(( now - 60 ))
local exp=$(( iat + 600 ))
local payload
payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "${iat}" "${exp}" "${app_id}" \
| base64url_encode)
local signing_input="${header}.${payload}"
local tmp_key
tmp_key=$(mktemp)
trap "rm -f '${tmp_key}'" EXIT
echo "${private_key}" > "${tmp_key}"
chmod 600 "${tmp_key}"
local signature
signature=$(printf '%s' "${signing_input}" \
| openssl dgst -sha256 -sign "${tmp_key}" \
| base64url_encode)
rm -f "${tmp_key}"
trap - EXIT
echo "${signing_input}.${signature}"
}
get_installation_id() {
local jwt="$1"
local response
response=$(curl -sf \
-H "Authorization: Bearer ${jwt}" \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"${GITHUB_API_URL}/app/installations")
if [[ -z "${response}" ]]; then
echo "ERROR: Failed to get installation list" >&2
exit 1
fi
local installation_id
installation_id=$(echo "${response}" \
| grep -o '"id":[[:space:]]*[0-9]*' \
| head -1 \
| grep -o '[0-9]*')
if [[ -z "${installation_id}" ]]; then
echo "ERROR: Installation ID not found. Check if the app is installed somewhere" >&2
exit 1
fi
echo "${installation_id}"
}
get_installation_token() {
local jwt="$1"
local installation_id="$2"
local response
response=$(curl -sf \
-X POST \
-H "Authorization: Bearer ${jwt}" \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"${GITHUB_API_URL}/app/installations/${installation_id}/access_tokens")
if [[ -z "${response}" ]]; then
echo "ERROR: Failed to get Installation Access Token (installation_id=${installation_id})" >&2
exit 1
fi
local token
token=$(json_get "token" "${response}")
if [[ -z "${token}" ]]; then
echo "ERROR: Could not get token from response: ${response}" >&2
exit 1
fi
local expires_at
expires_at=$(json_get "expires_at" "${response}")
echo "token=${token}"
echo "expires_at=${expires_at}"
}
main() {
echo "==> Generating JWT..." >&2
local jwt
jwt=$(generate_jwt "${GITHUB_APP_ID}" "${GITHUB_APP_PRIVATE_KEY}")
local installation_id
if [[ -n "${GITHUB_INSTALLATION_ID:-}" ]]; then
installation_id="${GITHUB_INSTALLATION_ID}"
echo "==> Installation ID (from env): ${installation_id}" >&2
else
echo "==> Installation ID (API)" >&2
installation_id=$(get_installation_id "${jwt}")
echo "==> Installation ID: ${installation_id}" >&2
fi
echo "==> Fetching Installation Access Token" >&2
local result
result=$(get_installation_token "${jwt}" "${installation_id}")
local token expires_at
token=$(echo "${result}" | grep '^token=' | cut -d= -f2-)
expires_at=$(echo "${result}" | grep '^expires_at=' | cut -d= -f2-)
echo "" >&2
echo "========================================" >&2
echo " GitHub App Installation Access Token" >&2
echo "========================================" >&2
# echo "TOKEN : ${token}" >&2
echo "TOKEN : (success)" >&2
echo "EXPIRES_AT : ${expires_at}" >&2
echo "========================================" >&2
echo "" >&2
echo "${token}"
}
main "$@"