refactor: replace github-app-token docs with executable script
Move token generation logic from inline SKILL.md code blocks into a single scripts/generate-token.sh that agents can invoke directly. Adds env var validation, error handling, and gh CLI auth in one step. Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Goose
Executable
+47
@@ -0,0 +1,47 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
die() { echo "ERROR: $*" >&2; exit 1; }
|
||||
|
||||
# --- Validate required env vars ---
|
||||
[[ -z "${GITHUB_APP_ID:-}" ]] && die "GITHUB_APP_ID is not set"
|
||||
[[ -z "${GITHUB_APP_INSTALLATION_ID:-}" ]] && die "GITHUB_APP_INSTALLATION_ID is not set"
|
||||
[[ -z "${GITHUB_APP_PEM_FILE:-}" ]] && die "GITHUB_APP_PEM_FILE is not set"
|
||||
[[ ! -f "$GITHUB_APP_PEM_FILE" ]] && die "PEM file not found: $GITHUB_APP_PEM_FILE"
|
||||
|
||||
for cmd in openssl curl jq gh; do
|
||||
command -v "$cmd" >/dev/null 2>&1 || die "Required command not found: $cmd"
|
||||
done
|
||||
|
||||
# --- Build JWT (valid 10 minutes) ---
|
||||
b64url() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; }
|
||||
|
||||
NOW=$(date +%s)
|
||||
HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
|
||||
PAYLOAD=$(printf '{"iat":%s,"exp":%s,"iss":"%s"}' "$NOW" "$((NOW + 600))" "$GITHUB_APP_ID" | b64url)
|
||||
SIGNED="${HEADER}.${PAYLOAD}"
|
||||
SIG=$(printf '%s' "$SIGNED" | openssl dgst -binary -sha256 -sign "$GITHUB_APP_PEM_FILE" | b64url)
|
||||
JWT="${SIGNED}.${SIG}"
|
||||
|
||||
# --- Exchange JWT for installation access token ---
|
||||
RESPONSE=$(curl -sf -X POST \
|
||||
-H "Authorization: Bearer ${JWT}" \
|
||||
-H "Accept: application/vnd.github+json" \
|
||||
-H "X-GitHub-Api-Version: 2022-11-28" \
|
||||
"https://api.github.com/app/installations/${GITHUB_APP_INSTALLATION_ID}/access_tokens") \
|
||||
|| die "GitHub API request failed — check App ID, Installation ID, and PEM key"
|
||||
|
||||
TOKEN=$(echo "$RESPONSE" | jq -r '.token // empty')
|
||||
[[ -z "$TOKEN" ]] && die "No token in GitHub response: $RESPONSE"
|
||||
|
||||
# --- Write token to file ---
|
||||
GH_TOKEN_FILE="${AGENT_HOME:+${AGENT_HOME}/.gh-token}"
|
||||
GH_TOKEN_FILE="${GH_TOKEN_FILE:-$(mktemp)}"
|
||||
|
||||
printf '%s' "$TOKEN" > "$GH_TOKEN_FILE"
|
||||
chmod 600 "$GH_TOKEN_FILE"
|
||||
|
||||
# --- Authenticate gh CLI ---
|
||||
gh auth login --with-token < "$GH_TOKEN_FILE"
|
||||
|
||||
echo "Authenticated. Token written to $GH_TOKEN_FILE (expires in 1 hour)."
|
||||
Reference in New Issue
Block a user