feat: support GITHUB_APP_PEM inline env var in github-app-token skill

Allow agents to provide the PEM key directly via GITHUB_APP_PEM env var
instead of requiring a file path via GITHUB_APP_PEM_FILE. The inline PEM
is written to a secure temp file (chmod 600) and cleaned up on exit.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Goose
2026-04-16 12:25:32 +00:00
parent 569c77b1a9
commit 97f4cd7d9b
2 changed files with 21 additions and 3 deletions
+4 -1
@@ -13,7 +13,10 @@ Generate a short-lived GitHub App installation token and authenticate `gh`.
|---|---|
| `GITHUB_APP_ID` | Numeric App ID from GitHub App settings |
| `GITHUB_APP_INSTALLATION_ID` | Numeric Installation ID for the target org/user |
| `GITHUB_APP_PEM_FILE` | Absolute path to the App's PEM private key file |
| `GITHUB_APP_PEM_FILE` | Absolute path to the App's PEM private key file *(one of `GITHUB_APP_PEM` or `GITHUB_APP_PEM_FILE` required)* |
| `GITHUB_APP_PEM` | Raw PEM private key content as an env var *(one of `GITHUB_APP_PEM` or `GITHUB_APP_PEM_FILE` required)* |
`GITHUB_APP_PEM` takes precedence over `GITHUB_APP_PEM_FILE` when both are set. Using `GITHUB_APP_PEM` avoids the need to write the key to disk ahead of time — it is written to a temp file with `chmod 600` and deleted after token generation.
## Usage
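Review bot: the precedence paragraph at the end of this hunk sits directly under the last table row; without a blank line between the `GITHUB_APP_PEM` row and `` `GITHUB_APP_PEM` takes precedence … `` most Markdown renderers will fold that sentence into the table. Insert a blank line before it. While touching that sentence, "avoids the need to write the key to disk ahead of time" reads as if the key never touches disk; state plainly that the script itself writes it to a mode-600 temp file for the duration of the run and removes it on exit, which is what the script hunk does.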
+17 -2
@@ -6,8 +6,23 @@ die() { echo "ERROR: $*" >&2; exit 1; }
# --- Validate required env vars ---
[[ -z "${GITHUB_APP_ID:-}" ]] && die "GITHUB_APP_ID is not set"
[[ -z "${GITHUB_APP_INSTALLATION_ID:-}" ]] && die "GITHUB_APP_INSTALLATION_ID is not set"
[[ -z "${GITHUB_APP_PEM_FILE:-}" ]] && die "GITHUB_APP_PEM_FILE is not set"
[[ ! -f "$GITHUB_APP_PEM_FILE" ]] && die "PEM file not found: $GITHUB_APP_PEM_FILE"
# Resolve PEM key: prefer GITHUB_APP_PEM (inline data), fall back to GITHUB_APP_PEM_FILE
_CLEANUP_PEM_FILE=""
if [[ -n "${GITHUB_APP_PEM:-}" ]]; then
_TMP_PEM=$(mktemp)
_CLEANUP_PEM_FILE="$_TMP_PEM"
printf '%s' "$GITHUB_APP_PEM" > "$_TMP_PEM"
chmod 600 "$_TMP_PEM"
GITHUB_APP_PEM_FILE="$_TMP_PEM"
elif [[ -n "${GITHUB_APP_PEM_FILE:-}" ]]; then
[[ ! -f "$GITHUB_APP_PEM_FILE" ]] && die "PEM file not found: $GITHUB_APP_PEM_FILE"
else
die "Either GITHUB_APP_PEM (inline PEM data) or GITHUB_APP_PEM_FILE (path to PEM file) must be set"
fi
cleanup() { [[ -n "$_CLEANUP_PEM_FILE" ]] && rm -f "$_CLEANUP_PEM_FILE"; }
trap cleanup EXIT
for cmd in openssl curl jq gh; do
command -v "$cmd" >/dev/null 2>&1 || die "Required command not found: $cmd"
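Review bot: `trap cleanup EXIT` is installed only after the temp file has already been created and written; if `printf` or `chmod` fails between `_TMP_PEM=$(mktemp)` and the `trap` line (or the script runs under `set -e`), the private key is left behind in `$TMPDIR` with no cleanup. Define `cleanup` and register the trap before the `if [[ -n "${GITHUB_APP_PEM:-}" ]]` branch so the file is covered from the moment it exists. Also consider `unset GITHUB_APP_PEM` once the temp file is written, so the key material is not exported into the environment of every `openssl`, `curl`, `jq` and `gh` child process the script spawns afterwards, and consider validating the inline key (for example `openssl pkey -in "$_TMP_PEM" -noout`) so a mis-pasted value fails with a clear error, the way the file branch already does for a missing path.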