From 97f4cd7d9ba8f740b352e65edc6896e4efa0f694 Mon Sep 17 00:00:00 2001
From: Goose
Date: Thu, 16 Apr 2026 12:25:32 +0000
Subject: [PATCH] feat: support GITHUB_APP_PEM inline env var in github-app-token skill

Allow agents to provide the PEM key directly via GITHUB_APP_PEM env var instead of requiring a file path via GITHUB_APP_PEM_FILE. The inline PEM is written to a secure temp file (chmod 600) and cleaned up on exit.

Co-Authored-By: Paperclip
---
 github-app-token/SKILL.md | 5 ++++-
 github-app-token/scripts/generate-token.sh | 19 +++++++++++++++++--
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/github-app-token/SKILL.md b/github-app-token/SKILL.md
index 52d4528..553f726 100644
--- a/github-app-token/SKILL.md
+++ b/github-app-token/SKILL.md
@@ -13,7 +13,10 @@ Generate a short-lived GitHub App installation token and authenticate `gh`.
 |---|---|
 | `GITHUB_APP_ID` | Numeric App ID from GitHub App settings |
 | `GITHUB_APP_INSTALLATION_ID` | Numeric Installation ID for the target org/user |
-| `GITHUB_APP_PEM_FILE` | Absolute path to the App's PEM private key file |
+| `GITHUB_APP_PEM_FILE` | Absolute path to the App's PEM private key file *(one of `GITHUB_APP_PEM` or `GITHUB_APP_PEM_FILE` required)* |
+| `GITHUB_APP_PEM` | Raw PEM private key content as an env var *(one of `GITHUB_APP_PEM` or `GITHUB_APP_PEM_FILE` required)* |
+
+`GITHUB_APP_PEM` takes precedence over `GITHUB_APP_PEM_FILE` when both are set. Using `GITHUB_APP_PEM` avoids the need to write the key to disk ahead of time — it is written to a temp file with `chmod 600` and deleted after token generation.
 
 ## Usage
 
diff --git a/github-app-token/scripts/generate-token.sh b/github-app-token/scripts/generate-token.sh
index 0b30761..d039c09 100755
--- a/github-app-token/scripts/generate-token.sh
+++ b/github-app-token/scripts/generate-token.sh
@@ -6,8 +6,23 @@ die() { echo "ERROR: $*" >&2; exit 1; }
 # --- Validate required env vars ---
 [[ -z "${GITHUB_APP_ID:-}" ]] && die "GITHUB_APP_ID is not set"
 [[ -z "${GITHUB_APP_INSTALLATION_ID:-}" ]] && die "GITHUB_APP_INSTALLATION_ID is not set"
-[[ -z "${GITHUB_APP_PEM_FILE:-}" ]] && die "GITHUB_APP_PEM_FILE is not set"
-[[ ! -f "$GITHUB_APP_PEM_FILE" ]] && die "PEM file not found: $GITHUB_APP_PEM_FILE"
+
+# Resolve PEM key: prefer GITHUB_APP_PEM (inline data), fall back to GITHUB_APP_PEM_FILE
+_CLEANUP_PEM_FILE=""
+if [[ -n "${GITHUB_APP_PEM:-}" ]]; then
+ _TMP_PEM=$(mktemp)
+ _CLEANUP_PEM_FILE="$_TMP_PEM"
+ printf '%s' "$GITHUB_APP_PEM" > "$_TMP_PEM"
+ chmod 600 "$_TMP_PEM"
+ GITHUB_APP_PEM_FILE="$_TMP_PEM"
+elif [[ -n "${GITHUB_APP_PEM_FILE:-}" ]]; then
+ [[ ! -f "$GITHUB_APP_PEM_FILE" ]] && die "PEM file not found: $GITHUB_APP_PEM_FILE"
+else
+ die "Either GITHUB_APP_PEM (inline PEM data) or GITHUB_APP_PEM_FILE (path to PEM file) must be set"
+fi
+
+cleanup() { [[ -n "$_CLEANUP_PEM_FILE" ]] && rm -f "$_CLEANUP_PEM_FILE"; }
+trap cleanup EXIT
 
 for cmd in openssl curl jq gh; do
 command -v "$cmd" >/dev/null 2>&1 || die "Required command not found: $cmd"
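Review bot: The EXIT trap is installed only after the private key has already been written to the temp file (`trap cleanup EXIT` comes several statements below `printf '%s' "$GITHUB_APP_PEM" > "$_TMP_PEM"`), so a failure in between — `mktemp` producing nothing, or `printf`/`chmod` failing if the script's prologue enables `set -e` (outside the hunk) — exits with the key left on disk. Move `cleanup()` and `trap cleanup EXIT` above the `if` block and guard the allocation with `_TMP_PEM=$(mktemp) || die "could not create temp file for PEM"`. Once the key lives in the file, `unset GITHUB_APP_PEM` right after the `printf` keeps the raw key from being inherited by the child processes the script runs afterwards (the `command -v` check suggests openssl, curl, jq and gh); this only matters if the variable is exported, which the hunk cannot show. Note also that `[[ ! -f … ]]` validation applies only to the file path branch; the inline branch accepts any non-empty string, so a malformed value is first diagnosed by whichever tool reads the file.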