Replaces `export GH_TOKEN` with a file-based approach using
`$AGENT_HOME/.gh-token`. Each agent writes its token to its own
file path, avoiding env-var collisions when multiple agents
generate tokens concurrently.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Keep SKILL.md with inline token generation commands and env var
docs. Delete the bundled generate_token.sh script — no backward
compatibility shims.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Script paths used `./github-app-token/scripts/...` which assumed the
working directory was the repo root. When the skill is synced to
consuming agents, the runtime base directory is already inside the
skill folder, so the correct path is `./scripts/...`.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Agents report "not executable" errors when the skill files are
delivered without the executable bit preserved. Using `bash ./...`
instead of `./...` in all examples avoids this regardless of
file permissions in the consuming environment.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add --raw flag that prints only the token value (no export wrapper),
making GH_TOKEN=$(./generate_token.sh --raw) the recommended pattern
for AI agents and CI/CD.
- Clean up die() to only write to stderr (remove eval-safe stdout hack).
- Fix SKILL.md: correct step numbering, remove unused grep prerequisite,
replace placeholder paths, lead with --raw usage, move eval to legacy.
- Update CLAUDE.md to reflect new --raw pattern.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
SKILL.md instructions now clarify that GH_TOKEN must be used in the
same shell invocation as the eval, with chained command examples.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replaced my bash implementation with the user's provided snippet.
Key differences that fix the bad credentials issue on macOS:
1. Uses openssl enc -base64 -A instead of openssl base64
2. Uses jq -r -c . to strictly format the JSON header/payload
3. Explicitly wraps the RSA signature binary in b64enc.
Replaced generate_jwt.py with generate_jwt.sh using only openssl and
coreutils. Updated SKILL.md to remove the python fallback section and
use grep/cut for JSON parsing instead of python3.
The previous implementation had a stdin conflict -- it passed the PEM
key on stdin but also needed to pass the unsigned data on stdin. Now
that we take a file path, openssl reads the key from the file and gets
the data to sign from stdin.
Also removed the dead-code tempfile fallback and unused hashlib import.
Goose
Chris Farhood