#!/usr/bin/env bash set -euo pipefail die() { echo "ERROR: $*" >&2; exit 1; } # --- Validate required env vars --- [[ -z "${GITHUB_APP_ID:-}" ]] && die "GITHUB_APP_ID is not set" [[ -z "${GITHUB_APP_INSTALLATION_ID:-}" ]] && die "GITHUB_APP_INSTALLATION_ID is not set" # Resolve PEM key: prefer GITHUB_APP_PEM (inline data), fall back to GITHUB_APP_PEM_FILE _CLEANUP_PEM_FILE="" if [[ -n "${GITHUB_APP_PEM:-}" ]]; then _TMP_PEM=$(mktemp) _CLEANUP_PEM_FILE="$_TMP_PEM" printf '%s' "$GITHUB_APP_PEM" > "$_TMP_PEM" chmod 600 "$_TMP_PEM" GITHUB_APP_PEM_FILE="$_TMP_PEM" elif [[ -n "${GITHUB_APP_PEM_FILE:-}" ]]; then [[ ! -f "$GITHUB_APP_PEM_FILE" ]] && die "PEM file not found: $GITHUB_APP_PEM_FILE" else die "Either GITHUB_APP_PEM (inline PEM data) or GITHUB_APP_PEM_FILE (path to PEM file) must be set" fi cleanup() { [[ -n "$_CLEANUP_PEM_FILE" ]] && rm -f "$_CLEANUP_PEM_FILE"; } trap cleanup EXIT for cmd in openssl curl jq gh; do command -v "$cmd" >/dev/null 2>&1 || die "Required command not found: $cmd" done # --- Build JWT (valid 10 minutes) --- b64url() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; } NOW=$(date +%s) HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url) PAYLOAD=$(printf '{"iat":%s,"exp":%s,"iss":"%s"}' "$NOW" "$((NOW + 600))" "$GITHUB_APP_ID" | b64url) SIGNED="${HEADER}.${PAYLOAD}" SIG=$(printf '%s' "$SIGNED" | openssl dgst -binary -sha256 -sign "$GITHUB_APP_PEM_FILE" | b64url) JWT="${SIGNED}.${SIG}" # --- Exchange JWT for installation access token --- RESPONSE=$(curl -sf -X POST \ -H "Authorization: Bearer ${JWT}" \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ "https://api.github.com/app/installations/${GITHUB_APP_INSTALLATION_ID}/access_tokens") \ || die "GitHub API request failed — check App ID, Installation ID, and PEM key" TOKEN=$(echo "$RESPONSE" | jq -r '.token // empty') [[ -z "$TOKEN" ]] && die "No token in GitHub response: $RESPONSE" # --- Write token to file --- GH_TOKEN_FILE="${AGENT_HOME:+${AGENT_HOME}/.gh-token}" GH_TOKEN_FILE="${GH_TOKEN_FILE:-$(mktemp)}" printf '%s' "$TOKEN" > "$GH_TOKEN_FILE" chmod 600 "$GH_TOKEN_FILE" # --- Authenticate gh CLI --- gh auth login --with-token < "$GH_TOKEN_FILE" echo "Authenticated. Token written to $GH_TOKEN_FILE (expires in 1 hour)."