farhoodlabs/skills
8
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8efb3313344fd63cc5f5a43f6832bf4e75d5c273
skills/github-app-token/scripts/generate-token.sh
T
Goose 8efb331334 refactor: apply FAR-95 skills review follow-ups 
- Remove `playwright-ephemeral/` and `shannon/` entirely per board direction
- Fix `minimax-image-generation/SKILL.md` so YAML frontmatter is at line 1
- Add `minimax-image-generation/scripts/generate.sh` (argparse, error-checked, executable) and document invoking it via `bash scripts/generate.sh ...`
- Deduplicate `minimax-image-generation/CLAUDE.md` against SKILL.md
- `github-app-token`: write token to `$GH_CONFIG_DIR/.gh-token` (preferred) or `$AGENT_HOME/.gh-token` (fallback), fail loudly if neither is set instead of leaking to `mktemp`
- Refresh root `CLAUDE.md` to match actual directory contents and patterns
- Add root `README.md` with human-facing skills index

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-17 01:34:22 +00:00

74 lines
2.7 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
die() { echo "ERROR: $*" >&2; exit 1; }
# --- Validate required env vars ---
[[ -z "${GITHUB_APP_ID:-}" ]] && die "GITHUB_APP_ID is not set"
[[ -z "${GITHUB_APP_INSTALLATION_ID:-}" ]] && die "GITHUB_APP_INSTALLATION_ID is not set"
# Resolve PEM key: prefer GITHUB_APP_PEM (inline data), fall back to GITHUB_APP_PEM_FILE
_CLEANUP_PEM_FILE=""
if [[ -n "${GITHUB_APP_PEM:-}" ]]; then
_TMP_PEM=$(mktemp)
_CLEANUP_PEM_FILE="$_TMP_PEM"
printf '%s' "$GITHUB_APP_PEM" > "$_TMP_PEM"
chmod 600 "$_TMP_PEM"
GITHUB_APP_PEM_FILE="$_TMP_PEM"
elif [[ -n "${GITHUB_APP_PEM_FILE:-}" ]]; then
[[ ! -f "$GITHUB_APP_PEM_FILE" ]] && die "PEM file not found: $GITHUB_APP_PEM_FILE"
else
die "Either GITHUB_APP_PEM (inline PEM data) or GITHUB_APP_PEM_FILE (path to PEM file) must be set"
fi
cleanup() { [[ -n "$_CLEANUP_PEM_FILE" ]] && rm -f "$_CLEANUP_PEM_FILE"; }
trap cleanup EXIT
for cmd in openssl curl jq gh; do
command -v "$cmd" >/dev/null 2>&1 || die "Required command not found: $cmd"
done
# --- Build JWT (valid 10 minutes) ---
b64url() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; }
NOW=$(date +%s)
HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
PAYLOAD=$(printf '{"iat":%s,"exp":%s,"iss":"%s"}' "$NOW" "$((NOW + 600))" "$GITHUB_APP_ID" | b64url)
SIGNED="${HEADER}.${PAYLOAD}"
SIG=$(printf '%s' "$SIGNED" | openssl dgst -binary -sha256 -sign "$GITHUB_APP_PEM_FILE" | b64url)
JWT="${SIGNED}.${SIG}"
# --- Exchange JWT for installation access token ---
RESPONSE=$(curl -sf -X POST \
-H "Authorization: Bearer ${JWT}" \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/app/installations/${GITHUB_APP_INSTALLATION_ID}/access_tokens") \
|| die "GitHub API request failed — check App ID, Installation ID, and PEM key"
TOKEN=$(echo "$RESPONSE" | jq -r '.token // empty')
[[ -z "$TOKEN" ]] && die "No token in GitHub response: $RESPONSE"
# --- Resolve token file location ---
# Prefer GH_CONFIG_DIR (so the token lives alongside the per-agent gh config),
# fall back to AGENT_HOME, fail loudly if neither is set rather than silently
# writing to /tmp and leaking the token.
if [[ -n "${GH_CONFIG_DIR:-}" ]]; then
GH_TOKEN_DIR="$GH_CONFIG_DIR"
elif [[ -n "${AGENT_HOME:-}" ]]; then
GH_TOKEN_DIR="$AGENT_HOME"
else
die "Neither GH_CONFIG_DIR nor AGENT_HOME is set — refusing to write the token to a default location"
fi
mkdir -p "$GH_TOKEN_DIR"
GH_TOKEN_FILE="$GH_TOKEN_DIR/.gh-token"
printf '%s' "$TOKEN" > "$GH_TOKEN_FILE"
chmod 600 "$GH_TOKEN_FILE"
# --- Authenticate gh CLI ---
gh auth login --with-token < "$GH_TOKEN_FILE"
echo "Authenticated. Token written to $GH_TOKEN_FILE (expires in 1 hour)."
Reference in New Issue View Git Blame Copy Permalink