farhoodlabs/skills
8
0
Fork 1
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
964cc0de002103e97c35fe92059b17712b3ff5de
skills/github-app-token/SKILL.md
T
Chris Farhood 964cc0de00 fix: use user-provided JWT generation logic 
Replaced my bash implementation with the user's provided snippet.
Key differences that fix the bad credentials issue on macOS:
1. Uses openssl enc -base64 -A instead of openssl base64
2. Uses jq -r -c . to strictly format the JSON header/payload
3. Explicitly wraps the RSA signature binary in b64enc.
2026-03-25 22:19:02 -04:00

2.7 KiB
Raw Blame History

name, description
name description
github-app-token Generate a GitHub installation access token from a GitHub App PEM key, App ID, and Installation ID, then authenticate the gh CLI with it.

GitHub App Token Skill

Generate a short-lived GitHub installation access token from a GitHub App's credentials and use it to authenticate the gh CLI.

Prerequisites

The following environment variables MUST be set before invoking this skill:

Variable Description
GITHUB_APP_ID The numeric App ID from the GitHub App settings page
GITHUB_APP_INSTALLATION_ID The numeric Installation ID for the target org/user
GITHUB_APP_PEM_FILE Absolute path to the GitHub App's PEM private key file

If any variable is missing, stop and tell the user which ones are required.

Requires openssl, curl, grep, and jq (standard on modern environments).

Steps

1. Generate a JWT

Run the helper script bundled with this skill:

TOKEN=$(bash /path/to/skills/github-app-token/scripts/generate_jwt.sh)

The JWT uses:

  • Algorithm: RS256
  • Header: {"alg": "RS256", "typ": "JWT"}
  • Payload:
    • iat: current time minus 60 seconds (clock drift buffer)
    • exp: current time plus 600 seconds (10 minute max)
    • iss: the GITHUB_APP_ID

2. Exchange the JWT for an installation access token

RESPONSE=$(curl -s -X POST \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "https://api.github.com/app/installations/${GITHUB_APP_INSTALLATION_ID}/access_tokens")

INSTALL_TOKEN=$(echo "$RESPONSE" | grep -o '"token":"[^"]*"' | head -1 | cut -d'"' -f4)

If the response contains an error (e.g., 401 Unauthorized), check:

  1. The PEM key matches the App ID
  2. The Installation ID is valid for this App
  3. The system clock is accurate (JWT iat/exp are time-sensitive)

3. Authenticate the gh CLI

echo "${INSTALL_TOKEN}" | gh auth login --with-token

Verify it worked:

gh auth status

You should see authentication via token for github.com.

4. Cleanup

The installation access token expires after 1 hour. There is nothing to revoke unless you want to explicitly invalidate it early:

curl -s -X DELETE \
  -H "Authorization: Bearer ${INSTALL_TOKEN}" \
  -H "Accept: application/vnd.github+json" \
  "https://api.github.com/installation/token"

Security Notes

  • Never log or echo the PEM key, JWT, or installation token to stdout in production.
  • The JWT is valid for at most 10 minutes. The installation token is valid for 1 hour.
  • Store the PEM file with restrictive permissions (chmod 600) and never check it into git.
Reference in New Issue View Git Blame Copy Permalink