Chris Farhood
dedb35953b
Replaced generate_jwt.py with generate_jwt.sh using only openssl and coreutils. Updated SKILL.md to remove the python fallback section and use grep/cut for JSON parsing instead of python3.
42 lines
1.1 KiB
Bash
Executable File
42 lines
1.1 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Generate a JWT for GitHub App authentication.
|
|
#
|
|
# Required environment variables:
|
|
# GITHUB_APP_ID - The GitHub App's numeric ID
|
|
# GITHUB_APP_PEM_FILE - Path to the PEM-encoded private key file
|
|
#
|
|
# Prints the signed JWT to stdout.
|
|
|
|
set -euo pipefail
|
|
|
|
if [[ -z "${GITHUB_APP_ID:-}" ]]; then
|
|
echo "error: GITHUB_APP_ID is not set" >&2
|
|
exit 1
|
|
fi
|
|
|
|
if [[ -z "${GITHUB_APP_PEM_FILE:-}" ]]; then
|
|
echo "error: GITHUB_APP_PEM_FILE is not set" >&2
|
|
exit 1
|
|
fi
|
|
|
|
if [[ ! -f "${GITHUB_APP_PEM_FILE}" ]]; then
|
|
echo "error: PEM file not found: ${GITHUB_APP_PEM_FILE}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
## Build JWT
|
|
|
|
header=$(printf '{"alg":"RS256","typ":"JWT"}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
|
|
|
|
now=$(date +%s)
|
|
iat=$((now - 60))
|
|
exp=$((now + 600))
|
|
|
|
payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "$iat" "$exp" "$GITHUB_APP_ID" | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
|
|
|
|
unsigned="${header}.${payload}"
|
|
|
|
signature=$(printf '%s' "$unsigned" | openssl dgst -sha256 -sign "${GITHUB_APP_PEM_FILE}" -binary | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
|
|
|
|
echo "${unsigned}.${signature}"
|