skills/github-app-token/SKILL.md
Chris Farhood f7a65e153c fix(github-app-token): expand unexpanded $VAR in GH_CONFIG_DIR with injection guard
When GH_CONFIG_DIR is passed as a literal string like '$AGENT_HOME/.github'
(unexpanded by the caller), the script now detects this, validates the path
contains only safe characters, then uses eval to expand it to the real path.

Also removes the AGENT_HOME fallback — when GH_CONFIG_DIR is not set, the
script now lets gh use its default config directory (~/.config/gh) directly,
rather than failing or writing to a non-standard location.
2026-05-03 17:34:30 -04:00

| name | description |
| --- | --- |
| github-app-token | Generate a GitHub installation access token from a GitHub App PEM key, App ID, and Installation ID, write it to a per-agent file, then authenticate the gh CLI with it. |

# GitHub App Token Skill

Generate a short-lived GitHub App installation token and authenticate gh.

## Required Environment Variables

| Variable | Description |
| --- | --- |
| `GITHUB_APP_ID` | Numeric App ID from GitHub App settings |
| `GITHUB_APP_INSTALLATION_ID` | Numeric Installation ID for the target org/user |
| `GITHUB_APP_PEM_FILE` | Absolute path to the App's PEM private key file (one of `GITHUB_APP_PEM` or `GITHUB_APP_PEM_FILE` required) |
| `GITHUB_APP_PEM` | Raw PEM private key content as an env var (one of `GITHUB_APP_PEM` or `GITHUB_APP_PEM_FILE` required) |
| `GH_CONFIG_DIR` | Optional. Directory for token and gh config. The skill validates the path contains only safe characters (`[a-zA-Z0-9/_.:-]`) before using `eval` to expand any remaining `$VAR` references. If not set, gh uses its default config directory. |

GITHUB_APP_PEM takes precedence over GITHUB_APP_PEM_FILE when both are set. Using GITHUB_APP_PEM avoids the need to write the key to disk ahead of time — it is written to a temp file with chmod 600 and deleted after token generation.
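The `GH_CONFIG_DIR` guard described above, as an added example that is not the skill's own `generate-token.sh`: it applies the same character allowlist (extended with `$`, `{` and `}` so that an unexpanded reference can pass at all) and then resolves `$VAR` / `${VAR}` references by looking them up with `printenv` instead of handing the string to `eval`. The function names and the extra checks (referenced variables must be set and non-empty, the result must be an absolute path) are this example's own choices.

```shell
# Added example, not the skill's own generate-token.sh: expand an unexpanded
# "$VAR" reference in GH_CONFIG_DIR without handing the string to eval.
# Function names, the '$', '{' and '}' added to the allowlist, and the extra
# checks (variable must be set, result must be absolute) are this example's.

# The page's allowlist is [a-zA-Z0-9/_.:-]; '$', '{' and '}' are admitted here
# as well, otherwise a value like '$AGENT_HOME/.github' could never pass.
is_safe_config_dir() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9/_.:${}-]+$'
}

# Print the expanded path on stdout, or return 1 with a reason on stderr.
# Only the raw input is scanned for '$VAR' / '${VAR}', so a variable whose
# value itself contains '$' is copied literally (single expansion, as eval).
expand_config_dir() {
  raw=$1
  is_safe_config_dir "$raw" || {
    printf "GH_CONFIG_DIR has disallowed characters: '%s'\n" "$raw" >&2; return 1; }
  acc=''
  rest=$raw
  while :; do
    case $rest in
      *\$*) ;;                          # a reference is still pending
      *) break ;;
    esac
    literal=${rest%%\$*}                # text before the next '$'
    rest=${rest#"$literal"}
    rest=${rest#?}                      # drop the '$' itself
    braced=0
    case $rest in \{*) braced=1; rest=${rest#?} ;; esac
    name=$(printf '%s' "$rest" | sed -nE 's/^([A-Za-z_][A-Za-z0-9_]*).*/\1/p')
    [ -n "$name" ] || { printf "GH_CONFIG_DIR: malformed reference in '%s'\n" "$raw" >&2; return 1; }
    rest=${rest#"$name"}
    if [ "$braced" -eq 1 ]; then
      case $rest in \}*) rest=${rest#?} ;;
        *) printf "GH_CONFIG_DIR: unterminated '\${' in '%s'\n" "$raw" >&2; return 1 ;; esac
    fi
    # Reject unset/empty variables instead of silently expanding them to '',
    # which would turn '$AGENT_HOME/.github' into '/.github'.
    value=$(printenv "$name") && [ -n "$value" ] || {
      printf 'GH_CONFIG_DIR: $%s is unset or empty\n' "$name" >&2; return 1; }
    acc=$acc$literal$value
  done
  acc=$acc$rest
  case $acc in
    /*) printf '%s\n' "$acc" ;;
    *) printf "GH_CONFIG_DIR must expand to an absolute path: '%s'\n" "$acc" >&2; return 1 ;;
  esac
}
```

In a script it would be called as `GH_CONFIG_DIR=$(expand_config_dir "$GH_CONFIG_DIR") || exit 1` before anything is written under that directory.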

## Usage

```bash
bash github-app-token/scripts/generate-token.sh
```

The script validates env vars, generates a JWT, exchanges it for an installation token, writes the token to .gh-token inside $GH_CONFIG_DIR (if set) or gh's default config directory (if not set), and runs gh auth login. On success it prints a confirmation line. On failure it exits non-zero with a descriptive error.

Requires openssl, curl, jq, and gh.