f7a65e153c
When GH_CONFIG_DIR is passed as a literal string like '$AGENT_HOME/.github' (unexpanded by the caller), the script now detects this, validates the path contains only safe characters, then uses eval to expand it to the real path. Also removes the AGENT_HOME fallback — when GH_CONFIG_DIR is not set, the script now lets gh use its default config directory (~/.config/gh) directly, rather than failing or writing to a non-standard location.
31 lines
1.7 KiB
Markdown
---
name: github-app-token
description: Generate a GitHub installation access token from a GitHub App PEM key, App ID, and Installation ID, write it to a per-agent file, then authenticate the gh CLI with it.
---

# GitHub App Token Skill

Generate a short-lived GitHub App installation token and authenticate `gh`.

## Required Environment Variables

| Variable | Description |
|---|---|
| `GITHUB_APP_ID` | Numeric App ID from the GitHub App's settings page |
| `GITHUB_APP_INSTALLATION_ID` | Numeric Installation ID for the target org or user |
| `GITHUB_APP_PEM_FILE` | Absolute path to the App's PEM private key file *(one of `GITHUB_APP_PEM` or `GITHUB_APP_PEM_FILE` is required)* |
| `GITHUB_APP_PEM` | Raw PEM private key content as an env var *(one of `GITHUB_APP_PEM` or `GITHUB_APP_PEM_FILE` is required)* |
| `GH_CONFIG_DIR` | Optional. Directory for the token file and `gh` config. The skill checks that the value contains only characters from the allowlist `[a-zA-Z0-9/_.:-]` and then uses `eval` to expand any remaining `$VAR` references, so a caller that passes the literal string `$AGENT_HOME/.github` still ends up with the real path. That allowlist is the only thing keeping `eval` away from arbitrary command execution on a caller-controlled value, so never add shell metacharacters (`;`, `|`, `&`, `(`, backticks, whitespace) to it; note also that, as quoted here, it does not contain `$`, so check the script's actual pattern before depending on the expansion. If not set, `gh` uses its default config directory (`~/.config/gh`). |
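
The same expansion can be done without `eval` at all. The script below is an added example, not the skill's `generate-token.sh`: it keeps the allowlist idea but substitutes `$NAME` / `${NAME}` references through bash indirect expansion, so the caller-controlled string is never parsed as shell syntax. The function names `validate_config_dir` and `expand_config_dir`, and the widened allowlist (the page's set plus `$`, `{`, `}`), are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example (not the skill's script): resolve a GH_CONFIG_DIR value such as
# the literal '$AGENT_HOME/.github' without handing the string to eval.
# validate_config_dir / expand_config_dir are this example's own names.
set -euo pipefail

# Allowlist: the page's [a-zA-Z0-9/_.:-] plus '$', '{' and '}', which an
# unexpanded '$AGENT_HOME/.github' needs in order to get past the check at all.
# Everything the shell could act on ($(...), backticks, ';', '|', whitespace)
# stays outside the set.
ALLOWED_RE='^[A-Za-z0-9/_.:${}-]+$'
# One $NAME or ${NAME} token; the capture group is the variable name.
VAR_RE='\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?'

validate_config_dir() {
  local raw=$1
  [[ -n "$raw" ]] || { echo "GH_CONFIG_DIR is empty" >&2; return 1; }
  [[ "$raw" =~ $ALLOWED_RE ]] || {
    echo "GH_CONFIG_DIR contains characters outside the allowlist: $raw" >&2
    return 1
  }
}

# Substitute each variable reference using bash indirect expansion (${!name}).
# The untrusted string is never parsed as shell syntax, so there is no eval
# and nothing for an attacker-controlled value to inject.
expand_config_dir() {
  local raw=$1 out="" name value ref
  validate_config_dir "$raw" || return 1
  while [[ "$raw" =~ $VAR_RE ]]; do
    ref=${BASH_REMATCH[0]}
    name=${BASH_REMATCH[1]}
    value=${!name:-}
    # An unset variable would silently yield "/.github"; fail instead.
    [[ -n "$value" ]] || { echo "GH_CONFIG_DIR references unset variable \$$name" >&2; return 1; }
    # The substituted value must itself be a plain path (no further '$').
    [[ "$value" =~ ^[A-Za-z0-9/_.:-]+$ ]] || {
      echo "value of \$$name is not a plain path: $value" >&2; return 1
    }
    out+=${raw%%"$ref"*}$value   # text before the reference, then its value
    raw=${raw#*"$ref"}           # continue after the reference
  done
  printf '%s\n' "$out$raw"
}

# Usage: bash expand-config-dir.sh '$AGENT_HOME/.github'
if [[ $# -gt 0 ]]; then
  expand_config_dir "$1"
fi
```

Run it with `AGENT_HOME=/srv/agent bash expand-config-dir.sh '$AGENT_HOME/.github'` and it prints `/srv/agent/.github`; a value such as `$(id)/.github` is rejected by the allowlist before any substitution, and a reference to an unset variable is an error rather than a path under `/`.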

`GITHUB_APP_PEM` takes precedence over `GITHUB_APP_PEM_FILE` when both are set. Using `GITHUB_APP_PEM` avoids having to place the key on disk ahead of time: the script writes it to a temporary file, restricts that file with `chmod 600`, and deletes it once the token has been generated. Bear in mind that environment variables are inherited by every child process and are easy to leak into CI logs, so prefer `GITHUB_APP_PEM_FILE` where the runtime can mount the key as a file.

## Usage

```bash
bash github-app-token/scripts/generate-token.sh
```

The script validates the environment variables, builds a JWT signed with the App's private key, exchanges it for an installation access token, writes that token to `.gh-token` inside `$GH_CONFIG_DIR` (if set) or gh's default config directory (if not), and runs `gh auth login` with it. On success it prints a confirmation line; on failure it exits non-zero with a descriptive error. Installation access tokens expire after one hour, so re-run the script when the token lapses.
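
The flow above, and the PEM handling described under the environment variables, as one added example. This is not the skill's `generate-token.sh`; the function names (`b64url`, `build_jwt`, `locate_pem`, `installation_token`, `write_token`) and the `--run` switch are this example's own. The GitHub endpoint, headers and JWT claim limits are GitHub's documented App authentication API. Network and `gh` calls only happen with `--run`; the helpers run offline.

```bash
#!/usr/bin/env bash
# Added example (not the skill's generate-token.sh): the same flow end to end,
# so the moving parts are visible. Function names are this example's own.
# Network and gh calls run only with --run; everything else is pure shell.
set -euo pipefail

# base64url without padding, as JWT segments require (RFC 7515, appendix C).
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

jwt_header() { printf '{"alg":"RS256","typ":"JWT"}'; }

# Claims for GitHub App authentication: iat backdated 60 s for clock skew,
# exp no more than 10 minutes ahead (GitHub rejects longer), iss = App ID.
jwt_claims() {  # $1 = app id, $2 = epoch seconds "now"
  printf '{"iat":%d,"exp":%d,"iss":%d}' "$(( $2 - 60 ))" "$(( $2 + 540 ))" "$1"
}

# RS256 = SHA-256 over "header.claims", signed with the App's RSA private key.
build_jwt() {  # $1 = app id, $2 = PEM private key file
  local header claims input sig
  header=$(jwt_header | b64url)
  claims=$(jwt_claims "$1" "$(date +%s)" | b64url)
  input="$header.$claims"
  sig=$(printf '%s' "$input" | openssl dgst -sha256 -sign "$2" -binary | b64url)
  printf '%s.%s\n' "$input" "$sig"
}

# Locate the key. GITHUB_APP_PEM wins; its content goes to a temp file that
# mktemp creates 0600 from the start (no create-then-chmod window) and that is
# removed when the script exits. Sets PEM_PATH instead of echoing it, because
# a trap set inside $(...) would fire as soon as that subshell ended.
PEM_PATH=""
locate_pem() {
  if [[ -n "${GITHUB_APP_PEM:-}" ]]; then
    PEM_PATH=$(mktemp)
    trap "rm -f '$PEM_PATH'" EXIT
    printf '%s\n' "$GITHUB_APP_PEM" > "$PEM_PATH"
  elif [[ -n "${GITHUB_APP_PEM_FILE:-}" ]]; then
    [[ -r "$GITHUB_APP_PEM_FILE" ]] || { echo "cannot read $GITHUB_APP_PEM_FILE" >&2; return 1; }
    PEM_PATH=$GITHUB_APP_PEM_FILE
  else
    echo "set GITHUB_APP_PEM or GITHUB_APP_PEM_FILE" >&2; return 1
  fi
}

# Exchange the JWT for an installation access token (valid for one hour).
installation_token() {  # $1 = jwt, $2 = installation id
  curl -fsS -X POST \
    -H "Authorization: Bearer $1" \
    -H "Accept: application/vnd.github+json" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    "https://api.github.com/app/installations/$2/access_tokens" | jq -er '.token'
}

# Write the token to .gh-token under the config dir ('' = gh's default,
# ~/.config/gh) with 0600 permissions, and print the file's path.
write_token() {  # $1 = token, $2 = config dir or ''
  local dir=${2:-$HOME/.config/gh} file
  file=$dir/.gh-token
  mkdir -p -m 700 "$dir"
  ( umask 077; printf '%s\n' "$1" > "$file" )  # a new file is created 0600
  chmod 600 "$file"                             # an existing file is tightened too
  printf '%s\n' "$file"
}

# Usage: bash github-app-token.sh --run   (with the env vars from the table set).
# GH_CONFIG_DIR is used here exactly as given; expanding a literal '$VAR' in it
# is a separate step that this example does not perform.
if [[ "${1:-}" == --run ]]; then
  for tool in openssl curl jq gh; do
    command -v "$tool" >/dev/null || { echo "missing $tool" >&2; exit 1; }
  done
  [[ "${GITHUB_APP_ID:-}" =~ ^[0-9]+$ ]] || { echo "GITHUB_APP_ID must be numeric" >&2; exit 1; }
  [[ "${GITHUB_APP_INSTALLATION_ID:-}" =~ ^[0-9]+$ ]] || { echo "GITHUB_APP_INSTALLATION_ID must be numeric" >&2; exit 1; }
  locate_pem
  jwt=$(build_jwt "$GITHUB_APP_ID" "$PEM_PATH")
  token=$(installation_token "$jwt" "$GITHUB_APP_INSTALLATION_ID")
  token_file=$(write_token "$token" "${GH_CONFIG_DIR:-}")
  if [[ -n "${GH_CONFIG_DIR:-}" ]]; then export GH_CONFIG_DIR; fi  # gh reads it from the environment
  gh auth login --with-token < "$token_file"
  echo "gh authenticated with installation token; stored at $token_file"
fi
```

Two details worth keeping when adapting this: the temp key file is created by `mktemp` (already `0600`) and only then written, so there is no moment where the key sits in a world-readable file waiting for `chmod`; and the token file is written under `umask 077` and then `chmod 600`, so both a fresh file and a pre-existing one end up private.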

Requires `openssl`, `curl`, `jq`, and `gh`.