Revert "fix(github-app-token): expand unexpanded $VAR in GH_CONFIG_DIR with injection guard"

This reverts commit f7a65e153c.
2026-05-03 18:05:37 -04:00
parent f7a65e153c
commit 4f32fac49b
2 changed files with 16 additions and 25 deletions
+1 -2
@@ -15,7 +15,6 @@ Generate a short-lived GitHub App installation token and authenticate `gh`.
| `GITHUB_APP_INSTALLATION_ID` | Numeric Installation ID for the target org/user |
| `GITHUB_APP_PEM_FILE` | Absolute path to the App's PEM private key file *(one of `GITHUB_APP_PEM` or `GITHUB_APP_PEM_FILE` required)* |
| `GITHUB_APP_PEM` | Raw PEM private key content as an env var *(one of `GITHUB_APP_PEM` or `GITHUB_APP_PEM_FILE` required)* |
| `GH_CONFIG_DIR` | Optional. Directory for token and `gh` config. The skill validates the path contains only safe characters (`[a-zA-Z0-9/_.:-]`) before using `eval` to expand any remaining `$VAR` references. If not set, `gh` uses its default config directory. |
`GITHUB_APP_PEM` takes precedence over `GITHUB_APP_PEM_FILE` when both are set. Using `GITHUB_APP_PEM` avoids the need to write the key to disk ahead of time — it is written to a temp file with `chmod 600` and deleted after token generation.
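Review bot: the `GH_CONFIG_DIR` row leaves the variable table entirely, yet the usage paragraph in the next hunk still names `$GH_CONFIG_DIR` as the place `.gh-token` is written, so the variable ends up used but unlisted. If the `eval` expansion and its `[a-zA-Z0-9/_.:-]` allowlist are gone, it makes sense to stop describing them, but suggest keeping a row that says what the variable is for and states whether its value is used as given, without `$VAR` expansion. The commit message only names the reverted commit; one sentence on why the expansion was backed out would help the next reader.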
@@ -25,6 +24,6 @@ Generate a short-lived GitHub App installation token and authenticate `gh`.
bash github-app-token/scripts/generate-token.sh
```
The script validates env vars, generates a JWT, exchanges it for an installation token, writes the token to `.gh-token` inside `$GH_CONFIG_DIR` (if set) or gh's default config directory (if not set), and runs `gh auth login`. On success it prints a confirmation line. On failure it exits non-zero with a descriptive error.
The script validates env vars, generates a JWT, exchanges it for an installation token, writes the token to `.gh-token` inside `$GH_CONFIG_DIR` (preferred) or `$AGENT_HOME` (fallback), and runs `gh auth login`. If neither `GH_CONFIG_DIR` nor `AGENT_HOME` is set the script exits non-zero rather than silently writing the token to a default location. On success it prints a confirmation line. On failure it exits non-zero with a descriptive error.
Requires `openssl`, `curl`, `jq`, and `gh`.
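Review bot: the variant of the "The script validates env vars" paragraph that names `$AGENT_HOME` as the fallback relies on a variable with no row among the table rows visible in the first hunk; add a row for it or point to where it is defined. The two variants also describe opposite behaviour when `GH_CONFIG_DIR` is unset (fall back to gh's default config directory versus exit non-zero), so the script side of this commit should be checked against whichever wording remains. Separately, the PEM temp file is documented as `chmod 600`, but nothing here states the mode of `.gh-token`, which holds a live installation token; worth documenting alongside the write location.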