forked from farhoodlabs/skills
feat: Generate GitHub App installation access tokens directly via a new script and update documentation.
This commit is contained in:
+17
-29
@@ -23,44 +23,32 @@ Requires `openssl`, `curl`, `grep`, and `jq` (standard on modern environments).
|
|||||||
|
|
||||||
## Steps
|
## Steps
|
||||||
|
|
||||||
### 1. Generate a JWT
|
### 1. Generate and Export Token
|
||||||
|
|
||||||
Run the helper script bundled with this skill:
|
Run the helper script and `eval` its output. This securely exports the short-lived GitHub installation access token as `GH_TOKEN` into your current process environment:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
TOKEN=$(bash /path/to/skills/github-app-token/scripts/generate_jwt.sh)
|
eval "$(/path/to/skills/github-app-token/scripts/generate_token.sh)"
|
||||||
```
|
```
|
||||||
|
|
||||||
The JWT uses:
|
> [!NOTE]
|
||||||
- **Algorithm**: RS256
|
> Because this uses `eval`, the token is scoped only to the current terminal session, process, or script that executes it. For a CI/CD environment (like GitHub Actions), you can extract the token to pass it between steps like so:
|
||||||
- **Header**: `{"alg": "RS256", "typ": "JWT"}`
|
> `echo "GH_TOKEN=$(/path/to/skills/github-app-token/scripts/generate_token.sh | cut -d'"' -f2)" >> $GITHUB_ENV`
|
||||||
- **Payload**:
|
|
||||||
- `iat`: current time minus 60 seconds (clock drift buffer)
|
|
||||||
- `exp`: current time plus 600 seconds (10 minute max)
|
|
||||||
- `iss`: the `GITHUB_APP_ID`
|
|
||||||
|
|
||||||
### 2. Exchange the JWT for an installation access token
|
The script will:
|
||||||
|
1. Generate a short-lived JWT using your App ID and PEM key
|
||||||
|
2. Exchange the JWT to get a GitHub Installation Access Token
|
||||||
|
3. Output the `export GH_TOKEN=...` command to set it in your environment.
|
||||||
|
### 2. Authenticate the gh CLI
|
||||||
|
|
||||||
|
With `GH_TOKEN` set, the `gh` CLI operates securely and without needing a separate authentication login for most API operations. Note that `gh auth status` may not reflect the token since it checks local config, but `gh` will respect the `GH_TOKEN` environment variable!
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
RESPONSE=$(curl -s -X POST \
|
# Check that gh is working
|
||||||
-H "Authorization: Bearer ${TOKEN}" \
|
gh api user
|
||||||
-H "Accept: application/vnd.github+json" \
|
|
||||||
-H "X-GitHub-Api-Version: 2022-11-28" \
|
|
||||||
"https://api.github.com/app/installations/${GITHUB_APP_INSTALLATION_ID}/access_tokens")
|
|
||||||
|
|
||||||
INSTALL_TOKEN=$(echo "$RESPONSE" | grep -o '"token":"[^"]*"' | head -1 | cut -d'"' -f4)
|
|
||||||
```
|
```
|
||||||
|
|
||||||
If the response contains an error (e.g., `401 Unauthorized`), check:
|
*(Alternatively, to specifically configure gh auth locally, you can use: `echo "${GH_TOKEN}" | gh auth login --with-token`)*
|
||||||
1. The PEM key matches the App ID
|
|
||||||
2. The Installation ID is valid for this App
|
|
||||||
3. The system clock is accurate (JWT `iat`/`exp` are time-sensitive)
|
|
||||||
|
|
||||||
### 3. Authenticate the gh CLI
|
|
||||||
|
|
||||||
```bash
|
|
||||||
echo "${INSTALL_TOKEN}" | gh auth login --with-token
|
|
||||||
```
|
|
||||||
|
|
||||||
Verify it worked:
|
Verify it worked:
|
||||||
|
|
||||||
@@ -76,7 +64,7 @@ The installation access token expires after 1 hour. There is nothing to revoke u
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
curl -s -X DELETE \
|
curl -s -X DELETE \
|
||||||
-H "Authorization: Bearer ${INSTALL_TOKEN}" \
|
-H "Authorization: Bearer ${GH_TOKEN}" \
|
||||||
-H "Accept: application/vnd.github+json" \
|
-H "Accept: application/vnd.github+json" \
|
||||||
"https://api.github.com/installation/token"
|
"https://api.github.com/installation/token"
|
||||||
```
|
```
|
||||||
|
|||||||
+17
-2
@@ -47,5 +47,20 @@ SIG=$(printf '%s' "${SIGNED_CONTENT}" | openssl dgst -binary -sha256 -sign "${GI
|
|||||||
|
|
||||||
JWT=$(printf '%s.%s' "${SIGNED_CONTENT}" "${SIG}")
|
JWT=$(printf '%s.%s' "${SIGNED_CONTENT}" "${SIG}")
|
||||||
|
|
||||||
# Echo the token to stdout as expected by the skill
|
# Exchange JWT for an installation access token
|
||||||
echo "${JWT}"
|
RESPONSE=$(curl -s -X POST \
|
||||||
|
-H "Authorization: Bearer ${JWT}" \
|
||||||
|
-H "Accept: application/vnd.github+json" \
|
||||||
|
-H "X-GitHub-Api-Version: 2022-11-28" \
|
||||||
|
"https://api.github.com/app/installations/${GITHUB_APP_INSTALLATION_ID}/access_tokens")
|
||||||
|
|
||||||
|
INSTALL_TOKEN=$(printf '%s' "${RESPONSE}" | jq -r '.token // empty')
|
||||||
|
|
||||||
|
if [[ -z "${INSTALL_TOKEN}" ]]; then
|
||||||
|
echo "error: failed to generate installation token" >&2
|
||||||
|
echo "${RESPONSE}" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Output the export command so it can be eval'd by the caller
|
||||||
|
echo "export GH_TOKEN=\"${INSTALL_TOKEN}\""
|
||||||
Reference in New Issue
Block a user