gb_flea/skills
1
0
Fork 0
forked from farhoodlabs/skills
Code Pull Requests Activity

refactor: rewrite JWT generation from python to bash

Browse Source 
Replaced generate_jwt.py with generate_jwt.sh using only openssl and
coreutils. Updated SKILL.md to remove the python fallback section and
use grep/cut for JSON parsing instead of python3.
This commit is contained in:
Chris Farhood
2026-03-25 21:46:02 -04:00
parent f425b5191e
commit dedb35953b
3 changed files with 49 additions and 109 deletions
Download Patch File Download Diff File Expand all files Collapse all files
github-app-token/SKILL.md
+8 -25
View File
@@ -19,19 +19,18 @@ The following environment variables MUST be set before invoking this skill:
If any variable is missing, stop and tell the user which ones are required.
Requires `openssl`, `curl`, and `grep` (standard on macOS and Linux).
## Steps
### 1. Generate a JWT
Create a JWT signed with the GitHub App's private key. You MUST use the helper script bundled with this skill:
Run the helper script bundled with this skill:
```bash
# generates a JWT valid for 10 minutes
TOKEN=$(python3 "$(dirname "$0")/../skills/github-app-token/scripts/generate_jwt.py")
TOKEN=$(bash /path/to/skills/github-app-token/scripts/generate_jwt.sh)
```
If `python3` is not available, fall back to the inline openssl method described in the Fallback section below.
The JWT uses:
- **Algorithm**: RS256
- **Header**: `{"alg": "RS256", "typ": "JWT"}`
@@ -43,12 +42,13 @@ The JWT uses:
### 2. Exchange the JWT for an installation access token
```bash
INSTALL_TOKEN=$(curl -s -X POST \
RESPONSE=$(curl -s -X POST \
-H "Authorization: Bearer ${TOKEN}" \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/app/installations/${GITHUB_APP_INSTALLATION_ID}/access_tokens" \
| python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
"https://api.github.com/app/installations/${GITHUB_APP_INSTALLATION_ID}/access_tokens")
INSTALL_TOKEN=$(echo "$RESPONSE" | grep -o '"token":"[^"]*"' | head -1 | cut -d'"' -f4)
```
If the response contains an error (e.g., `401 Unauthorized`), check:
@@ -81,23 +81,6 @@ curl -s -X DELETE \
"https://api.github.com/installation/token"
```
## Fallback: JWT generation without Python
If `python3` is unavailable, generate the JWT using `openssl` and `bash`:
```bash
header=$(printf '{"alg":"RS256","typ":"JWT"}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
now=$(date +%s)
iat=$((now - 60))
exp=$((now + 600))
payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "$iat" "$exp" "$GITHUB_APP_ID" | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
unsigned="${header}.${payload}"
signature=$(printf '%s' "$unsigned" | openssl dgst -sha256 -sign "${GITHUB_APP_PEM_FILE}" -binary | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
TOKEN="${unsigned}.${signature}"
```
Then continue from Step 2.
## Security Notes
- Never log or echo the PEM key, JWT, or installation token to stdout in production.