From b4973cc129aea5a1654fddb2159cfb9c5f787e94 Mon Sep 17 00:00:00 2001 From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 01:56:23 +0000 Subject: [PATCH] Add get-github-token.sh script for GitHub App authentication (#82) This script was previously unversioned at /paperclip/privilegedescalation/agents/. Moving it here enables proper PR-based review of changes. The script generates GitHub App installation access tokens by: 1. Building a JWT using the GitHub App ID and PEM key 2. Fetching the installation ID 3. Exchanging for an installation access token Used by all agents for GitHub API access. Co-authored-by: Hugh Hackman --- scripts/get-github-token.sh | 67 +++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100755 scripts/get-github-token.sh diff --git a/scripts/get-github-token.sh b/scripts/get-github-token.sh new file mode 100755 index 0000000..48fe0bb --- /dev/null +++ b/scripts/get-github-token.sh @@ -0,0 +1,67 @@ +#!/usr/bin/env bash +set -euo pipefail +# +# Generates a GitHub App installation access token. +# Reads credentials from env vars set in each agent's adapter config: +# GITHUB_APP_ID_ — the GitHub App ID +# GITHUB_PEM_PATH_ — path to the private key PEM file +# +# Usage: export GH_TOKEN=$(bash /paperclip/privilegedescalation/agents/get-github-token.sh) + +# Auto-detect credentials from env (each agent has exactly one of each) +# Try suffix-based first (GITHUB_APP_ID_), then fall back to no-suffix (GITHUB_APP_ID) +APP_ID=$(printenv | grep '^GITHUB_APP_ID_' | head -1 | cut -d= -f2 || true) +if [[ -z "${APP_ID:-}" ]]; then + APP_ID="${GITHUB_APP_ID:-}" +fi +PEM_PATH=$(printenv | grep '^GITHUB_PEM_PATH_' | head -1 | cut -d= -f2 || true) +if [[ -z "${PEM_PATH:-}" ]]; then + PEM_PATH="${GITHUB_APP_PEM_FILE:-}" +fi + +if [[ -z "${APP_ID:-}" || -z "${PEM_PATH:-}" ]]; then + echo "Error: GITHUB_APP_ID and GITHUB_APP_PEM_FILE (or GITHUB_APP_ID_ and GITHUB_PEM_PATH_) env vars must be set" >&2 + exit 1 +fi + +if [[ ! -f "$PEM_PATH" ]]; then + echo "Error: PEM file not found at $PEM_PATH" >&2 + exit 1 +fi + +# --- Build JWT (RS256) --- +b64url() { openssl base64 -e -A | tr '+/' '-_' | tr -d '='; } + +NOW=$(date +%s) +HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url) +PAYLOAD=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "$((NOW - 60))" "$((NOW + 600))" "$APP_ID" | b64url) +SIGNATURE=$(printf '%s.%s' "$HEADER" "$PAYLOAD" \ + | openssl dgst -sha256 -sign "$PEM_PATH" | b64url) +JWT="${HEADER}.${PAYLOAD}.${SIGNATURE}" + +# --- Get installation ID (first installation for this app) --- +INSTALLATION_ID=$(curl -sf \ + -H "Authorization: Bearer $JWT" \ + -H "Accept: application/vnd.github+json" \ + https://api.github.com/app/installations \ + | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['id'])") + +if [[ -z "$INSTALLATION_ID" ]]; then + echo "Error: Could not get installation ID for app $APP_ID" >&2 + exit 1 +fi + +# --- Exchange for installation access token --- +TOKEN=$(curl -sf -X POST \ + -H "Authorization: Bearer $JWT" \ + -H "Accept: application/vnd.github+json" \ + "https://api.github.com/app/installations/${INSTALLATION_ID}/access_tokens" \ + | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])") + +if [[ -z "$TOKEN" ]]; then + echo "Error: Could not get installation access token" >&2 + exit 1 +fi + +echo "$TOKEN" +