diff --git a/.github/actions/gh-app-token/action.yml b/.github/actions/gh-app-token/action.yml
new file mode 100644
index 0000000000000..69ecc49a98a67
--- /dev/null
+++ b/.github/actions/gh-app-token/action.yml
@@ -0,0 +1,50 @@
+name: "Get GitHub App access token"
+description: "Gets an access token for a GitHub App"
+inputs:
+ app_id:
+ description: "App ID (not the client ID)."
+ private_key:
+ description: "App private key."
+ repo:
+ description: "Repository, if not the current one."
+ default: ${{ github.repository }}
+outputs:
+ token:
+ description: "Access token."
+ value: ${{ steps.run.outputs.token }}
+runs:
+ using: composite
+ steps:
+ - id: run
+ shell: bash
+ env:
+ ID: ${{ inputs.app_id }}
+ KEY: ${{ inputs.private_key }}
+ REPO: ${{ inputs.repo }}
+ run: |
+ HEADER=$( jq -cjn '{ alg: "RS256" }' | base64 -w 0 | tr -d $'=\n' | tr /+ _- )
+ PAYLOAD=$( jq -cjn --arg id "$ID" '{ iat: ( now | floor ), exp: ( now + 600 | floor ), "iss": ( $id | tonumber ) }' | base64 | tr -d $'=\n' | tr /+ _- )
+ SIGNATURE=$( printf "%s.%s" "$HEADER" "$PAYLOAD" | openssl dgst -sha256 -sign /dev/fd/3 -binary 3<<<"$KEY" | base64 | tr -d $'=\n' | tr /+ _- )
+ JWT_TOKEN=$HEADER.$PAYLOAD.$SIGNATURE
+
+ echo "::add-mask::$JWT_TOKEN"
+
+ JSON=$( curl -v -L --header "Authorization: Bearer $JWT_TOKEN" --url "https://api.github.com/repos/$REPO/installation" ) || { echo "::error::Failed to query installation from GitHub"; echo "$JSON"; exit 1; }
+ INSTALLATION_ID=$( jq -r '.id // ""' <<<"$JSON" )
+ if [[ -z "$INSTALLATION_ID" ]]; then
+ echo "::error::Failed to query installation from GitHub: $(jq -r '.message // "Unknown error"' <<<"$JSON")"
+ echo "$JSON"
+ exit 1
+ fi
+ echo "Installation ID: $INSTALLATION_ID"
+
+ JSON=$( curl -v -L --header "Authorization: Bearer $JWT_TOKEN" --url "https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" --data '{}' ) || { echo "::error::Failed to create installation access token"; echo "$JSON"; exit 1; }
+ INSTALLATION_TOKEN=$( jq -r '.token // ""' <<<"$JSON" )
+ if [[ -z "$INSTALLATION_TOKEN" ]]; then
+ echo "::error::Failed to create installation access token: $(jq -r '.message // "Unknown error"' <<<"$JSON")"
+ echo "$JSON"
+ exit 1
+ fi + + echo "::add-mask::$INSTALLATION_TOKEN" + echo "token=$INSTALLATION_TOKEN" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/post-build.yml b/.github/workflows/post-build.yml index f1c9dba18e2e2..155ec5bdfb8ce 100644 --- a/.github/workflows/post-build.yml +++ b/.github/workflows/post-build.yml @@ -39,7 +39,7 @@ jobs: - name: Get token id: get_token - uses: getsentry/action-github-app-token@v2.0.0 + uses: ./.github/actions/gh-app-token with: app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} @@ -67,7 +67,7 @@ jobs: - name: Get token id: get_token - uses: getsentry/action-github-app-token@v2.0.0 + uses: ./.github/actions/gh-app-token with: app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} @@ -131,7 +131,7 @@ jobs: - name: Get token id: get_token if: ${{ ! success() }} - uses: getsentry/action-github-app-token@v2.0.0 + uses: ./.github/actions/gh-app-token with: app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} @@ -159,7 +159,7 @@ jobs: - name: Get token id: get_token - uses: getsentry/action-github-app-token@v2.0.0 + uses: ./.github/actions/gh-app-token with: app_id: ${{ secrets.JP_LAUNCH_CONTROL_ID }} private_key: ${{ secrets.JP_LAUNCH_CONTROL_KEY }} @@ -212,7 +212,7 @@ jobs: - name: Get token id: get_token - uses: getsentry/action-github-app-token@v2.0.0 + uses: ./monorepo/.github/actions/gh-app-token env: # Work around a weird node 16/openssl 3 issue in the docker env OPENSSL_CONF: '/dev/null'
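Review bot: The access_tokens request (the second `curl`) sends `--data '{}'`, so the installation token it returns carries every permission and repository the installation was granted, even though each caller in post-build.yml presumably needs only a subset; the endpoint accepts `permissions` and `repositories` in the body, so an optional `permissions` input forwarded only when non-empty would let workflows request a least-privilege token without changing the default. Separately, the JWT claims use `iat: now` and `exp: now + 600`, which is exactly GitHub's 10-minute ceiling, so any forward clock skew on the runner gets the JWT rejected as "too far in the future"; `'{ iat: ( now - 60 | floor ), exp: ( now + 540 | floor ), "iss": ( $id | tonumber ) }'` keeps the lifetime while tolerating drift. Both `curl` calls also run with `-v`, which writes request headers (the masked bearer token among them) and TLS chatter to the job log; `-sS` is sufficient since the response body is already validated with jq. The `repo` input default and the `env:` indirection of the inputs are good — keep that pattern rather than interpolating `${{ inputs.* }}` into `run:`.
```yaml
inputs:
  # … unchanged: app_id, private_key, repo …
  permissions:
    description: "Optional JSON object of permissions to scope the token to, e.g. {\"contents\": \"read\"}. Empty means the installation's full permission set."
    default: "{}"
# … unchanged: outputs, runs/steps header …
        PERMISSIONS: ${{ inputs.permissions }}
# … unchanged: JWT construction, installation lookup …
        BODY=$( jq -cn --argjson p "$PERMISSIONS" 'if ($p | length) > 0 then { permissions: $p } else {} end' )
        JSON=$( curl -sS -L --header "Authorization: Bearer $JWT_TOKEN" --url "https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" --data "$BODY" ) || { echo "::error::Failed to create installation access token"; echo "$JSON"; exit 1; }
# … unchanged: token extraction, masking, output …
```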