Signed-off-by: Yoriyasu Yano <[email protected]>
1 parent
a056ba2
commit 7cf4299
Showing
3 changed files
with
205 additions
and
1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,16 @@ | ||
module github.com/fensak-io/github-app-token | ||
|
||
go 1.21.3 | ||
go 1.20 | ||
|
||
require ( | ||
github.com/go-resty/resty/v2 v2.10.0 | ||
github.com/golang-jwt/jwt/v5 v5.1.0 | ||
github.com/urfave/cli/v2 v2.25.7 | ||
) | ||
|
||
require ( | ||
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect | ||
github.com/russross/blackfriday/v2 v2.1.0 // indirect | ||
github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect | ||
golang.org/x/net v0.17.0 // indirect | ||
) |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w= | ||
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= | ||
github.com/go-resty/resty/v2 v2.10.0 h1:Qla4W/+TMmv0fOeeRqzEpXPLfTUnR5HZ1+lGs+CkiCo= | ||
github.com/go-resty/resty/v2 v2.10.0/go.mod h1:iiP/OpA0CkcL3IGt1O0+/SIItFUbkkyw5BGXiVdTu+A= | ||
github.com/golang-jwt/jwt/v5 v5.1.0 h1:UGKbA/IPjtS6zLcdB7i5TyACMgSbOTiR8qzXgw8HWQU= | ||
github.com/golang-jwt/jwt/v5 v5.1.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= | ||
github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= | ||
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= | ||
github.com/urfave/cli/v2 v2.25.7 h1:VAzn5oq403l5pHjc4OhD54+XGO9cdKVL/7lDjF+iKUs= | ||
github.com/urfave/cli/v2 v2.25.7/go.mod h1:8qnjx1vcq5s2/wpsqoZFndg2CE5tNFyrTvS6SinrnYQ= | ||
github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU= | ||
github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8= | ||
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= | ||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= | ||
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= | ||
golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= | ||
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= | ||
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= | ||
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= | ||
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= | ||
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= | ||
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= | ||
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= | ||
golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= | ||
golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= | ||
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= | ||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= | ||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= | ||
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= | ||
golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= | ||
golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= | ||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= | ||
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= | ||
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= | ||
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= | ||
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= | ||
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= | ||
golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= | ||
golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= | ||
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= | ||
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= | ||
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= | ||
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= | ||
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,141 @@ | ||
package main | ||
|
||
import ( | ||
"encoding/json" | ||
"errors" | ||
"fmt" | ||
"os" | ||
"strconv" | ||
"time" | ||
|
||
"github.com/go-resty/resty/v2" | ||
"github.com/golang-jwt/jwt/v5" | ||
"github.com/urfave/cli/v2" | ||
) | ||
|
||
var httpClt = resty.New() | ||
|
||
func main() { | ||
app := &cli.App{ | ||
Name: "github-app-token", | ||
Usage: "Generate a JWT token that can be used to authenticate as a GitHub App.", | ||
Flags: []cli.Flag{ | ||
&cli.DurationFlag{ | ||
Name: "expiry", | ||
Aliases: []string{"e"}, | ||
Value: 5 * time.Minute, | ||
Usage: "amount of time before the JWT token expires, as a duration (e.g., 15m)", | ||
}, | ||
&cli.StringFlag{ | ||
Name: "repo", | ||
Aliases: []string{"r"}, | ||
Usage: "the full repository name that the token is scoped for (e.g., fensak-io/github-app-token). Required.", | ||
}, | ||
}, | ||
Action: func(ctx *cli.Context) error { | ||
expiry := ctx.Duration("expiry") | ||
repo := ctx.String("repo") | ||
if repo == "" { | ||
return errors.New("--repo is required") | ||
} | ||
appID := os.Getenv("GITHUB_APP_ID") | ||
if appID == "" { | ||
return errors.New("env var GITHUB_APP_ID is required to be set") | ||
} | ||
pemKey := os.Getenv("GITHUB_APP_PRIVATE_KEY") | ||
if pemKey == "" { | ||
return errors.New("env var GITHUB_APP_PRIVATE_KEY is required to be set") | ||
} | ||
|
||
jwt, err := generateAppJWT(appID, []byte(pemKey), expiry) | ||
if err != nil { | ||
return err | ||
} | ||
instID, err := getInstallationID(jwt, repo) | ||
if err != nil { | ||
return err | ||
} | ||
token, err := getAccessToken(jwt, instID) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
fmt.Println(token) | ||
|
||
return nil | ||
}, | ||
} | ||
|
||
if err := app.Run(os.Args); err != nil { | ||
fmt.Fprintf(os.Stderr, "ERROR %s\n", err) | ||
os.Exit(1) | ||
} | ||
} | ||
|
||
// Generate a signed JWT token that can be used to authenticate as a GitHub App. | ||
// See https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app | ||
func generateAppJWT(appID string, pemKey []byte, expiry time.Duration) (string, error) { | ||
iss := time.Now().Add(-30 * time.Second).Truncate(time.Second) | ||
exp := iss.Add(expiry).Truncate(time.Second) | ||
token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{ | ||
"iat": jwt.NewNumericDate(iss), | ||
"exp": jwt.NewNumericDate(exp), | ||
"iss": appID, | ||
}) | ||
|
||
privateKey, err := jwt.ParseRSAPrivateKeyFromPEM(pemKey) | ||
if err != nil { | ||
return "", err | ||
} | ||
|
||
return token.SignedString(privateKey) | ||
} | ||
|
||
func getInstallationID(jwt, repo string) (string, error) { | ||
resp, err := httpClt.R(). | ||
SetHeader("Accept", "application/json"). | ||
SetAuthToken(jwt). | ||
Get(fmt.Sprintf("https://api.github.com/repos/%s/installation", repo)) | ||
if err != nil { | ||
return "", err | ||
} | ||
|
||
var respData map[string]any | ||
if err := json.Unmarshal([]byte(resp.String()), &respData); err != nil { | ||
return "", err | ||
} | ||
installationIDRaw, ok := respData["id"] | ||
if !ok { | ||
return "", errors.New("installation ID is missing") | ||
} | ||
installationID, ok := installationIDRaw.(float64) | ||
if !ok { | ||
return "", fmt.Errorf("installation ID %s is not a number", installationIDRaw) | ||
} | ||
return strconv.FormatInt(int64(installationID), 10), nil | ||
} | ||
|
||
func getAccessToken(jwt, instID string) (string, error) { | ||
resp, err := httpClt.R(). | ||
SetHeader("Accept", "application/json"). | ||
SetAuthToken(jwt). | ||
Post(fmt.Sprintf("https://api.github.com/app/installations/%s/access_tokens", instID)) | ||
if err != nil { | ||
return "", err | ||
} | ||
|
||
var respData map[string]any | ||
if err := json.Unmarshal([]byte(resp.String()), &respData); err != nil { | ||
return "", err | ||
} | ||
tokenRaw, ok := respData["token"] | ||
if !ok { | ||
return "", errors.New("access token is missing") | ||
} | ||
token, ok := tokenRaw.(string) | ||
if !ok { | ||
return "", fmt.Errorf("token %v is not a string", tokenRaw) | ||
} | ||
|
||
return token, nil | ||
} |
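Review bot: getAccessToken posts to `/app/installations/%s/access_tokens` with no request body, so the token it prints is not limited to the `--repo` value even though the flag's usage text says the token is "scoped for" that repository; as far as GitHub's API documents it, an installation token requested without a `repositories` list is valid for every repository the installation can access. Pass the repository name (the part of `--repo` after the slash) into getAccessToken and add `SetBody(map[string]any{"repositories": []string{repoName}})` to the request. Both getInstallationID and getAccessToken also parse the body without looking at the HTTP status, so a 401 or 404 from GitHub surfaces as "installation ID is missing" or "access token is missing"; a check such as `if resp.IsError() { return "", fmt.Errorf("github api: %s", resp.Status()) }` before json.Unmarshal would report the real failure. `repo` is formatted into the request URL unvalidated, so rejecting any value that is not of the form `owner/name` before the first request is worth adding as well.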