-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug: Cannot get repo #126
Comments
Interestingly, explicitly generating the JWT and IAT, without using - name: Generate JWT
run: |
set -o pipefail
app_id=${{ secrets.GEDBOT_APP_ID }} # App ID as first argument
pem="${{ secrets.GEDBOT_APP_PEM_FILE }}" # file path of the private key as second argument
now=$(date +%s)
iat=$((${now} - 60)) # Issues 60 seconds in the past
exp=$((${now} + 600)) # Expires 10 minutes in the future
b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
header_json='{
"typ":"JWT",
"alg":"RS256"
}'
# Header encode
header=$( echo -n "${header_json}" | b64enc )
payload_json='{
"iat":'"${iat}"',
"exp":'"${exp}"',
"iss":'"${app_id}"'
}'
# Payload encode
payload=$( echo -n "${payload_json}" | b64enc )
# Signature
header_payload="${header}"."${payload}"
signature=$(
openssl dgst -sha256 -sign <(echo -n "${pem}") \
<(echo -n "${header_payload}") | b64enc
)
# Create JWT
JWT="${header_payload}"."${signature}" >> $GITHUB_ENV
printf '%s\n' "JWT: $JWT"
echo "JWT=$JWT" >> $GITHUB_ENV
- name: set_IAT
run: |
jq --version
echo "JWT=$JWT"
IAT_RESPONSE=$(curl --request POST \
--url "https://api.github.com/app/installations/$GITHUB_APP_INSTALLATION_ID/access_tokens" \
--header "Accept: application/vnd.github+json" \
--header "Authorization: Bearer ${{ env.JWT }}" \
--header "X-GitHub-Api-Version: 2022-11-28")
echo "IAT_RESPONSE=$IAT_RESPONSE"
IAT=$(echo $IAT_RESPONSE | jq '.token')
printf '%s\n' "IAT: $IAT"
echo "IAT=$IAT" >> $GITHUB_ENV
- name: get_response
run: |
echo $IAT
response=$(curl --request GET \
--url "https://api.github.com/repos/geddesfamily/estate-config/branches" \
--header "Accept: application/vnd.github+json" \
--header "Authorization: Bearer ${{ env.IAT }}" \
--header "X-GitHub-Api-Version: 2022-11-28")
echo "response=$response" returns
Ultimately, I am trying to commit to a repo as the GitHub app, so any suggestions would be appreciated. |
I have been able to commit to the other repo by explicitly generating the JWT and IAT. Would be good if this was possible in the create-github-app-token action. |
be default, the token created with The only permission you need to check out a repository is |
Repost from Community Discussion: It seems you have 3 processes going on within the
Unsure why you need to do a |
@jamesgeddes I'm having the same issue at here, I've tried to set the owners and repositories parameters for the action, add all the correct permissions to the app and even with that nothing works, I've used your approach and it worked like a charm, thanks for that. |
scratch that, covered here: #76 (comment) |
Hi All,
I am setting up a github bot for use with github actions, but it cannot access the repos API endpoint.
Here are the permissions that the bot is set to (way too permissive, I know, but I am just testing).
Here is my test action workflow
I can confirm that
geddesfamily/estate-config
does exist.This returns
I feel like this covers all bases to mitigate the risk of the problem being cause by my idiocy, however it is always a possibility!
Is this a bug in the token gen step?
The text was updated successfully, but these errors were encountered: