actions / create-github-app-token
GitHub Action for creating a GitHub App Installation Access Token
Home Page: https://github.com/marketplace/actions/create-github-app-token
License: MIT License
Hi folks, I wanted to reach out to you on this action, seems like this is duplicating the effort of @peter-murray's excellent Action for just the same thing. I'd either expect a move of Peter's repo or a fork, instead of a rewrite. Peter's action has been the go-to for several years now, and already has features like:
Last time I checked Peter still works at GitHub, so communication should flow for this :-D.
The automated release workflow is currently failing:
https://github.com/actions/create-github-app-token/actions/runs/5943089105/job/16117440283
This is a follow up to #4 (comment)
@kmaehashi had posted the following request here
Under the GitHub Enterprise Cloud setup, we are often required to access repositories under multiple organizations. It would be great if you consider covering the checkout use case like these:
# Checkout orgA/repoA and orgB/repoB
- uses: actions/create-github-app-token@v1
  id: app-token
  with:
    app_id: ${{ vars.APP_ID }}
    private_key: ${{ secrets.PRIVATE_KEY }}
    repositories: orgA/repoA, orgB/repoB
- uses: actions/checkout@v4
  with:
    repository: 'orgA/repoA'
    token: ${{ steps.app-token.outputs.token }}
- uses: actions/checkout@v4
  with:
    repository: 'orgB/repoB'
    token: ${{ steps.app-token.outputs.token }}

# Checkout the current repository which has orgA/repoA and orgB/repoB as submodule
- uses: actions/create-github-app-token@v1
  id: app-token
  with:
    app_id: ${{ vars.APP_ID }}
    private_key: ${{ secrets.PRIVATE_KEY }}
    repositories: ${{ github.repository }}, orgA/repoA, orgB/repoB
- uses: actions/checkout@v4
  with:
    submodules: true
    token: ${{ steps.app-token.outputs.token }}
Unfortunately, an installation access token can by design only access a single account (GitHub user or organization account). There cannot be a single token that has access across multiple organizations.
But I've run into this requirement before and I see a possible workaround that would require an additional action and the use of matrix.
1. actions/get-app-installation-ids: it would take app_id and private_key as arguments, and optionally a list of logins to filter down the installations. The action would have installation_ids and installation_logins outputs.
2. strategy.matrix in a second job, so all steps would be run for each of the installation IDs.
3. actions/create-github-app-token could be used to create an installation access token for that particular installation.
I'm however not sure how we could filter down to specific repositories across multiple organizations. I'd need to experiment myself to see what's possible. Maybe the actions/get-app-installation-ids could take an argument like you suggest (say repositories: orgA/repoA, orgA/repoB, orgB/repoC) and then have a nested output like this: [["orgA", "repoA, repoB"],["orgB", "repoC"]] which we could iterate through using the matrix and then split out the items like ["orgA", "repoA, repoB"] into owner: orgA, repositories: repoA, repoB
As a rule of thumb, in all code that works with the network, the network will always one day fail.
For that reason, it will be great to implement a retry logic inside of the action so that the requests made to the GitHub API have a retry logic.
Also, we can expose the retry parameters to the user.
attempt_limit:
  description: Number of attempts
  required: false
  default: 2
attempt_delay:
  description: A delay between attempts in ms
  required: false
  default: 0
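The retry behaviour proposed in this issue, written out as an added example (this is not the action's own code; the attempt_limit / attempt_delay names follow the action.yml fragment above, and the fake endpoint is constructed for the demonstration). The point a reviewer would want visible is the classification step: network-level failures and 5xx/429 responses are worth repeating, while a 4xx such as 401 "Bad credentials" or a rejected JWT claim is deterministic and should surface immediately rather than being retried until the attempt limit is exhausted.

```javascript
// Added example: retry wrapper for GitHub API calls with the proposed
// attempt_limit / attempt_delay inputs. Not the action's own implementation.

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Decide whether a failure is transient. Octokit's RequestError carries a
// numeric `status`; a plain network failure (ECONNRESET, DNS, timeout) has none.
// 4xx responses are deterministic and are never retried.
function isRetryable(err) {
  if (err == null) return false;
  if (typeof err.status !== "number") return true; // network-level failure
  return err.status >= 500 || err.status === 429;
}

// Run `fn` up to `attemptLimit` times, waiting `attemptDelay` ms between tries.
// `onRetry(err, attempt)` is an optional logging hook (core.warning in an action).
async function withRetry(fn, { attemptLimit = 2, attemptDelay = 0, onRetry } = {}) {
  let lastErr;
  for (let attempt = 1; attempt <= attemptLimit; attempt++) {
    try {
      return await fn(attempt);
    } catch (err) {
      lastErr = err;
      if (!isRetryable(err) || attempt === attemptLimit) throw err;
      if (onRetry) onRetry(err, attempt);
      if (attemptDelay > 0) await sleep(attemptDelay);
    }
  }
  throw lastErr; // not reachable; the loop always returns or throws
}

// Constructed stand-in for the token endpoint: fails `failures` times with
// `err`, then resolves with a fake token object and the number of calls made.
function flakyTokenEndpoint(failures, err) {
  let calls = 0;
  return async () => {
    calls++;
    if (calls <= failures) throw err;
    return { token: "ghs_constructedExampleToken", calls };
  };
}

// Stand-alone usage: one transient failure, then success on the second attempt.
withRetry(flakyTokenEndpoint(1, new Error("ECONNRESET")), { attemptLimit: 3, attemptDelay: 10 })
  .then((result) => console.log(`token obtained after ${result.calls} call(s)`));
```

A 401 from the API exits the loop on the first attempt, so a misconfigured private key fails fast instead of waiting out the delay; in the real action the `onRetry` hook is where the request id of the failed attempt would be logged.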
In my workflow, I use aws-actions/configure-aws-credentials for OIDC authentication via GitHub.
This is a sample workflow:
name: Build
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Generate a token
        id: generate_token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_GITHUB_ROLE_ARN }}
          aws-region: us-east-1
It fails because the configure-aws-credentials action needs to get a JWT from GitHub using @actions/core, which in turn requires the environment variables below to be set:
It seems these are only set when adding permissions with id-token: write to my workflow, but since I'm using my custom GitHub App token, I was expecting not to be required to add a permissions block to my workflow, since I want to leverage my GitHub App permissions, and permissions, as far as I know, is used to configure permissions for the GITHUB_TOKEN auto-generated by workflows (not for my custom app token).
Is it possible for create-github-app-token to set ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL so it can be used seamlessly with the actions/toolkit from GitHub (not only by AWS, but any action that relies on it for OIDC authentication)?
Thanks!!!
Hello!
I'm developing a git bot that can be integrated with GitHub.
Up until now we used the auto-generated GITHUB_TOKEN for this product so it can create new PRs in a git repository.
The bot can be triggered manually or periodically as a GitHub Action.
So far it worked fine, but suddenly whenever a new PR is opened by the bot's action it will not trigger other workflows that should be triggered in the repository.
I read in your docs that using GITHUB_TOKEN doesn't allow a workflow to trigger another workflow.
I wanted to ask when this change was introduced? We didn't experience this issue so far.
Is using a GitHub App token or a personal token the only replacement I can use to achieve what I want?
Thank you!
Build: https://github.com/actions/create-github-app-token/actions/runs/6841698226/job/18603233519
✘ An error occurred while running semantic-release: Error: Command failed with exit code 1: git push --tags https://x-access-token:[secure]@github.com/actions/create-github-app-token HEAD:main
remote: error: GH013: Repository rule violations found for refs/heads/main.
remote: Review all repository rules at http://github.com/actions/create-github-app-token/rules?ref=refs%2Fheads%2Fmain
remote:
remote: - Changes must be made through a pull request.
remote:
remote: - 2 of 2 required status checks are expected.
remote:
However, the app that we authenticate with for the semantic-release setup is configured to bypass the rule:
So I'm not sure what's up, I'm pretty sure this worked before 🤷
originally posted by @harshtrivedi134 at octokit/octokit.js#2569
Reference from discussion
I was creating an access token for a github app installed in a different organization and repository. I learned about https://github.com/actions/create-github-app-token#create-a-token-for-all-repositories-in-another-owners-installation.
Similar to the baseUrl option in the Octokit constructor, it would be great if we could specify the GitHub API url as an input to this action:
- uses: actions/create-github-app-token@v1
  id: get-access-token
  with:
    app-id: APP_ID
    private-key: PRIVATE_KEY
    base-url: https://slack-github.com/api/
I tried creating an access token for my github app installed in a different organization by specifying the owner and repository using the following:
- uses: actions/create-github-app-token@v1
  id: get-access-token
  with:
    app-id: APP_ID
    private-key: PRIVATE_KEY
    owner: "owner"
    repositories: |
      owner/repo_name
However, the default GitHub API hostname/url is set to api.github.com and we cannot change it to a custom hosted GitHub installation.
GitHub now recommends using the clientId instead of the appId/privateKey
Augment the options to allow clientId/clientSecret, validating that either this pair or appId/privateKey are provided, and pass these options along in the call to createAppAuth.
Relates to #54
From #54:
Currently, actions/create-github-app-token always/unconditionally revokes the installation access token in a post step, at the completion of the current job. This prevents tokens from being used in other jobs.
My team runs workflows that retrieve tokens for multiple hosts and multiple orgs.
As detailed in https://github.com/github/accessibility/discussions/4438 (only accessible to Hubbers), we use environment secrets to keep secrets (e.g. app id, installation id, and private key) organized.
Since individual steps cannot access an arbitrary environment's secrets (i.e. there is no jobs.<job_id>.steps[*].environment), we use multiple jobs, one job per environment.
After we obtain a token using a given environment's secrets, it's encrypted and then made available to a subsequent job. However, if the token is revoked at the completion of the job that retrieves it, then the next job can't use it.
actions/create-github-app-token should support opting-out of revocation. This could be accomplished by introducing a new input, e.g. revoke: ("true"|"false"), as in #54.
Reading through the code, it wouldn't hurt to explicitly add a mask for the token. The runner will pattern match against the GitHub token formats it recognizes, but sometimes a new pattern rolls out that the runner isn't updated for yet.
See https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret. Add to end of /main/lib/main.js
Would be nice if there was some way of logging the x-github-request-id header.
It would be helpful to have this in cases where the attempt to get a token from app/installations/<installation_id>/access_tokens fails with a "Network Error" where it fails to reach api.github.com for some reason versus any case when GitHub.com is responding with an error.
I have an app installation set up on an organisation, having followed the docs on this repo. It appears the lookup is being done against the /users/... endpoint, which doesn't seem correct for an organisation?
Run actions/create-github-app-token@v1
with:
app-id: ***
private-key: ***
owner: pre-quantum-research
repositories not set, creating token for all repositories for given owner "pre-quantum-research"
RequestError [HttpError]: Not Found
at /home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:2890:25
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async main (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:10071:22) {
status: 404,
response: {
url: 'https://api.github.com/users/pre-quantum-research/installation',
status: 404,
headers: {
'access-control-allow-origin': '*',
'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
'content-encoding': 'gzip',
'content-security-policy': "default-src 'none'",
'content-type': 'application/json; charset=utf-8',
date: 'Mon, 06 Nov 2023 16:52:05 GMT',
'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
server: 'GitHub.com',
'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
'transfer-encoding': 'chunked',
vary: 'Accept-Encoding, Accept, X-Requested-With',
'x-content-type-options': 'nosniff',
'x-frame-options': 'deny',
'x-github-api-version-selected': '2022-11-28',
'x-github-media-type': 'github.v3; format=json',
'x-github-request-id': '4820:56A0:49A3574:96BB6B3:654919B5',
'x-xss-protection': '0'
},
data: {
message: 'Not Found',
documentation_url: 'https://docs.github.com/rest/apps/apps#get-a-user-installation-for-the-authenticated-app'
}
},
request: {
method: 'GET',
url: 'https://api.github.com/users/pre-quantum-research/installation',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'actions/create-github-app-token',
authorization: 'bearer [REDACTED]'
}
}
}
This example does not look complete.
Originally posted by @parkerbxyz in #88 (comment)
create-github-app-token/README.md
Lines 178 to 182 in 86576b3
Hi, it seems that this action does not respect the env proxy settings and you cannot set https_proxy for this workflow.
It prevents running on self-hosted runners.
Warning: Unexpected input(s) 'https_proxy', valid inputs are ['app-id', 'app_id', 'private-key', 'private_key', 'owner', 'repositories', 'skip-token-revoke', 'skip_token_revoke', 'github-api-url']
I am trying to check out a repo in GitHub Enterprise with this workflow, but I am getting the error
Retrieving the default branch name Not Found
When I tried some other third-party workflows, it worked.
eg: https://github.com/peter-murray/workflow-application-token-action
Could you please help us here?
Regards,
Atib
I'm seeing the following warning in the post job cleanup step:
Post job cleanup.
Warning: Token revocation failed: Bad credentials - https://docs.github.com/rest
Probably because the token was already invalidated, because the job took more than 1h to run (see #121).
No issue here other than there shouldn't be any warning in this case.
When the steps after creating the app token take more than one hour, revoking the token in the post step of the job fails with 401 Bad credentials
2023-11-03T08:17:49.8021984Z ##[group]Run actions/create-github-app-token@v1
2023-11-03T08:17:49.8022321Z with:
2023-11-03T08:17:49.8022568Z app-id: ***
2023-11-03T08:17:49.8029074Z private-key: ***
**2023-11-03T08:17:49**.8029317Z owner:
**Other jobs running for around 3 hrs**
Error in post job cleanup
**2023-11-03T11:28:30**.0046013Z Post job cleanup.
2023-11-03T11:28:30.0195545Z Post job cleanup.
2023-11-03T11:28:30.3211228Z RequestError [HttpError]: Bad credentials
2023-11-03T11:28:30.3233502Z ##[error]Bad credentials
2023-11-03T11:28:30.3234665Z at C:\actions-runner\_work\_actions\actions\create-github-app-token\v1\dist\post.cjs:2890:25
2023-11-03T11:28:30.3235686Z at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2023-11-03T11:28:30.3237018Z at async post (C:\actions-runner\_work\_actions\actions\create-github-app-token\v1\dist\post.cjs:2996:3) {
2023-11-03T11:28:30.3237833Z status: 401,
2023-11-03T11:28:30.3238145Z response: {
2023-11-03T11:28:30.3238651Z url: 'https://api.github.com/installation/token',
2023-11-03T11:28:30.3239157Z status: 401,
2023-11-03T11:28:30.3239481Z headers: {
2023-11-03T11:28:30.3239914Z 'access-control-allow-origin': '*',
2023-11-03T11:28:30.3242327Z 'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
2023-11-03T11:28:30.3244679Z 'content-length': '80',
2023-11-03T11:28:30.3245298Z 'content-security-policy': "default-src 'none'",
2023-11-03T11:28:30.3245984Z 'content-type': 'application/json; charset=utf-8',
2023-11-03T11:28:30.3246616Z date: 'Fri, 03 Nov 2023 11:28:30 GMT',
2023-11-03T11:28:30.3247427Z 'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
2023-11-03T11:28:30.3248174Z server: 'GitHub.com',
2023-11-03T11:28:30.3248880Z 'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
2023-11-03T11:28:30.3249999Z vary: 'Accept-Encoding, Accept, X-Requested-With',
2023-11-03T11:28:30.3250499Z 'x-content-type-options': 'nosniff',
2023-11-03T11:28:30.3250879Z 'x-frame-options': 'deny',
2023-11-03T11:28:30.3251281Z 'x-github-media-type': 'github.v3; format=json',
2023-11-03T11:28:30.3251806Z 'x-github-request-id': 'XXXXXXXXXXXXXXXXXXXXXXX
2023-11-03T11:28:30.3252248Z 'x-ratelimit-limit': '60',
2023-11-03T11:28:30.3252595Z 'x-ratelimit-remaining': '60',
2023-11-03T11:28:30.3253035Z 'x-ratelimit-reset': '1699014510',
2023-11-03T11:28:30.3253398Z 'x-ratelimit-resource': 'core',
2023-11-03T11:28:30.3253751Z 'x-ratelimit-used': '0',
2023-11-03T11:28:30.3254131Z 'x-xss-protection': '0'
2023-11-03T11:28:30.3254397Z },
2023-11-03T11:28:30.3254601Z data: {
2023-11-03T11:28:30.3259781Z message: 'Bad credentials',
2023-11-03T11:28:30.3260135Z documentation_url: 'https://docs.github.com/rest'
2023-11-03T11:28:30.3260442Z }
2023-11-03T11:28:30.3260614Z },
2023-11-03T11:28:30.3260784Z request: {
2023-11-03T11:28:30.3261004Z method: 'DELETE',
2023-11-03T11:28:30.3261311Z url: 'https://api.github.com/installation/token',
2023-11-03T11:28:30.3261614Z headers: {
2023-11-03T11:28:30.3261884Z accept: 'application/vnd.github.v3+json',
2023-11-03T11:28:30.3262256Z 'user-agent': 'actions/create-github-app-token',
2023-11-03T11:28:30.3262703Z authorization: 'token [REDACTED]'
2023-11-03T11:28:30.3262956Z }
2023-11-03T11:28:30.3263119Z }
2023-11-03T11:28:30.3263277Z }
Follow up to #39 (comment).
In preparation for #3 and #4 it might make sense to learn from similar actions.
We do have two private repositories in our organization, let's call them: library and project. The library is hosted in the Maven GitHub repository. The project workflow is using a personal access token for authorization (according to documentation).
Now we want to migrate to actions/create-github-app-token, but I was unable to create a working solution.
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get token from Github App
        uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ secrets.GET_TOKEN_APP_ID }}
          private-key: ${{ secrets.GET_TOKEN_APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
      - name: Set up Maven
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'corretto'
          cache: 'maven'
          server-username: MAVEN_USERNAME
          server-password: MAVEN_PASSWORD
      - name: Build and Package
        run: |
          cd project
          mvn clean package
        env:
          MAVEN_USERNAME: ${{ github.actor }}
          MAVEN_PASSWORD: ${{ steps.app-token.outputs.token }}
I've tried multiple configurations but always end up with the following error:
Authentication failed for https://maven.pkg.github.com//repo/..., status: 401 Unauthorized -> [Help 1]
What I'm guessing is that create-github-app-token doesn't support a personal access token. Could you confirm if this is the case?
I have the following step in my workflow
- name: Generate a token
  id: generate-token
  uses: actions/create-github-app-token@v1
  with:
    github-api-url: "https://custom.gitenterprise.com/api/v3"
    app-id: ${{ vars.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}
    owner: ${{ github.repository_owner }}
The action fails but the step result is not failure
Error from the step
repositories not set, creating token for all repositories for given owner ""
Failed to create token for "" (attempt 1): 'Expiration time' claim ('exp') is too far in the future - https://docs.github.com/[email protected]/rest
The issue seems to be random, as relaunching the job with debug enabled now shows the step as failed
##[debug]Evaluating condition for step: 'Generate a token'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Generate a token
##[debug]Register post job cleanup for action: actions/create-github-app-token@v1
##[debug]Loading inputs
##[debug]Evaluating: vars.APP_ID
##[debug]Evaluating Index:
##[debug]..Evaluating vars:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'APP_ID'
##[debug]=> '35'
##[debug]Result: '35'
##[debug]Evaluating: secrets.APP_PRIVATE_KEY
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'APP_PRIVATE_KEY'
##[debug]=> '***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]'
RequestError [HttpError]: 'Expiration time' claim ('exp') is too far in the future - https://docs.github.com/[email protected]/rest
at /scratch/ghe-runners/1/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:30470:21
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async hook (/scratch/ghe-runners/1/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:12119:22)
at async getTokenFromOwner (/scratch/ghe-runners/1/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:29956:20)
at async RetryOperation._fn (/scratch/ghe-runners/1/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:29856:24) {
status: 401,
request: {
method: 'GET',
url: 'https://custom.gitenterprise.com/api/v3/orgs/XAE/installation',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'actions/create-github-app-token',
authorization: 'bearer [REDACTED]'
},
request: { hook: [Function: bound hook] AsyncFunction }
},
response: {
url: 'https://custom.gitenterprise.com/api/v3/orgs/XAE/installation',
status: 401,
headers: {
'access-control-allow-origin': '*',
'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
'content-length': '143',
'content-security-policy': "default-src 'none'",
'content-type': 'application/json; charset=utf-8',
date: 'Thu, 28 Mar 2024 14:36:18 GMT',
'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
server: 'GitHub.com',
'strict-transport-security': 'max-age=31536000; includeSubdomains',
'x-content-type-options': 'nosniff',
'x-frame-options': 'deny',
'x-github-enterprise-version': '3.8.12',
'x-github-media-type': 'github.v3; format=json',
'x-github-request-id': '3f6bbd2b-182c-4923-8446-19f93fff227f',
'x-runtime-rack': '0.018151',
'x-xss-protection': '0'
},
data: {
message: "'Expiration time' claim ('exp') is too far in the future",
documentation_url: 'https://docs.github.com/[email protected]/rest'
}
},
attemptNumber: 4,
retriesLeft: 0
}
Error: 'Expiration time' claim ('exp') is too far in the future - https://docs.github.com/[email protected]/rest
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Generate a token
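The 401 in the log above is GitHub rejecting the claims of the app JWT, not the signature, so the retries the action made could never succeed. The example below (added here; it is not the action's or @octokit/auth-app's code) builds the claim set the way the GitHub documentation requires, keeps the lifetime within the documented 10-minute limit, and then evaluates the same claims against a server clock that differs from the runner's. A runner whose clock is ahead of the server is a common cause of exactly this error appearing intermittently on self-hosted runners; the constants and the `nowSeconds` injection are assumptions made for the demonstration.

```javascript
// Added example: GitHub App JWT claims and the server-side expiry check.
// Not the action's code. Constants reflect GitHub's documented limits
// (exp at most 10 minutes in the future) and a conventional drift allowance.

const MAX_JWT_LIFETIME_SECONDS = 10 * 60; // documented upper bound for exp
const CLOCK_DRIFT_SECONDS = 60;           // backdate iat so a slightly fast runner clock is tolerated

// Build the claim set for an app JWT. `nowSeconds` is injectable so the
// function is deterministic in tests. The total window (exp - iat) must stay
// within GitHub's limit once the backdated iat is included.
function buildAppJwtClaims(appId, nowSeconds = Math.floor(Date.now() / 1000), lifetimeSeconds = 9 * 60) {
  const iat = nowSeconds - CLOCK_DRIFT_SECONDS;
  const exp = nowSeconds + lifetimeSeconds;
  if (exp - iat > MAX_JWT_LIFETIME_SECONDS) {
    throw new RangeError(`JWT window ${exp - iat}s exceeds GitHub's ${MAX_JWT_LIFETIME_SECONDS}s limit`);
  }
  return { iat, exp, iss: String(appId) };
}

// Evaluate the claims the way the server does, using the server's clock.
// Returns the rejection reason, or null when the claims would be accepted.
// A runner clock that is ahead of the server makes exp look "too far in the
// future" even though the claims were valid from the runner's point of view.
function checkClaimsAgainstServerClock(claims, serverNowSeconds) {
  if (claims.exp - serverNowSeconds > MAX_JWT_LIFETIME_SECONDS) {
    return "'Expiration time' claim ('exp') is too far in the future";
  }
  if (claims.exp <= serverNowSeconds) return "JWT has expired";
  if (claims.iat > serverNowSeconds + CLOCK_DRIFT_SECONDS) return "'Issued at' claim ('iat') is in the future";
  return null;
}

// How far ahead of the server can the runner's clock be before the claims
// built above are rejected? Useful when triaging "random" failures.
function maxTolerableRunnerSkewSeconds(lifetimeSeconds = 9 * 60) {
  return MAX_JWT_LIFETIME_SECONDS - lifetimeSeconds;
}

// Stand-alone usage with a constructed app id and a fixed clock.
const demoClaims = buildAppJwtClaims(35, 1_000_000);
console.log(demoClaims, "skew tolerated:", maxTolerableRunnerSkewSeconds(), "s");
```

With a 9-minute lifetime the runner may run at most 60 seconds ahead of GitHub; if the action's own JWT library uses a longer lifetime, the tolerated skew shrinks accordingly, which is why syncing the runner clock (NTP) is the fix rather than adding retries.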
Sorry if this is already covered.
How long is a token created by create-github-app-token expected to last? It appears that it only lasts 1 hour so our longer Conan builds start failing to fetch repositories after 1 hour.
Is this customizable?
I'm not sure if it would be worth making a dedicated request to https://api.github.com/rate_limit in this action to fetch this info, but I am assuming the API calls for token issuance/revocation return the usual rate limit headers? If so it would be nice to log these so that users can see the value of x-ratelimit-remaining for the authenticated app.
follow up to: 2d5eced
Our idea is to add separate permission_* parameters for each permission supported by GitHub Apps:
https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
The permission_* keys can be generated based off https://github.com/octokit/app-permissions. Each time a new version of @octokit/app-permissions is released, the action.yml could be updated, in order to keep permissions always up-to-date. The README.md should be updated as well to make sure the documentation is up-to-date as well. Most permissions can be set to read or write, some can also be set to admin.
Having separate permissions has the benefit of code intelligence and errors shown directly on GitHub when an unknown permission is set due to a typo.
I have tried to use this action with a newly created internal github-app and get this error.
I guess it means my secret is wrong?
Could I have formatted it incorrectly?
Is it likely to be similar to this stackoverflow question? (PEM format, extra whitespace etc)
https://stackoverflow.com/questions/75635389/secretorprivatekey-must-be-an-asymmetric-key-when-using-rs256
Client Secret: key that I generated (42 char hex string)
SHA256:<base64 string XYZ0123/=>
SHA256: prefix
Error: secretOrPrivateKey must be an asymmetric key when using RS256
    at module2.exports [as sign] (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:10369:26)
    at getToken (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:10500:27)
    at githubAppJwt (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:10516:27)
    at getAppAuthentication (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:11822:90)
    at hook (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:12115:41)
    at newApi (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:30550:36)
    at getTokenFromOwner (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:29956:26)
    at /home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:29937:71
    at RetryOperation._fn (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:29856:30)
    at Timeout. (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:12311:14)
I'm running a workflow (target-workflow.yml) in another repository (target-repo) of my organization using https://github.com/aurelien-baudet/workflow-dispatch (v2).
To that end I'm generating an app token with actions/create-github-app-token@v1.
I can generate the token with no issues, and aurelien-baudet/workflow-dispatch@v2 manages to trigger target-workflow.yml all right as well.
However, after some time, fetching the status of target-workflow starts to fail with Warning: Failed to get workflow status: Bad credentials. This causes my parent job to fail.
That seems to start happening after exactly 1h.
Am I correct that the token expires after 1h? Is it documented somewhere?
Also, is there a way to extend the lifetime of this token? Otherwise, do you suggest a workaround?
My workflow:
name: Run target-workflow.yml in other target-repo
permissions:
  id-token: write
  contents: read
jobs:
  run-target-workflow:
    name: Run target-workflow
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ... # My app id
          private-key: ... # My private key
          repositories: "target-repo"
      - name: Run workflow in target-repo
        uses: aurelien-baudet/workflow-dispatch@v2
        with:
          ref: main
          repo: target-repo
          workflow: target-workflow.yml
          wait-for-completion: true
          wait-for-completion-timeout: 2h
          token: ${{ steps.app-token.outputs.token }}
          inputs: ... # The relevant inputs to target-workflow
The output of the aurelien-baudet/workflow-dispatch@v2 step:
Run aurelien-baudet/workflow-dispatch@v2
Workflow triggered 🚀
You can follow the running workflow here: https://github.com/...
Warning: The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
Waiting for workflow completion
Warning: Failed to get workflow status: Bad credentials
Warning: Failed to get workflow status: Bad credentials
Warning: Failed to get workflow status: Bad credentials
...
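Several reports on this page (the post-step "Token revocation failed: Bad credentials" warning, the Conan build and the workflow-dispatch wait both breaking after exactly one hour) come down to the same fact: an installation access token lives for one hour, and the token response says precisely when it expires in its `expires_at` field. The added example below (not the action's own code; function names are assumptions, and the sample response is constructed to match the timestamps in the 2023-11-03 log quoted earlier) records that expiry when the token is created, so a long job can see how much lifetime remains and the cleanup step can decide whether revoking still makes sense. It also honours the existing `skip-token-revoke` input, which is what a token handed to a later job or stored externally needs, since otherwise the post step revokes it at the end of the job that created it.

```javascript
// Added example: track installation-token expiry and plan the post-step
// revocation. Not the action's implementation.

// Parse the body of POST /app/installations/{id}/access_tokens.
function parseTokenResponse(body) {
  const data = typeof body === "string" ? JSON.parse(body) : body;
  if (typeof data.token !== "string" || typeof data.expires_at !== "string") {
    throw new TypeError("token response lacks token/expires_at");
  }
  const expiresAtMs = Date.parse(data.expires_at);
  if (Number.isNaN(expiresAtMs)) throw new TypeError(`unparseable expires_at: ${data.expires_at}`);
  return { token: data.token, expiresAtMs };
}

// Whole seconds of lifetime left (negative once expired).
function secondsRemaining(expiresAtMs, nowMs = Date.now()) {
  return Math.floor((expiresAtMs - nowMs) / 1000);
}

// Decide what the post step should do with the token.
//   keep   - skip-token-revoke was set; the token is reused elsewhere
//   skip   - already expired; DELETE /installation/token would only return 401
//   revoke - still valid; revoke it so its lifetime ends with the job
function revocationPlan(expiresAtMs, nowMs = Date.now(), skipTokenRevoke = false) {
  if (skipTokenRevoke) {
    return { action: "keep", reason: "skip-token-revoke set; token is reused by a later job or stored elsewhere" };
  }
  const left = secondsRemaining(expiresAtMs, nowMs);
  if (left <= 0) return { action: "skip", reason: `token expired ${-left}s ago; revocation would return 401` };
  return { action: "revoke", reason: `token still valid for ${left}s` };
}

// Constructed sample response: token created at 08:17:49Z as in the quoted
// log, so it expires one hour later. The token value is a placeholder.
const SAMPLE_RESPONSE = JSON.stringify({
  token: "ghs_constructedExampleToken",
  expires_at: "2023-11-03T09:17:49Z",
  permissions: { contents: "read" },
  repository_selection: "all",
});

// Stand-alone usage: the cleanup in the log ran at 11:28:30Z.
const sample = parseTokenResponse(SAMPLE_RESPONSE);
console.log(revocationPlan(sample.expiresAtMs, Date.parse("2023-11-03T11:28:30Z")));
```

Exposing `secondsRemaining` as a step output would also let a workflow fail fast, or re-run the token step, before a multi-hour build starts fetching with a token that is about to lapse.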
It currently says 1.0.5
create-github-app-token/package.json
Line 5 in 35d8ea9
but latest version is 1.1.4 at this point.
Hello team,
I'm using the create-github-app-token action to generate a token and I'm able to generate the token successfully. But I want to store the token generated by the create-github-app-token action in AWS Systems Manager (Parameter Store), and from Parameter Store I want to access the GitHub REST API.
When I perform the step that I mentioned above I can see this output
{
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest"
}
It seems the token stored in AWS SSM is not correct.
When I use the GitHub REST API in GitHub Actions and use the generated token from the create-github-app-token action, it works.
Can you help me with why I'm not able to use the stored token with the GitHub REST API in different clients like Postman?
According to the discussion here: https://github.com/orgs/community/discussions/24664, sometimes, we want to know the GitHub App's user name and user id (for the corresponding email address), it would be great if we can have those in the outputs.
This action could handle a little more flexibility in the repositories input. A common mistake is to provide repositories: foo, bar instead of repositories: foo,bar if a token is needed for > 1 repository.
For example:
- name: Generate Github Actions App token
  id: generate-token
  uses: actions/create-github-app-token@v1
  with:
    app-id: ${{ env.GH_APP_APP_ID }}
    private-key: ${{ env.GH_APP_PRIVATE_KEY }}
    repositories: foo, bar
Fails to get a token because the body in the HTTP request to GH will look like this:
body: '{"repositories":["foo"," bar"]}',
I think trimming the repos, something like repos = repos.map(r => r.trim()), would catch this and make for a more intuitive API.
Looks like Undici added native proxy support, so we may be able to remove the custom proxy support we added in #102.
create-github-app-token/lib/request.js
Lines 15 to 16 in 3cef845
Originally posted by @parkerbxyz in #132 (comment)
Hello,
The action returns additional outputs thanks to #105, but it would be great to also return the GitHub App user id, which we can fetch using the GH CLI, for instance with gh api "/users/<app-slug>[bot]" --jq .id.
The rationale is that to get the commit authenticated properly, we have to use the user id and not the installation id (as also mentioned in this discussion). This was discussed in the mentioned PR, but somehow only the installation id was added to the outputs.
This is currently how I implemented it:
- name: Generate GitHub App Token
  id: generate-token
  uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
  with:
    app-id: ${{ secrets.SEMANTIC_RELEASE_APP_ID }}
    private-key: ${{ secrets.SEMANTIC_RELEASE_PRIVATE_KEY }}
- name: GitHub Release
  env:
    GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
    GIT_AUTHOR_NAME: ${{ steps.generate-token.outputs.app-slug }}[bot]
    GIT_AUTHOR_EMAIL: ${{ steps.generate-token.outputs.installation-id }}+${{ steps.generate-token.outputs.app-slug }}[bot]@users.noreply.github.com
    GIT_COMMITTER_NAME: ${{ steps.generate-token.outputs.app-slug }}[bot]
    GIT_COMMITTER_EMAIL: ${{ steps.generate-token.outputs.installation-id }}+${{ steps.generate-token.outputs.app-slug }}[bot]@users.noreply.github.com
  run: npx semantic-release
Which leads to commits not properly associated with the GitHub App. So we would need to use the user-id instead of the installation-id in the email.
I have been trying to enable a Github Workflow that should be able to create a new repo at orgA, using a template repo from orgB, I don't believe there is a chance to support this since the GitHub Apps tokens are scoped to an individual account or a specific org afaik, but it could be pretty useful to have a way to support this using GitHub Apps.
These are the steps, I'm trying to use:
```yaml
- name: Generate a token
  id: generate-token
  uses: actions/create-github-app-token@v1
  with:
    app-id: ${{ secrets.ZCLOUD_BOT_APP_ID }}
    private-key: ${{ secrets.ZCLOUD_BOT_APP_PRIVATE_KEY }}
    owner: ${{ github.event.inputs.repo-org }}
- name: Create the new repo
  id: create-repo
  env:
    # references the step id defined above
    GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
  run: |
    gh repo create ${{ github.event.inputs.repo-org }}/${{ github.event.inputs.repo-name }} \
      --internal \
      --template ${{ github.repository }}
```
This is similar to Issue 45, but I can't use the matrix approach since permission to both orgs is required within the same command execution.
From @gr2m in #54 (comment):

I think we should use dashes for our arguments, it seems to be the convention for actions/* actions, e.g. see https://github.com/actions/checkout/

Notably, changing the input names affects the translated environment variable names: my_var is translated to INPUTS_MY_VAR, and my-var is translated to INPUTS_MY-VAR. So, we may want a plan for backwards-compatibility, or we may want to ship this in a major version bump.
The use cases we want to cover are

Our API idea is

```yaml
- uses: actions/create-github-app-token@v1
  id: app-token
  with:
    app_id: ${{ vars.APP_ID }}
    private_key: ${{ secrets.PRIVATE_KEY }}
    owner: some-owner
    repositories: some-repo1,some-repo2
```

Both owner and repositories would be optional, and one can be set to the other. owner defaults to the current repository owner, and repositories defaults to the current repository name.
There is no guidance on the minimum required permissions when creating the new GitHub App in step 1 of using this Action. Could that be clarified somewhere?
Thank you for making a great Action! We've been relying on third-party actions or raw github-script for a long time, so it's great to see the official solution finally!
One request I'd like to make is to support retrieving an organization-scoped installation token. One of the example use-cases is to automate GitHub Projects (V2), as illustrated in GitHub's official documentation (which currently uses tibdex/github-app-token):

GitHub Projects (V2) is a resource tied to organizations, so repository-scope access should be essentially unnecessary for the App.
My company is going to be installing this action once per organization in order to get submodules to work. I would really like to be able to point them to https://github.com/actions/create-github-app-token for the documentation, but step 1 is not very clear and I am worried that people will get confused about what permissions to request.
I am wondering, can you expand upon step 1 which says:
Option 1 would be to list which settings we are supposed to check and uncheck, as well as which permissions we should be requesting.
Option 2 would be to follow the example of GitHub ARC in https://github.com/actions/actions-runner-controller/blob/master/docs/authenticating-to-the-github-api.md which actually provides two useful links that prepopulate various settings:
Using GitHub ARC, it was really cool to be able to click one link and have it prepopulate the settings that it thinks I'll need.
Follow up to #71.
We introduced a simple request retry logic via #79. There are a few ways we could improve the implementation:

- retry-after and x-ratelimit-reset headers, compare https://github.com/octokit/plugin-throttling.js

This action has multiple tagged versions, but dist/ has never been updated, so all of the versions are identical.
The action template repos have a workflow to detect this situation: https://github.com/actions/javascript-action/blob/main/.github/workflows/check-dist.yml
I'm looking to migrate to this action from peter-murray/workflow-application-token-action (currently waiting on #111 for feature parity) and I found the documentation for the owner input confusing:

create-github-app-token/action.yml, lines 22 to 24 in f2acddf

To me, the documentation implies that this should be the owner of the GitHub app itself, whereas if you trace through the code it's actually the owner for which the GitHub app is installed (i.e. the place you want to give the app access to).

create-github-app-token/lib/main.js, lines 112 to 129 in f2acddf
We considered using pull_request_target in order to give access to repository secrets, but decided against it. See #17 (comment) for more context.
We want to continue running the end-to-end tests as we have them anyway, but we want to add integration tests with mocked requests which won't require credentials and can also be run locally with npm test.
We use Node's built-in fetch. Here are some relevant guides for testing/mocking
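As an added example covering both the header-aware retry idea above and the request-mocking goal (this is not the action's own code, nor the octokit throttling plugin), here is a retry wrapper around Node's built-in fetch that honors retry-after and x-ratelimit-reset, driven by a stubbed fetch so it runs offline with no credentials. The URL, the 429 response and the token value are constructed.

```javascript
// Added example (not the action's own code): a retry wrapper around Node's
// built-in fetch that honors `retry-after` and `x-ratelimit-reset`, exercised
// against a stubbed fetch so it runs offline without any credentials.

// Milliseconds to wait before retrying a failed response. `now` is injectable
// so the calculation is deterministic in tests.
function retryDelayMs(response, attempt, now = Date.now()) {
  const retryAfter = response.headers.get("retry-after");
  if (retryAfter !== null) return Number(retryAfter) * 1000; // header is in seconds
  const remaining = response.headers.get("x-ratelimit-remaining");
  const reset = response.headers.get("x-ratelimit-reset");
  if (remaining === "0" && reset !== null) {
    // reset is a Unix timestamp in seconds; clamp so a stale header never goes negative
    return Math.max(0, Number(reset) * 1000 - now);
  }
  return 1000 * 2 ** attempt; // fall back to plain exponential backoff
}

// Retry on 429, 5xx, or a 403 carrying an exhausted rate limit. `fetchImpl`
// and `sleep` are injectable so tests can stub the network and skip waiting.
async function fetchWithRetry(url, options = {}, { maxRetries = 3, fetchImpl = globalThis.fetch,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)) } = {}) {
  const waits = []; // delays actually applied, returned for inspection
  for (let attempt = 0; ; attempt++) {
    const response = await fetchImpl(url, options);
    const rateLimited = response.status === 403 && response.headers.get("x-ratelimit-remaining") === "0";
    const retryable = response.status === 429 || response.status >= 500 || rateLimited;
    if (!retryable || attempt >= maxRetries) return { response, waits };
    const delay = retryDelayMs(response, attempt);
    waits.push(delay);
    await sleep(delay);
  }
}

// Constructed stand-in for api.github.com: the first call is rate limited,
// the second succeeds. Only status and headers matter to the retry logic.
function makeStubFetch() {
  let calls = 0;
  return async () => {
    calls += 1;
    if (calls === 1) return new Response("", { status: 429, headers: { "retry-after": "2" } });
    return new Response(JSON.stringify({ token: "ghs_constructed" }), { status: 201 });
  };
}
```

Swapping makeStubFetch for a stub that records its calls is enough to assert on headers and URLs in a local npm test without touching the real API.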
It would be great to have an explicit possibility to revoke GH_TOKEN in a separate step/job.
Example workflow:

```yaml
---
on:
  push:
    branches:
      - main
jobs:
  get_token:
    name: GitHub Token
    runs-on: ubuntu-latest
    outputs:
      github_token: ${{ steps.get_workflow_token.outputs.token }}
      # NEW as an example:
      github_token_id: ${{ steps.get_workflow_token.outputs.token_id }}
    steps:
      - name: Get Token
        id: get_workflow_token
        uses: actions/[email protected]
        with:
          application_id: ${{ vars.TEST_APP_ID }}
          application_private_key: ${{ secrets.TEST_APP_PRIV_KEY }}
          revoke_token: false
  terraform:
    name: Terraform
    needs: get_token
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ needs.get_token.outputs.github_token }}
    steps:
      - name: Checkout the repository to the runner
        uses: actions/checkout@v4
      # (...)
      - name: Terraform plan
        id: plan
        run: terraform plan -no-color -input=false
  # NEW as an example:
  revoke_token:
    name: Revoke GitHub Token
    needs:
      - get_token
      - terraform
    runs-on: ubuntu-latest
    steps:
      - name: Revoke Token
        id: revoke_workflow_token
        uses: actions/[email protected]
        with:
          github_token_to_revoke: ${{ needs.get_token.outputs.github_token_id }}
          revoke_token: true
```
Output tokens cannot be used across jobs. This causes jobs that depend on said token to fail.

- Unless the skip-token-revoke input is set to a truthy value, the token is revoked in the post step of the action, which means it cannot be passed to another job.

Using skip-token-revoke does not allow a token to be used across jobs, which is what this wording seems to imply.
Hi All,
I am setting up a GitHub bot for use with GitHub Actions, but it cannot access the repos API endpoint.
Here are the permissions that the bot is set to (way too permissive, I know, but I am just testing).
Here is my test action workflow:

```yaml
name: "test_gh_api"
on:
  workflow_dispatch:
  push:
permissions:
  id-token: write
  contents: write
  pull-requests: write
  packages: write
  actions: write
  checks: write
jobs:
  call_api:
    name: "Call GH API"
    runs-on: ubuntu-latest
    steps:
      - name: Generate GedBot token
        id: generate_token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.GEDBOT_APP_ID }}
          private-key: ${{ secrets.GEDBOT_PRIVATE_KEY }}
      - name: Checkout the code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ steps.generate_token.outputs.token }}
      - name: Test GH API
        env:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
          echo "Running curl"
          # the header below sends the literal text GITHUB_TOKEN as the bearer value (no $ expansion)
          curl --request GET \
            --header "Accept: application/vnd.github+json" \
            --header "Authorization: Bearer GITHUB_TOKEN" \
            --header "X-GitHub-Api-Version: 2022-11-28" \
            --url "https://api.github.com/repos/geddesfamily/estate-config"
          echo "Running GH CLI"
          gh api repos/geddesfamily/estate-config
          gh api repos/geddesfamily/estate-config/branches
```
I can confirm that geddesfamily/estate-config does exist.
This returns

```text
Run echo "Running curl"
Running curl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
{
100    90  100    90    0     0   1437      0 --:--:-- --:--:-- --:--:--  1451
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest"
}
Running GH CLI
gh: Not Found (HTTP 404)
{"message":"Not Found","documentation_url":"https://docs.github.com/rest/repos/repos#get-a-repository"}
Error: Process completed with exit code 1.
```

I feel like this covers all bases to mitigate the risk of the problem being caused by my idiocy, however it is always a possibility!
Is this a bug in the token gen step?
follow up to #40 (comment)
wrong repo 😓
Hi, I get this error when running the action:
```text
Run actions/create-github-app-token@v1
  with:
    app-id: ***
    private-key: ***
    github-api-url: https://api.github.com/
owner and repositories not set, creating token for the current repository ("fusion-imu")
Failed to create token for "fusion-imu" (attempt 1): A JSON web token could not be decoded - https://docs.github.com/rest
Failed to create token for "fusion-imu" (attempt 2): A JSON web token could not be decoded - https://docs.github.com/rest
Failed to create token for "fusion-imu" (attempt 3): A JSON web token could not be decoded - https://docs.github.com/rest
Failed to create token for "fusion-imu" (attempt 4): A JSON web token could not be decoded - https://docs.github.com/rest
RequestError [HttpError]: A JSON web token could not be decoded - https://docs.github.com/rest
    at /home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:37050:21
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async hook4 (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39454:18)
    at async getTokenFromRepository (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39768:20)
    at async RetryOperation._fn (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39645:24) {
  status: 401,
  request: {
    method: 'GET',
    url: 'https://api.github.com/repos/avsaase/fusion-imu/installation',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'actions/create-github-app-token',
      authorization: 'bearer [REDACTED]'
    },
    request: { hook: [Function: bound hook4] AsyncFunction }
Error: A JSON web token could not be decoded - https://docs.github.com/rest
  },
  response: {
    url: 'https://api.github.com/repos/avsaase/fusion-imu/installation',
    status: 401,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-length': '117',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Wed, 03 Jul 2024 22:33:58 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'github.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': 'E906:311D5D:2A7971:4ADA68:6685D1D2',
      'x-xss-protection': '0'
    },
    data: {
      message: 'A JSON web token could not be decoded',
      documentation_url: 'https://docs.github.com/rest',
      status: '401'
    }
  },
  attemptNumber: 4,
  retriesLeft: 0
}
```
In my workflow file I have

```yaml
- name: Generate GitHub token
  uses: actions/create-github-app-token@v1
  id: generate-token
  with:
    app-id: ${{ secrets.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}
```

The corresponding app id and private key are set as secrets in my repository. The private key is copy-pasted directly from the .pem file that downloads when creating a private key.
Did I do something wrong or is this a bug? Thanks.
Hi,
I'm trying to restore NuGet packages from a private repo in the same company.
I created the GitHub App with these permissions to allow reading on Packages.
In my API solution, I configured the YAML workflow using your action to generate a token:
```yaml
- uses: actions/create-github-app-token@v1
  id: app-token
  with:
    app-id: ${{ vars.APP_ID }}
    private-key: ${{ secrets.PRIVATE_KEY }}
    # optional: owner not needed IF the app has access to the repo running the workflow
    # if you get 'RequestError [HttpError]: Not Found 404', pass in owner
    #repositories: ${{ github.event.repository.name }}
```
Then I update the current NuGet source:

```yaml
# Set SK nuget source Credentials
# NUGET_AUTH_TOKEN: ${{ secrets.AZURE_DEVOPS_PAT }}
- name: Restore .NET project Dependencies
  run: dotnet nuget update source SKDotNetPackages --source "https://nuget.pkg.github.com/SK/index.json" --username "SK-API" --password ${{ steps.app-token.outputs.token }} --store-password-in-clear-text
```

Note that SK-API is the name of the current API repo.
And restore the packages in my API solution:

```yaml
# Restore .NET project Dependencies
- name: Restore .NET project Dependencies
  run: find . -name '*.csproj' -exec dotnet restore {} \;
```

Which generates the error:

```text
warning Undefined: Your request could not be authenticated by the GitHub Packages service. Please ensure your access token is valid and has the appropriate scopes configured.
```
Do you know what I missed in the configuration?