-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathgenerate-app-token.py
executable file
·65 lines (53 loc) · 1.79 KB
/
generate-app-token.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
#!/usr/bin/env python3
import os
import time
import jwt
import requests
#####
# This script generates an app token for a repository
#
# https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation
#####
def get_env(name):
value = os.environ.get(name)
if not value:
raise RuntimeError(f"{name} is not set or empty")
return value
repository = get_env("REPOSITORY")
app_id = get_env("APP_ID")
app_private_key = get_env("APP_PRIVATE_KEY")
# First, we need to make a JWT for the app
iat = int(time.time())
payload = { "iat": iat, "exp": iat + 600, "iss": app_id }
encoded_jwt = jwt.encode(payload, app_private_key, algorithm = "RS256")
# Use the JWT to get the access token URL for the repo installation
response = requests.get(
f"https://api.github.com/repos/{repository}/installation",
headers = {
"Accept": "application/vnd.github+json",
"Authorization": f"Bearer {encoded_jwt}",
}
)
response.raise_for_status()
access_token_url = response.json()["access_tokens_url"]
# Use the installation ID to get an access token for the repo
response = requests.post(
access_token_url,
headers = {
"Accept": "application/vnd.github+json",
"Authorization": f"Bearer {encoded_jwt}",
},
json = {
"repositories": [
# Because the installation is associated with an org or user,
# we only need to specify the name part of the repo here
repository.split("/", maxsplit = 1)[-1],
],
}
)
response.raise_for_status()
token = response.json()["token"]
# Output the token so it can be consumed by later steps
output_path = os.environ.get("GITHUB_OUTPUT", "/dev/stdout")
with open(output_path, "a") as fh:
print(f"token={token}", file = fh)