proactive-engineer/scripts/refresh-github-token.sh at a36d3d2cf095c3bb93aef79485c73199b37dd862 · refreshdotdev/proactive-engineer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
#!/usr/bin/env bash
set -euo pipefail

# Generates a fresh GitHub installation token from GitHub App credentials.
# Requires: bash, openssl, curl
#
# Environment variables:
#   GITHUB_APP_ID              - GitHub App ID
#   GITHUB_APP_INSTALLATION_ID - Installation ID
#   GITHUB_APP_PEM_PATH        - Path to the .pem private key file
#
# Outputs the token (ghs_...) to stdout.
# Also configures global git author/committer identity for the bot.

: "${GITHUB_APP_ID:?Set GITHUB_APP_ID}"
: "${GITHUB_APP_INSTALLATION_ID:?Set GITHUB_APP_INSTALLATION_ID}"
: "${GITHUB_APP_PEM_PATH:?Set GITHUB_APP_PEM_PATH}"

[ -f "$GITHUB_APP_PEM_PATH" ] || { echo "Private key not found: $GITHUB_APP_PEM_PATH" >&2; exit 1; }

base64url() {
  openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'
}

now=$(date +%s)
iat=$((now - 60))
exp=$((now + 600))

header=$(echo -n '{"typ":"JWT","alg":"RS256"}' | base64url)
payload=$(echo -n "{\"iat\":${iat},\"exp\":${exp},\"iss\":\"${GITHUB_APP_ID}\"}" | base64url)

signature=$(
  openssl dgst -sha256 -sign "$GITHUB_APP_PEM_PATH" \
    <(echo -n "${header}.${payload}") | base64url
)

jwt="${header}.${payload}.${signature}"

response=$(curl -sf --request POST \
  --header "Authorization: Bearer $jwt" \
  --header "Accept: application/vnd.github+json" \
  --header "X-GitHub-Api-Version: 2022-11-28" \
  --url "https://api.github.com/app/installations/${GITHUB_APP_INSTALLATION_ID}/access_tokens")

token=$(echo "$response" | grep -o '"token"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"token"[[:space:]]*:[[:space:]]*"//' | sed 's/"//')

if [ -z "$token" ]; then
  echo "Failed to get installation token. Response:" >&2
  echo "$response" >&2
  exit 1
fi

AGENT_LABEL="Proactive Engineer"
if [ -n "${AGENT_NAME:-}" ] && [ "$AGENT_NAME" != "default" ]; then
  AGENT_LABEL="Proactive Engineer ($AGENT_NAME)"
fi

if command -v git >/dev/null 2>&1; then
  git config --global user.name "$AGENT_LABEL"
  git config --global user.email "proactive-engineer[bot]@users.noreply.github.com"
fi

echo "$token"