ci: use private key to get pat token for bot

NanderTGA · Jan 29, 2024 · 537fe63 · 537fe63
1 parent 3cdfc30
commit 537fe63
Show file tree

Hide file tree

Showing 4 changed files with 219 additions and 1 deletion.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -65,12 +65,17 @@ jobs:
 
       - name: Setup repository
         uses: ./.github/actions/setup-repository
+
+      - name: Request PAT from private key
+        id: requestPAT
+        run: |
+          node privateKeyToPAT.js ${{ secrets.RELEASE_BOT_KEY_BASE64 }} >> $GITHUB_OUTPUT
 
       - name: Create and publish a new release
         run: npx semantic-release
         env:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN_MSGROOM }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.requestPAT.outputs.PAT }}
 
       - name: Generate a tarball from the build results
         run: npm pack

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -130,6 +130,7 @@
     "@types/jest": "^29.5.5",
     "eslint": "^8.49.0",
     "jest": "^29.7.0",
+    "jsonwebtoken": "^9.0.2",
     "memfs": "^4.6.0",
     "rimraf": "^5.0.1",
     "semantic-release": "^23.0.0",

diff --git a/privateKeyToPAT.js b/privateKeyToPAT.js
@@ -0,0 +1,39 @@
+import jwt from "jsonwebtoken";
+
+// Usage: node privateKeyToPAT.js <base 64 encoded contents of the private key.pem file>
+const privateKeyBase64 = process.argv[2];
+const appId = "809549";
+const installationId = "46654931";
+
+// Step 1: Generate a JWT
+const privateKey = Buffer.from(privateKeyBase64, "base64").toString();
+const payload = {
+    iat: Math.floor(Date.now() / 1000),
+    exp: Math.floor(Date.now() / 1000) + 600, // 10 minutes
+    iss: appId,
+};
+const token = jwt.sign(payload, privateKey, { algorithm: "RS256" });
+
+// Step 2: Exchange JWT for an Access Token (PAT)
+const githubApiUrl = `https://api.github.com/app/installations/${installationId}/access_tokens`;
+
+fetch(githubApiUrl, {
+    method : "POST",
+    headers: {
+        Authorization: `Bearer ${token}`,
+        Accept       : "application/vnd.github.v3+json",
+    },
+})
+    .then(response => {
+        if (!response.ok) {
+            throw new Error(`Failed to retrieve access token: ${response.status} ${response.statusText}`);
+        }
+        return response.json();
+    })
+    .then(data => {
+        console.log(`PAT=${data.token}`);
+    })
+    .catch(error => {
+        console.error("Error:", error);
+        process.exit(1);
+    });