elastic/actions-app-token

 
 


Impersonate Your GitHub App In A GitHub Action

This action helps you retrieve an authenticated app token using a GitHub App ID and an app private key. You can use this token inside an Actions workflow instead of GITHUB_TOKEN, in cases where the GITHUB_TOKEN has restricted rights.

Why Would You Do This?

Actions have certain limitations. Many of these limitations exist for security and stability reasons, but not all of them do. Some examples where you might want to impersonate a GitHub App temporarily in your workflow:

  • You want an event to trigger a workflow on a specific ref or branch in a way that is not natively supported by Actions. For example, a pull request comment fires the issue_comment event, which is sent to the default branch and not the PR's branch. You can temporarily impersonate a GitHub App to create an event, such as labeling a pull request, that triggers a workflow on the right branch. This takes advantage of the fact that Actions cannot create events that trigger workflows, whereas other Apps can.

Usage

  1. If you do not already own a GitHub App you want to impersonate, create a new GitHub App with your desired permissions. If you are creating a new app only for the purpose of impersonation by Actions, you do not need to provide a Webhook URL or Webhook Secret.

  2. Install the App on your repositories.

  3. See action.yml for the API spec.

Example:

steps:
- name: Get token
  id: get_token
  uses: elastic/actions-app-token@master
  with:
    APP_PEM: ${{ secrets.APP_PEM }}
    APP_ID: ${{ secrets.APP_ID }}

- name: Get App Installation Token
  run: |
    echo "This token is masked: ${TOKEN}"
  env:
    TOKEN: ${{ steps.get_token.outputs.app_token }}

Note: The input APP_PEM needs to be base64 encoded. You can encode your private key file like this from the terminal:

cat your_app_key.pem | base64 -w 0 && echo

The base64-encoded string must be on a single line, so be sure to remove any line breaks when creating APP_PEM in your project's GitHub secrets.
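A pre-flight check for the value you are about to paste into the APP_PEM secret, added here as an example and not part of this project's code. It catches the failure modes the note above implies (wrapped output, a raw PEM pasted unencoded, a truncated copy) without ever printing the key. The function names and the sample PEM are constructed for illustration.

```sh
#!/bin/sh
# Added example (not the project's code): validate an APP_PEM value before
# storing it as a secret. Only a status message is printed, never key material.

# Encode a PEM file as single-line base64 (portable alternative to `base64 -w 0`).
encode_app_pem() {
    base64 < "$1" | tr -d '\r\n'
}

# Print "ok" and return 0 if $1 is usable as APP_PEM. Otherwise print the reason
# and return 1 (line breaks), 2 (empty), 3 (not base64) or 4 (not a PEM key).
check_app_pem() {
    nl='
'
    case $1 in
        *"$nl"*) echo "contains line breaks"; return 1 ;;
        '')      echo "empty value"; return 2 ;;
    esac
    pem=$(printf '%s' "$1" | base64 --decode 2>/dev/null) || {
        echo "not valid base64"; return 3; }
    # Tolerate CRLF line endings in the decoded key file.
    first=$(printf '%s\n' "$pem" | tr -d '\r' | head -n 1)
    last=$(printf '%s\n' "$pem" | tr -d '\r' | tail -n 1)
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) echo "decoded value is not a PEM private key"; return 4 ;;
    esac
    case $last in
        "-----END "*"PRIVATE KEY-----") echo "ok" ;;
        *) echo "PEM footer missing (truncated value?)"; return 4 ;;
    esac
}

# Constructed stand-in for a key file: PEM framing around a dummy body, not a real key.
sample_pem() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLUtFWQ==' \
        '-----END RSA PRIVATE KEY-----'
}
```

Run `check_app_pem "$(encode_app_pem your_app_key.pem)"` locally and paste the encoded value into the secret only when it prints `ok`.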

Mandatory Inputs

  • APP_PEM: base64-encoded string version of your PEM file, used to authenticate as a GitHub App.

  • APP_ID: your GitHub App ID.

Outputs

License

The scripts and documentation in this project are released under the MIT License.
