kenoir · October 26, 2022 08:34
diff --git a/get_github_app_token.sh b/get_github_app_token.sh
 # MIT No Attribution

 # Copyright 2022 Nabil Abdel-Hafeez

 # Permission is hereby granted, free of charge, to any person obtaining a copy of this
 # software and associated documentation files (the "Software"), to deal in the Software
 # without restriction, including without limitation the rights to use, copy, modify,
 # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
 # permit persons to whom the Software is furnished to do so.

 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
 # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
 # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

 #!/usr/bin/env bash

 appId=$APP_ID
 secret=$APP_SECRET
 repo=$GH_REPO

 header='{ "typ": "JWT", "alg": "RS256" }'

 payload="{ \"iss\": \"$appId\" }"

 payload=$(
    echo "${payload}" | jq --arg time_str "$(date +%s)" \
    '
    ($time_str | tonumber) as $time_num
    | .iat=$time_num - 15
    | .exp=($time_num + 60 * 5)
    '
 )


 b64enc() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; }
 json() { jq -c . | LC_CTYPE=C tr -d '\n'; }
 rs_sign() { openssl dgst -binary -sha256 -sign <(printf '%s\n' "$1"); }

 signed_content="$(json <<<"$header" | b64enc).$(json <<<"$payload" | b64enc)"
 sig=$(printf %s "$signed_content" | rs_sign "$secret" | b64enc)

 installation_id=$(jq .id <<< "$(curl --location -g -s \
 --request GET "https://api.github.com/repos/${repo}/installation" \
 --header 'Accept: application/vnd.github.machine-man-preview+json' \
 --header "Authorization: Bearer ${signed_content}.${sig}")")

 unscoped_token=$(jq .token -r <<< "$(curl --location -g -s \
 --request POST "https://api.github.com/app/installations/${installation_id}/access_tokens" \
 --header 'Accept: application/vnd.github.v3+json' \
 --header "Authorization: Bearer ${signed_content}.${sig}")")

 repo_id=$(jq .id <<< "$(curl -g -s \
 -H "Accept: application/vnd.github.v3+json" \
 --header "Authorization: token $unscoped_token" \
 "https://api.github.com/repos/$repo")")

 token=$(jq .token -r <<< "$(curl --location -g -s \
 --request POST "https://api.github.com/app/installations/${installation_id}/access_tokens" \
 --header 'Accept: application/vnd.github.v3+json' \
 --header "Authorization: Bearer ${signed_content}.${sig}" \
 -d "{\"repository_ids\":[$repo_id]}" )")

 echo "$token"
	# MIT No Attribution

	# Copyright 2022 Nabil Abdel-Hafeez

	# Permission is hereby granted, free of charge, to any person obtaining a copy of this
	# software and associated documentation files (the "Software"), to deal in the Software
	# without restriction, including without limitation the rights to use, copy, modify,
	# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
	# permit persons to whom the Software is furnished to do so.

	# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
	# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
	# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
	# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
	# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
	# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

	#!/usr/bin/env bash

	appId=$APP_ID
	secret=$APP_SECRET
	repo=$GH_REPO

	header='{ "typ": "JWT", "alg": "RS256" }'

	payload="{ \"iss\": \"$appId\" }"

	payload=$(
	echo "${payload}" \| jq --arg time_str "$(date +%s)" \
	'
	($time_str \| tonumber) as $time_num
	\| .iat=$time_num - 15
	\| .exp=($time_num + 60 * 5)
	'
	)


	b64enc() { openssl enc -base64 -A \| tr '+/' '-_' \| tr -d '='; }
	json() { jq -c . \| LC_CTYPE=C tr -d '\n'; }
	rs_sign() { openssl dgst -binary -sha256 -sign <(printf '%s\n' "$1"); }

	signed_content="$(json <<<"$header" \| b64enc).$(json <<<"$payload" \| b64enc)"
	sig=$(printf %s "$signed_content" \| rs_sign "$secret" \| b64enc)

	installation_id=$(jq .id <<< "$(curl --location -g -s \
	--request GET "https://api.github.com/repos/${repo}/installation" \
	--header 'Accept: application/vnd.github.machine-man-preview+json' \
	--header "Authorization: Bearer ${signed_content}.${sig}")")

	unscoped_token=$(jq .token -r <<< "$(curl --location -g -s \
	--request POST "https://api.github.com/app/installations/${installation_id}/access_tokens" \
	--header 'Accept: application/vnd.github.v3+json' \
	--header "Authorization: Bearer ${signed_content}.${sig}")")

	repo_id=$(jq .id <<< "$(curl -g -s \
	-H "Accept: application/vnd.github.v3+json" \
	--header "Authorization: token $unscoped_token" \
	"https://api.github.com/repos/$repo")")

	token=$(jq .token -r <<< "$(curl --location -g -s \
	--request POST "https://api.github.com/app/installations/${installation_id}/access_tokens" \
	--header 'Accept: application/vnd.github.v3+json' \
	--header "Authorization: Bearer ${signed_content}.${sig}" \
	-d "{\"repository_ids\":[$repo_id]}" )")

	echo "$token"