chili-publish · sebastianpujina · Aug 7, 2024 · Jul 29, 2024 · Aug 5, 2024 · Aug 5, 2024
@@ -0,0 +1,28 @@
+name: get-gh-app-installation-access-token
+description: Action to get a GitHub application installation access token
+
+inputs:
+    gh-app-jwt:
+        description: GitHub application JWT
+        required: true
+    gh-app-installation-id:
+        description: GitHub application installation ID
+        required: true
+
+outputs:
+    gh-app-installation-access-token:
+        description: GitHub application installation access token
+        value: ${{ steps.get-gh-app-installation-access-token.outputs.token }}
+
+runs:
+    using: composite
+    steps:
+        - name: Get GitHub application installation access token
+          id: get-gh-app-installation-access-token
+          shell: pwsh
+          run: |
+              $Token = & '${{ github.action_path }}/get-gh-app-installation-access-token.ps1' `
+              -GH_App_JWT '${{ inputs.gh-app-jwt }}' `
+              -GH_App_Installation_ID '${{ inputs.gh-app-installation-id }}' `
+
+              "token=$Token" >> $env:GITHUB_OUTPUT
@@ -0,0 +1,28 @@
+param (
+    [Parameter(Mandatory = $True)]
+    [string]$GH_App_JWT,
+
+    [Parameter(Mandatory = $True)]
+    [string]$GH_App_Installation_ID
+)
+
+try {
+    $Header = @{
+        'Accept'        = 'application/vnd.github+json'
+        'Authorization' = "Bearer $GH_App_JWT"
+    }
+
+    # Token expires after 1 hour
+    # https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-github-apps#authenticating-as-an-installation
+    $AccessTokens = Invoke-RestMethod -Method POST -Uri https://api.github.com/app/installations/$GH_App_Installation_ID/access_tokens -Header $Header -ContentType 'application/json'
+
+    if ($? -eq $False) {
+        exit $LASTEXITCODE
+    }
+}
+catch {
+    Write-Error "Exception: $_"
+    exit -1
+}
+
+return $($AccessTokens.token)
@@ -0,0 +1,27 @@
+name: get-gh-app-jwt
+description: Action to get a GitHub application JWT
+
+inputs:
+    gh-app-private-key:
+        description: GitHub application private key
+        required: true
+    gh-app-id:
+        description: GitHub application ID
+        required: true
+
+outputs:
+    gh-app-jwt:
+        description: GitHub application JWT
+        value: ${{ steps.get-gh-app-jwt.outputs.jwt }}
+
+runs:
+    using: composite
+    steps:
+        - id: get-gh-app-jwt
+          shell: pwsh
+          run: |
+              $JWT = & '${{ github.action_path }}/get-gh-app-jwt.ps1' `
+              -GH_App_Private_Key '${{ inputs.gh-app-private-key }}' `
+              -GH_App_ID '${{ inputs.gh-app-id }}'
+
+              "jwt=$JWT" >> $env:GITHUB_OUTPUT
@@ -0,0 +1,53 @@
+param (
+    [Parameter(Mandatory = $True)]
+    [string]$GH_App_Private_Key,
+
+    [Parameter(Mandatory = $True)]
+    [string]$GH_App_ID,
+
+    # Max value is 600 seconds
+    # https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-github-apps#generating-a-json-web-token-jwt
+    [Parameter(Mandatory = $False)]
+    [int]$Expiration_Seconds = 60
+)
+
+try {
+    $DateTimeEpoch = New-Object System.DateTime(1970, 1, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
+    $DateTimeNow = Get-Date
+
+    # Header object containing the algorithm (RS256) used for signing
+    $Header = @{
+        'alg' = 'RS256'
+    }
+
+    # Payload object containing the issued at time, expiration time, and issuer
+    $Payload = @{
+        'iat' = [int](($DateTimeNow.ToUniversalTime() - $DateTimeEpoch).TotalSeconds);
+        'exp' = [int](($DateTimeNow.ToUniversalTime() - $DateTimeEpoch).TotalSeconds) + $Expiration_Seconds;
+        'iss' = $GH_App_ID;
+    }
+
+    # Convert the header and payload to base64url format
+    $Header = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($(ConvertTo-Json $Header -Compress))).TrimEnd('=').Replace('+', '-').Replace('/', '_')
+    $Payload = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($(ConvertTo-Json $Payload -Compress))).TrimEnd('=').Replace('+', '-').Replace('/', '_')
+
+    # Combine the base64url header and payload with a period separator
+    $UnsignedJWT = "$Header.$Payload"
+
+    # Sign the JWT using RS256
+    $RSA = New-Object System.Security.Cryptography.RSACryptoServiceProvider
+    $RSA.ImportFromPem($GH_App_Private_Key)
+    $Signature = $RSA.SignData([System.Text.Encoding]::UTF8.GetBytes($UnsignedJWT), [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
+
+    # Convert the signature to a base64url string
+    $Signature = [System.Convert]::ToBase64String($Signature).TrimEnd('=').Replace('+', '-').Replace('/', '_')
+
+    # Combine the base64url header, payload, and signature with a period separator
+    $JWT = "$UnsignedJWT.$Signature"
+}
+catch {
+    Write-Error "Exception: $_"
+    exit -1
+}
+
+return $JWT
@@ -0,0 +1,38 @@
+name: Trigger the automated tests
+on:
+    pull_request:
+        types: [labeled]
+jobs:
+    trigger-automated-tests:
+        if: github.event.label.name == 'Ready for QA'
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v3
+            - name: Get GitHub application JWT
+              id: get-gh-app-jwt
+              uses: ./.github/actions/get-gh-app-jwt
+              with:
+                  gh-app-private-key: ${{ secrets.GH_APP_PRIVATE_KEY_CHILI_REPO_ACTIONS }}
+                  gh-app-id: ${{ vars.GH_APP_ID_CHILI_REPO_ACTIONS }}
+
+            - uses: actions/checkout@v3
+            - name: Get GitHub application installation access token
+              id: get-gh-app-installation-access-token
+              uses: ./.github/actions/get-gh-app-installation-access-token
+              with:
+                  gh-app-jwt: ${{ steps.get-gh-app-jwt.outputs.gh-app-jwt }}
+                  gh-app-installation-id: ${{ vars.GH_APP_INSTALL_ID_CHILI_REPO_ACTIONS }}
+
+            - name: Trigger the automated tests
+              uses: convictional/trigger-workflow-and-wait@v1.6.1
+              with:
+                  owner: chili-publish
+                  repo: editor-qa-framework
+                  github_token: ${{ steps.get-gh-app-installation-access-token.outputs.gh-app-installation-access-token }}
+                  workflow_file_name: parallel_run_trigger.yml
+                  ref: main
+                  wait_interval: 10
+                  propagate_failure: true
+                  trigger_workflow: true
+                  wait_workflow: true
+                  client_payload: '{"PR_NUMBER": "pr_builds/${{ github.event.number }}", "SETTAG": "SDK"}'