Skip to content

Latest commit

 

History

History
79 lines (60 loc) · 3.17 KB

README.md

File metadata and controls

79 lines (60 loc) · 3.17 KB

actions-github-app-token

A GitHub Action that generates a GitHub App Installation Token.

Motivation

There are several ways to use tokens in GitHub Actions. However, they have some limitations.

The action provides the GitHub Token Vending API to manage token permissions.

Usage

Install the GitHub App

Create a new your own GitHub App, or install My Demonstration App.

Deploy the GitHub Token Vending API

Install the AWS SAM CLI, and deploy the API to your AWS Account.

cd provider/
sam build
sam deploy

Use the Action in Your Workflow

jobs:
  job:
    runs-on: ubuntu-latest
    # use GitHub Actions OIDC Token
    permissions:
      id-token: write
      contents: read

    steps:
      - id: generate
        uses: shogo82148/actions-github-app-token@v1
        # Optional (defaults to My Demonstration App).
        # with:
        #   provider-endpoint: https://EXAMPLE.execute-api.us-east-1.amazonaws.com/
      - run: |
          gh issue create --title "Do something using GITHUB_TOKEN"
        env:
          GITHUB_TOKEN: ${{ steps.generate.outputs.token }}

How It Works

How to Work

  1. Request a new credential with OIDC (OpenID Connect) Token.
    The shogo82148/actions-github-app-token action sends a temporary id token to the credential token vendor.
  2. The vendor signs the request using the long term credential.
    The long term credential doesn't leave AWS environment. It keeps the workflow safer.
  3. The vendor a new credential with JWT (JSON Web Token).
  4. GitHub returns a temporary credential.

Related Works