chg: switch back to local action test, remove input decode

* refactor get_jwt to use text input and encode at load time

Signed-off-by: Steve Arnold <[email protected]>

.github/workflows/test.yaml

@@ -15,39 +15,23 @@ jobs:
       # To use this repository's private action,
       # you must check out the repository
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Environment
         run: |
           bash -c set
 
-      #- name: Get token local action
-        #id: generate-token
-        #uses: ./ # Uses an action in the root directory
-        #with:
-          #APP_PEM: ${{ secrets.VCT_GHT_APP_PEM }}
-          #APP_ID: ${{ vars.VCT_GHT_APP_ID }}
-
-      - name: Generate GH token
-        id: generate-token
-        uses: actions/create-github-app-token@v1
+      - name: Get token local action
+        id: get_token
+        uses: ./  # Uses an action in the root directory
         with:
-          app-id: ${{ vars.VCT_GHT_APP_ID }}
-          private-key: ${{ secrets.VCT_GHT_APP_PEM }}
-          owner: ${{ github.repository_owner }}
-          # repositories: "actions-app-token"
+          APP_ID: ${{ vars.VCT_GHT_APP_ID }}
+          APP_PEM: ${{ secrets.VCT_GHT_APP_PEM }}
 
       - name: Check App Installation Token
         run: |
           echo "This token is masked: ${TOKEN}"
         env:
-          TOKEN: ${{ steps.generate-token.outputs.token }}
-
-      # the example 'gh' command is not there
-      #- name: Check the GH token
-        #env:
-          #GH_TOKEN: ${{ steps.generate-token.outputs.token }}
-        #run: |
-          #gh api actions-app-token
+          TOKEN: ${{ steps.get_token.outputs.app_token }}

README.md

@@ -1,4 +1,4 @@
-![Actions Status](https://github.com/machine-learning-apps/actions-app-token/workflows/Tests/badge.svg)
+![Actions Status](https://github.com/VCTLabs/actions-app-token/workflows/Tests/badge.svg)
 
 # Impersonate Your GitHub App In A GitHub Action
 
@@ -9,13 +9,13 @@ This action helps you retrieve an authenticated app token with a GitHub app id a
 
 Actions have certain limitations.  Many of these limitations are for security and stability reasons, however not all of them are.  Some examples where you might want to impersonate a GitHub App temporarily in your workflow:
 
-- You want an [event to trigger a workflow](https://help.github.com/en/articles/events-that-trigger-workflows) on a specific ref or branch in a way that is not natively supported by Actions.  For example, a pull request comment fires the [issue_comment event](https://help.github.com/en/articles/events-that-trigger-workflows#issue-comment-event-issue_comment) which is sent to the default branch and not the PR's branch.  You can temporarily impersonate a GitHub App to make an event, such as a [label a pull_request](https://help.github.com/en/articles/events-that-trigger-workflows#pull-request-event-pull_request) to trigger a workflow on the right branch. This takes advantage of the fact that Actions cannot create events that trigger workflows, however other Apps can. 
+- You want an [event to trigger a workflow](https://help.github.com/en/articles/events-that-trigger-workflows) on a specific ref or branch in a way that is not natively supported by Actions.  For example, a pull request comment fires the [issue_comment event](https://help.github.com/en/articles/events-that-trigger-workflows#issue-comment-event-issue_comment) which is sent to the default branch and not the PR's branch.  You can temporarily impersonate a GitHub App to make an event, such as a [label a pull_request](https://help.github.com/en/articles/events-that-trigger-workflows#pull-request-event-pull_request) to trigger a workflow on the right branch. This takes advantage of the fact that Actions cannot create events that trigger workflows, however other Apps can.
 
 # Usage
 
 1. If you do not already own a GitHub App you want to impersonate, [create a new GitHub App](https://developer.github.com/apps/building-github-apps/creating-a-github-app/) with your desired permissions.  If only creating a new app for the purposes of impersonation by Actions, you do not need to provide a `Webhook URL or Webhook Secret`
 
-2. Install the App on your repositories. 
+2. Install the App on your repositories.
 
 3. See [action.yml](action.yml) for the api spec.
 
@@ -33,7 +33,7 @@ steps:
 - name: Get App Installation Token
   run: |
     echo "This token is masked: ${TOKEN}"
-  env: 
+  env:
     TOKEN: ${{ steps.get_token.outputs.app_token }}
 ```
 
@@ -46,7 +46,7 @@ cat your_app_key.pem | base64 -w 0 && echo
 
 ## Mandatory Inputs
 
-- `APP_PEM`: description: string version of your PEM file used to authenticate as a GitHub App. 
+- `APP_PEM`: description: string version of your PEM file used to authenticate as a GitHub App.
 
 - `APP_ID`: your GitHub App ID.
 

entrypoint.sh

@@ -1,4 +1,5 @@
 #! /usr/bin/env bash
 
-echo $INPUT_APP_PEM | base64 -d > pem.txt
+#echo $INPUT_APP_PEM | base64 -d > pem.txt
+echo $INPUT_APP_PEM > pem.txt
 python token_getter.py

token_getter.py

@@ -2,6 +2,7 @@
 from github3 import GitHub
 from pathlib import Path
 from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
 import time
 import json
 import jwt
@@ -73,9 +74,12 @@ def get_jwt(self):
             "exp": now + (60),
             "iss": self.app_id
         }
-        with open(self.path, 'rb') as key_file:
-            private_key = serialization.load_pem_private_key(key_file.read(), None)
-            return jwt.encode(payload, private_key, algorithm='RS256')
+        private_key = Path(self.path).read_text()
+
+        private_key_loaded = serialization.load_pem_private_key(
+            data=private_key.encode(), password=None
+        )
+        return jwt.encode(payload=payload, key=private_key_loaded, algorithm="RS256")
 
     def get_installation_id(self):
         "https://developer.github.com/v3/apps/#find-repository-installation"