
workflow-application-token-action

This is a GitHub Action that can be used to obtain scoped, limited-access, expiring credentials for use inside GitHub Actions workflows.

Why would you want to do this? The GITHUB_TOKEN, whilst it does expire, carries protections around creating events that prevent downstream GitHub Actions workflows from triggering. This prevents recursive loops between workflows, but there are a number of valid workflow types that require or desire triggering downstream GitHub Actions workflows.

The existing way to work around this today is to use a Personal Access Token, but these tokens are tied to a user, are generally over-privileged for the task at hand (increasing the risk if they are exposed), and are not time limited like the GITHUB_TOKEN.

This is where a GitHub Application access token can really help. The benefit of GitHub Applications is that you can restrict/scope the access of the token considerably more than can be achieved with a Personal Access Token. The access token from the GitHub Application is also time limited, expiring one hour after being issued, which provides some more protection against credentials leaking from a workflow.

Usage

To use this action you first need a GitHub Application created so that you can request temporary credentials on behalf of the application inside your workflows.

Requirements:

  • A new or existing GitHub Application with the access scopes required
  • A private key for the GitHub Application
  • The GitHub Application installed on the repository that the GitHub Actions Workflow will execute from

Creating a GitHub Application

You will need to have a GitHub Application that is scoped with the necessary permissions for the token that you want to retrieve at runtime.

To create a GitHub Application you can follow the steps available at https://docs.github.com/en/developers/apps/creating-a-github-app

The important configuration details for the application are:

  • GitHub App name: a human-readable application name that is unique within GitHub.com
  • Description: some details about your application and what you intend to use it for
  • Homepage URL: needs to be set to something, as long as it is a URL
  • Expire user authorization tokens: should be checked so that any tokens that are issued expire
  • Webhook Active checkbox: should be unchecked
  • Repository permissions, Organization permissions and/or User permissions: should be set to allow the access required for the token that will be issued
  • Where can this GitHub App be installed?: should be scoped to your desired audience (the current account, or any account)

Once the application has been created you will be taken to the General settings page for the new application. The GitHub Application will be issued an App ID, which you can see in the About section; take note of this for later use in the Actions workflow.

At the bottom of the General settings page for the application there is a Private keys section that you can use to generate a private key that authenticates as the application. Generate a new private key and store it for later use.

Note: the private keys can and should be rotated periodically to limit the risk of them being exposed in use.

Install the GitHub Application

Once you have the GitHub Application defined, you will need to install it on the target organization or repository/repositories that you want it to have access to. These will be any repositories that you want to gather information from or want the application to modify, as per the scopes that were defined when the application was installed.

Note: The GitHub Application will need to be installed on the organization and/or repository that you are executing the GitHub Actions workflow from, as the implementation requires this to be able to generate the access tokens.

Using the GitHub Action in a Workflow

To use the action in a workflow, it is recommended that you store the GitHub Application private key in GitHub Secrets. This can be done at a repository or organization level (provided that the Actions workflow has access to the secret).

When storing the private key, you can store the raw PEM-encoded key contents that the GitHub Application generates for you, or Base64 encode them in the secret.

Parameters

  • application_id: The GitHub Application ID that you will be getting the access token for
  • application_private_key: A private key generated for the GitHub Application so that you can authenticate (PEM format or base64 encoded)
  • permissions: The optional limited permissions to request; specifying this allows you to request a subset of the permissions of the underlying GitHub Application. Defaults to all permissions available to the GitHub Application when not specified. Must be provided as a comma-separated list of token permissions, e.g. issues:read, secrets:write, packages:read
  • organization: An optional organization name if the GitHub Application is installed at the organization level (instead of the repository).
  • github_api_base_url: An optional URL for the GitHub API. By default this is read from the runner environment, but if you are bridging access to a secondary GHES instance, or from GHES to GHEC, you can use this to make sure the Octokit library is talking to the right GitHub instance.
  • https_proxy: An optional proxy to use for connecting to the GitHub instance. If this parameter is not specified and the runner has HTTP_PROXY or HTTPS_PROXY set as environment variables, the action will attempt to use those.
  • revoke_token: An optional boolean (true or false) to revoke the access token in the post-job steps of the Actions workflow. To preserve backwards compatibility of this action, it defaults to false.

Examples

Get a token with all the permissions of the GitHub Application:

jobs:
  get-temp-token:
    runs-on: ubuntu-latest

    steps:
      - name: Get Token
        id: get_workflow_token
        uses: peter-murray/workflow-application-token-action@v3
        with:
          application_id: ${{ secrets.APPLICATION_ID }}
          application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}

      - name: Use Application Token to create a release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
        with:
          ....

Get a token with a limited subset of the permissions of the GitHub Application, in this case just the actions:write permission:

jobs:
  get-temp-token:
    runs-on: ubuntu-latest

    steps:
      - name: Get Token
        id: get_workflow_token
        uses: peter-murray/workflow-application-token-action@v3
        with:
          application_id: ${{ secrets.APPLICATION_ID }}
          application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
          permissions: "actions:write"

      - name: Use Application Token to create a release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
        with:
          ....

Get a token with all the permissions of the GitHub Application that is installed on an organization:

jobs:
  get-temp-token:
    runs-on: ubuntu-latest

    steps:
      - name: Get Token
        id: get_workflow_token
        uses: peter-murray/workflow-application-token-action@v3
        with:
          application_id: ${{ secrets.APPLICATION_ID }}
          application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
          organization: octodemo

      - name: Use Application Token to create a release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
        with:
          ....

Proxy

You can specify a proxy server directly using the https_proxy parameter in your with settings, or fall back to any environment variables that provide a proxy reference: HTTP_PROXY or HTTPS_PROXY (or their lowercase variants, e.g. http_proxy). If defined, the request will use the proxy to route the connection to the GitHub instance.

jobs:
  get-temp-token:
    runs-on: ubuntu-latest

    steps:
      - name: Get Token
        id: get_workflow_token
        uses: peter-murray/workflow-application-token-action@v3
        with:
          application_id: ${{ secrets.APPLICATION_ID }}
          application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
          organization: octodemo
          https_proxy: http://my-squid-proxy:3128
          ....

In version 2.1.0 of this action, support was added for no_proxy environment variables that may be present on the workflow or Actions runner.

If the https_proxy input is specified for the action, any no_proxy setting is ignored, as the proxy has been explicitly set and this action treats that as entirely intentional.

If, on the other hand, the proxy server is detected from the environment variables (http_proxy, HTTP_PROXY, https_proxy or HTTPS_PROXY) and no_proxy is present, then no_proxy is parsed for hostname matches to decide whether or not to use the proxy when accessing the GitHub API.

The supported format for the no_proxy environment variable is a comma-separated list of host names for which the proxy server should not be used, e.g. api.github.com,www.google.com.
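The proxy selection rules described above, as an added example that is not the action's own code: an explicit https_proxy input wins outright, otherwise the environment proxy is used unless no_proxy lists the API host. The env object and apiHost are passed in as assumed inputs so the logic runs offline; only exact host-name matches are handled.

```javascript
// Added example (not the action's own code): the proxy selection rules the
// Proxy section describes. `env` and `apiHost` are injected so it runs offline.
function selectProxy({ httpsProxyInput, env, apiHost }) {
  // An explicit https_proxy input wins, and no_proxy is deliberately ignored.
  if (httpsProxyInput && httpsProxyInput.trim()) return httpsProxyInput.trim();
  const proxy = env.https_proxy || env.HTTPS_PROXY || env.http_proxy || env.HTTP_PROXY;
  if (!proxy) return null;
  // Only when the proxy comes from the environment is no_proxy consulted: a
  // comma-separated list of host names for which the proxy must not be used.
  // Assumption: exact, case-insensitive host-name matching only; suffix or
  // wildcard no_proxy dialects are not handled here.
  const noProxy = (env.no_proxy || env.NO_PROXY || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  return noProxy.includes(apiHost.toLowerCase()) ? null : proxy;
}
```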

Access Token revocation

To provide additional security around the access token, rather than waiting for it to expire, you can set the revoke_token input to true so that at the end of the job a post-action step revokes the access token, invalidating it immediately so that it cannot be used further.

References

https://docs.github.com/en/developers/apps/authenticating-with-github-apps#authenticating-as-an-installation

Contributors

chouetz, martincostello, mheap, peter-murray


workflow-application-token-action's Issues

add retry parameter?

[Failed to initialize GitHub Application connection using provided id and private key]
This happens sometimes. I don't know if this is due to some sort of github api latency issue.
I rerun my workflow and it disappeared.
Is it possible to add a retry parameter?

Can we run this action against a different GHES server?

Hi, I would like to run this action against a different GHES server to get an access token from it by using the GitHub Application.

Is that possible?

I tried by overwriting the GITHUB_API_URL but I do not see that being picked up.

      - uses: peter-murray/[email protected]
        name: Get acces token from App on ACC
        id: get_workflow_token
        env:
          GITHUB_API_URL: https://gh-server.com/api/v3
        with:
          application_id: ${{ env.GH_AUTOMATION_ID_ACC }}
          application_private_key: ${{ secrets.GH_AUTOMATION_PRIVATE_KEY_ACC }}
          organization: my-org

CC @peter-murray

Security Vulnerabilities Detected

Within the Enterprise that I work, we follow a process for approving marketplace GitHub actions.

The review process includes scanning the source code (using GitHub Advanced Security with the security-extended suite) for vulnerabilities and when we did so yesterday (05/02/2024) there were TWO (2) HIGH severity vulnerabilities reported. Our internal policy does not allow approval for actions where High (or higher) severity vulnerabilities are present.

Could you please resolve the vulnerabilities and issue a new release?

Version Reviewed: Latest source code (cloned repository)

Reproduce by: Executing a GitHub Advanced Security scan using the security-extended suite

INC - application_private_key

Good evening,

First of all thank you for your tool, I'm a big fan of it!
I am using Terraform for configuration purposes for an organization, including using Terraform to create GitHub Actions secrets.

Key creation scheme:

  • Follow the tutorial on README.md
  • Transforming the PEM key into Base64 for Terraform
  • Terraform uses the Crypto tool
  • The key is created on GitHub correctly

When I try to use it through your workflow in this way:

      - name: Get token
        id: get_token
        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
        with:
          application_id: ${{ secrets.ID_AUTOSYNCBOT }}
          application_private_key: ${{ secrets.PEM_AUTOSYNCBOT }}

I find myself facing this error when using it:

$ Run peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
Error: Error: Input required and not supplied: application_private_key
Error: Failed to initialize GitHub Application connection using provided id and private key

Maybe I'm going the wrong way, or maybe the Crypto module provided by Terraform is simply not recognized by your workflow?

Best regards,

Feature suggestion: Log the x-github-request-id header in the action

Would be nice if there was some way of logging the x-github-request-id header.

It would be helpful to have this in cases where the attempt to get a token from app/installations/<installation_id>/access_tokens fails with a "Network Error" where it fails to reach api.github.com for some reason versus any case when GitHub.com is responding with an error.

Create releases

It seems that no new releases were created for the action for a few months now even though there have been code changes.

Please create releases when changes have been made so users can be notified.

application_private_key not found

Even though I have application_private_key pointing to a secret in my GitHub Action code, it can't be found by this action's runs.

I thought I fixed this when I saw my tests run successfully after adding the org attribute, but I have come back from holiday and it isn't working again.

#26

I know the secret exists because when I use peter-murray/workflow-application-token-action@v1
everything is fine.

I'm trying to figure out what the difference was between v1 and v2

Add option to set token expiration timeout

Hi,

Currently the token expires after 60 mins. Can an option be added to allow a customizable timeout?

The use case is that I use this action to login to AWS, and AWS will store a terraform statefile on S3.

I terraform my infrastructure - in this case an Azure APIM which takes ~45mins to complete - the entire terraform workflow takes over 60mins.

By the time the workflow is complete, the token has expired and the statefile cannot be saved.

It isn't possible to alter the flow of the workflow, as terraform itself needs to access the S3 at the start and end of its "apply" stage, so the workflow is just:

  1. AWS login
  2. terraform apply

Thanks.

Create a release for v1.4.0

The marketplace only shows releases and not all tags:

I was searching for the version that supports the github_api_base_url parameter, which is v1.4.0 and it is not in the releases list, making it harder to find.

Option to specify installation ID instead of installing app into calling repo

The npm script github-app-installation-token (NPMJS) takes an installation ID for the target repo with the workflow that is to be triggered, so the GitHub Application only has to be installed in the repo that has the workflow that is to be triggered. Could workflow-application-token-action be enhanced with this feature, so one doesn't also have to install the app into the repo that triggers the workflow?

I managed to get everything working when I tested it from the command line with that script, so it was a little bit of a d'oh when I set up another repo with a workflow that ran workflow-application-token-action and that failed.

Add configurable Timeout

This is my new favourite GitHub Action, thank you for creating this!

Currently, the action defaults to a 60 second timeout, however, I can see the githubApplication.create method has already been written to accept a timeout.

Would you be open to a PR making timeout an optional parameter that can be passed to the action?

Intermittent 401s when obtaining token

We're seeing intermittent 401 status code responses when trying to obtain a token:

Run peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
  with:
    application_id: ***
    application_private_key: ***
    permissions: contents:read
Error: Error: Failed to connect as application; status code: 401
'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued
Error: Failed to initialize GitHub Application connection using provided id and private key

Runner details:

Image: macos-13-arm64
  Version: 20231017.1
  Included Software: https://github.com/actions/runner-images/blob/macos-13-arm64/20231017.1/images/macos/macos-13-arm64-Readme.md
  Image Release: https://github.com/actions/runner-images/releases/tag/macos-13-arm64%2F20231017.1

Any idea what might be going on?
