-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathindex.js
124 lines (105 loc) · 3.64 KB
/
index.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
const core = require('@actions/core');
const { createHash } = require('crypto');
const { DefaultAzureCredential, ClientAssertionCredential } = require('@azure/identity');
const {
CryptographyClient,
KeyClient,
KnownSignatureAlgorithms
} = require('@azure/keyvault-keys');
try {
let credential;
if (process.env.ARM_USE_OIDC == 'true' && process.env.ARM_TENANT_ID && process.env.ARM_CLIENT_ID && process.env.ARM_OIDC_TOKEN) {
const tenantID = process.env.ARM_TENANT_ID;
const clientID = process.env.ARM_CLIENT_ID;
const token = process.env.ARM_OIDC_TOKEN;
credential = new ClientAssertionCredential(tenantID, clientID, () => token);
} else {
credential = new DefaultAzureCredential();
}
const githubAppClientId = core.getInput('gh-app-client-id');
const keyVaultName = core.getInput('key-vault-name');
const keyName = core.getInput('key-name');
const ghOrg = core.getInput('gh-org');
let ghInstallationId = core.getInput('gh-installation-id');
const tokenDuration = parseInt(core.getInput('token-duration'), 10);
if (!ghInstallationId && !ghOrg) {
throw new Error('Either gh-installation-id or gh-org must be provided');
}
const now = Math.floor(Date.now() / 1000);
const nowWithSafetyMargin = now - 30;
const expiration = now + tokenDuration;
const jwtHeader = base64encodeJSON({
alg: 'RS256',
typ: 'JWT'
});
const jwtPayload = base64encodeJSON({
iss: githubAppClientId,
iat: nowWithSafetyMargin,
exp: expiration
});
const jwtData = `${jwtHeader}.${jwtPayload}`;
const jwtDataDigest = createHash('sha256').update(jwtData).digest();
const serviceClient = new KeyClient(
`https://${keyVaultName}.vault.azure.net`,
credential
);
serviceClient.getKey(keyName).then(async (keyVaultKey) => {
if (keyVaultKey?.name) {
const cryptoClient = new CryptographyClient(keyVaultKey, credential);
const { result: signature } = await cryptoClient.sign(KnownSignatureAlgorithms.RS256, jwtDataDigest);
const jwtSignature = urlBase64encode(signature);
const appToken = `${jwtData}.${jwtSignature}`;
const { Octokit } = await import("@octokit/core");
const octokit = new Octokit({
auth: appToken
});
let ghToken;
if (ghOrg) {
let orgInstallation = await octokit.request(`GET /orgs/${ghOrg}/installation`, {
org: ghOrg,
headers: {
'X-GitHub-Api-Version': '2022-11-28'
}
})
ghInstallationId = orgInstallation.data.id;
}
if (!ghInstallationId) {
throw new Error('Failed to get installation ID. Make sure you have provided correct gh-org or provide gh-installation-id.');
}
let installationToken = await octokit.request(`POST /app/installations/${ghInstallationId}/access_tokens`, {
installation_id: ghInstallationId,
headers: {
'X-GitHub-Api-Version': '2022-11-28'
}
})
ghToken = installationToken.data.token
core.setSecret(ghToken);
core.setOutput('gh_token', ghToken);
}
});
} catch (error) {
core.setFailed(error.message);
}
/**
* @param {string} base64
* @returns {string}
*/
function urlBase64(base64) {
return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
}
/**
* @param {Record<string,unknown>} obj
* @returns {string}
*/
function base64encodeJSON(obj) {
return urlBase64(btoa(JSON.stringify(obj)));
}
/**
* @param {string} buffer
* @returns {string}
*/
function urlBase64encode(buffer) {
// Convert the binary data (buffer) to a base64 string
const base64 = btoa(String.fromCharCode.apply(null, new Uint8Array(buffer)));
return urlBase64(base64);
}