tibdex/github-app-token

private_key only supports actions secrets?

hyperdash opened this issue · 4 comments

I appreciate such a handy GitHub Action!
I have something to ask.
Would it only work with a private_key stored as an actions secret?

I'm running my actions on a self-hosted runner and I'm trying to pass a raw private_key of my GitHub App to github-app-token as a step's output. The key is stored in GCP's Secret Manager in JSON format, together with the GitHub App ID and GitHub App Installation ID, and is retrieved from it in another step.

That causes this error.

2022-06-23T05:54:09.8957322Z ##[error]Error: error:0909006C:PEM routines:get_name:no start line

My workflow steps look like these.

    - name: Github App Private Key
      id: github_app
      run: |
        gcloud secrets versions access latest --project=my-gcp-project --secret=github-app > github-app
        cat github-app | jq -r .github_app_id | xargs -I {} echo "::set-output name=github_app_id::{}"
        cat github-app | jq -r .github_app_installation_id | xargs -I {} echo "::set-output name=github_app_installation_id::{}"
        cat github-app | jq -r .github_app_private_key > github_app_private_key
        echo "::set-output name=github_app_private_key::${github_app_private_key//$'\n'/\\n}"
    - name: Generate Github Token
      id: generate_github_token
      uses: tibdex/github-app-token@v1
      with:
        app_id: ${{ steps.github_app.outputs.github_app_id }}
        private_key: ${{ steps.github_app.outputs.github_app_private_key }}
        installation_id: ${{ steps.github_app.outputs.github_app_installation_id }}
        repository: myorg/myrepo

Is there any way to pass a non-actions-secret private_key as a private_key, or am I doing something wrong in the steps?

Once I added my private_key into actions secrets, it worked with no error of course.

I think the parameter just takes a string and it doesn't matter where it comes from. It doesn't have to be from actions secrets. I think the problem you had was about extracting that secret and ensuring it has the right format.

I'm converting my multi-line RSA private key into a single-line one by replacing line breaks with \n. I might be doing something wrong in the process. The single-line RSA private key looks like ----BEGIN RSA PRIVATE KEY-----\n... <key body> ...\n-----END RSA PRIVATE KEY-----. I expect it to work when passed via set-output to the private_key input, but I only get the error.
I'm going to debug the differences in the private key string between set-output and actions secrets. Thanks.

I figured out that I had to encode my raw private key into base64 format

    echo "${github_app}" | jq -r .github_app_private_key | base64 -w 0 | xargs -I {} echo "::set-output name=github_app_private_key::{}"
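
The base64 approach from the last comment, as an added example that is not part of the original thread or the action's own code: it checks that the value really starts with a PEM BEGIN line (the condition behind the `no start line` error), encodes it onto one line, and masks the encoded value before emitting it as a step output. The sample key is a constructed placeholder and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed placeholder, NOT a real key: only the PEM framing matters here.
SAMPLE_PEM='-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDERNOTAREALKEY0000
CONSTRUCTEDPLACEHOLDERSECONDLINE00000
-----END RSA PRIVATE KEY-----'

# Succeeds only if the first line is exactly a PEM BEGIN marker. An empty value,
# or one whose line breaks were replaced by a literal "\n", fails this check.
has_pem_start_line() {
  printf '%s\n' "$1" | head -n 1 | grep -Eq '^-----BEGIN [A-Z ]+-----$'
}

# Multi-line key -> one base64 line (portable equivalent of `base64 -w 0`).
encode_key() {
  printf '%s\n' "$1" | base64 | tr -d '\n'
}

# Inverse of encode_key, used to confirm nothing was lost in transit.
decode_key() {
  printf '%s' "$1" | base64 -d
}

# Validate, mask, then emit. The mask comes first so the runner redacts the
# encoded value anywhere it later appears in the job log.
emit_key_output() {
  has_pem_start_line "$1" || { echo "value has no PEM start line" >&2; return 1; }
  local encoded
  encoded=$(encode_key "$1")
  printf '::add-mask::%s\n' "$encoded"
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    # Newer runners: step outputs are written to the file named by GITHUB_OUTPUT.
    printf 'github_app_private_key=%s\n' "$encoded" >> "$GITHUB_OUTPUT"
  else
    # Same workflow command the thread uses.
    printf '::set-output name=github_app_private_key::%s\n' "$encoded"
  fi
}

emit_key_output "$SAMPLE_PEM"
```
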