Add more usage of $access_token

rajbos · Apr 27, 2024 · 0e41ecd · 0e41ecd
1 parent 93dee1d
commit 0e41ecd
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 5 deletions.
diff --git a/.github/workflows/library.ps1 b/.github/workflows/library.ps1
@@ -865,4 +865,57 @@ function GetForkedActionRepos {
     $statusVerified = $status | Where-Object {$_.verified}
     Write-Host "Found [$($statusVerified.Count)] verified repos in status file of total $($status.Count) repos"
     return ($status, $failedForks)
+}
+
+function Get-GitHubAppToken {
+    param (
+        [string] $appId,
+        [string] $installationId,
+        [string] $pemKey
+    )
+    $jwt = New-Jwt -appId $appId -pemKey $pemKey
+    $token = Get-AppToken -jwt $jwt -installationId $installationId
+    return $token
+}
+
+function New-Jwt {
+    param (
+        [string] $appId,
+        [string] $pemKey
+    )
+    $now = [System.DateTime]::UtcNow
+    $payload = @{
+        iat = [math]::floor($now.Subtract((New-Object DateTime 1970, 1, 1, 0, 0, 0, 0, System.DateTimeKind::Utc)).TotalSeconds)
+        exp = [math]::floor($now.AddMinutes(10).Subtract((New-Object DateTime 1970, 1, 1, 0, 0, 0, 0, System.DateTimeKind::Utc)).TotalSeconds)
+        iss = $appId
+    }
+    $header = @{
+        alg = "RS256"
+        typ = "JWT"
+    }
+    $headerJson = $header | ConvertTo-Json -Compress
+    $payloadJson = $payload | ConvertTo-Json -Compress
+    $headerBase64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($headerJson))
+    $payloadBase64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($payloadJson))
+    $data = "$headerBase64.$payloadBase64"
+    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
+    $rsa.ImportParameters((New-Object System.Security.Cryptography.RSAParameters))
+    $rsa.FromXmlString($pemKey)
+    $signature = $rsa.SignData([System.Text.Encoding]::UTF8.GetBytes($data), "SHA256")
+    $signatureBase64 = [Convert]::ToBase64String($signature)
+    return "$data.$signatureBase64"
+}
+
+function Get-AppToken {
+    param (
+        [string] $jwt,
+        [string] $installationId
+    )
+    $uri = "https://api.github.com/app/installations/$installationId/access_tokens"
+    $headers = @{
+        "Authorization" = "Bearer $jwt"
+        "Accept" = "application/vnd.github.v3+json"
+    }
+    $response = Invoke-RestMethod -Uri $uri -Method POST -Headers $headers
+    return $response.token
 }
diff --git a/.github/workflows/repoInfo.ps1 b/.github/workflows/repoInfo.ps1
@@ -8,6 +8,15 @@ Param (
 . $PSScriptRoot/library.ps1
 . $PSScriptRoot/dependents.ps1
 
+if ($env:APP_PEM_KEY) {
+    Write-Host "GitHub App information found, using GitHub App"
+    # todo: move into codespace variable
+    $env:APP_ID = 264650
+    $env:INSTALLATION_ID = 31486141
+    # get a token to use from the app
+    $accessToken = Get-GitHubAppToken -appId $env:APP_ID -installationId $env:INSTALLATION_ID -pemKey $env:APP_PEM_KEY
+}
+
 Test-AccessTokens -accessToken $accessToken -access_token_destination $access_token_destination -numberOfReposToDo $numberOfReposToDo
 
 Import-Module powershell-yaml -Force
@@ -29,7 +38,7 @@ function GetRepoInfo {
     $url = "/repos/$owner/$repo"
     Write-Host "Loading repository info for [$owner/$repo]"
     try {
-        $response = ApiCall -method GET -url $url
+        $response = ApiCall -method GET -url $url -access_token $access_token
         try {
             $url = "/repos/$owner/$repo/releases/latest"
             $release = ApiCall -method GET -url $url -access_token $access_token
@@ -69,7 +78,7 @@ function GetRepoReleases {
     Param (
         $owner,
         $repo,
-        $access_token_destination
+        $access_token
     )
 
     if ($null -eq $owner -or $owner.Length -eq 0) {
@@ -453,12 +462,13 @@ function GetRepoDockerBaseImage {
 function EnableSecretScanning {
     param (
         [string] $owner,
-        [string] $repo
+        [string] $repo,
+        [string] $access_token
     )
 
     $url = "/repos/$owner/$repo"
     $body = "{""security_and_analysis"": {""secret_scanning"": {""status"": ""enabled""}}}"
-    $patchResult = ApiCall -method PATCH -url $url -body $body -token_destination $access_token_destination -expected 200
+    $patchResult = ApiCall -method PATCH -url $url -body $body access_token $access_token -expected 200
 
     return $patchResult
 }
@@ -576,7 +586,7 @@ function GetMoreInfo {
             if (!$hasField -or ($null -eq $action.secretScanningEnabled) -or !$action.secretScanningEnabled) {
                 Write-Host "$i/$max - Enabling secret scanning information for [$forkOrg/$($action.name)]. hasField: [$hasField], action.secretScanningEnabled: [$($action.secretScanningEnabled)]]"
                 try {
-                    $secretScanningEnabled = EnableSecretScanning -owner $forkOrg -repo $action.name
+                    $secretScanningEnabled = EnableSecretScanning -owner $forkOrg -repo $action.name -access_token $access_token
                     if (!$hasField) {
                         Write-Host "Adding secret scanning information object with enabled:[$($secretScanningEnabled)] for [$($forkOrg)/$($action.name)]"