Merge pull request #2726 from DataDog/aleksandr-gringauz/RUM-10224/github-app-migration-for-pat

RUM-10224: GitHub app migration for PAT

Author: aleksandr-gringauz

.gitlab-ci.yml

@@ -64,6 +64,10 @@ stages:
     - export OSSRH_USERNAME=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.signing.ossrh_username --with-decryption --query "Parameter.Value" --out text)
     - export OSSRH_PASSWORD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.signing.ossrh_password --with-decryption --query "Parameter.Value" --out text)
     - export GPG_PUBLIC_FINGERPRINT=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.signing.gpg_public_key --with-decryption --query "Parameter.Value" --out text | gpg --import --import-options show-only | grep -E -o -e "[A-F0-9]{40}")
+  set-github-installation-token:
+    - export GITHUB_APP_CLIENT_ID=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gh_app_client_id --with-decryption --query "Parameter.Value" --out text)
+    - export GITHUB_APP_INSTALLATION_ID=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gh_app_installation_id --with-decryption --query "Parameter.Value" --out text)
+    - export GITHUB_TOKEN=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gh_app_private_key --with-decryption --query "Parameter.Value" --out text | bash ./create_github_installation_token.sh "$GITHUB_APP_CLIENT_ID" "$GITHUB_APP_INSTALLATION_ID")
 
 # CI IMAGE
 
@@ -978,8 +982,8 @@ notify:dogfood-app:
   stage: notify
   when: on_success
   script:
+    - !reference [ .snippets, set-github-installation-token ]
     - pip3 install GitPython requests
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gh_token --with-decryption --query "Parameter.Value" --out text >> ./gh_token
     - python3 dogfood.py -v $CI_COMMIT_TAG -t app
 
 notify:dogfood-demo:
@@ -990,8 +994,8 @@ notify:dogfood-demo:
   stage: notify
   when: on_success
   script:
+    - !reference [ .snippets, set-github-installation-token ]
     - pip3 install GitPython requests
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gh_token --with-decryption --query "Parameter.Value" --out text >> ./gh_token
     - python3 dogfood.py -v $CI_COMMIT_TAG -t demo
 
 notify:dogfood-gradle-plugin:
@@ -1002,8 +1006,8 @@ notify:dogfood-gradle-plugin:
   stage: notify
   when: on_success
   script:
+    - !reference [ .snippets, set-github-installation-token ]
     - pip3 install GitPython requests
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gh_token --with-decryption --query "Parameter.Value" --out text >> ./gh_token
     - python3 dogfood.py -v $CI_COMMIT_TAG -t gradle-plugin
 
 notify:merge-verification-metadata:

create_github_installation_token.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+#
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2016-Present Datadog, Inc.
+#
+
+set -o pipefail
+
+client_id=$1
+installation_id=$2
+
+now=$(date +%s)
+iat=$((${now} - 60)) # Issues 60 seconds in the past
+exp=$((${now} + 600)) # Expires 10 minutes in the future
+
+b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+
+header_json='{
+    "typ":"JWT",
+    "alg":"RS256"
+}'
+# Header encode
+header=$(echo -n "${header_json}" | b64enc)
+
+payload_json="{
+    \"iat\":${iat},
+    \"exp\":${exp},
+    \"iss\":\"${client_id}\"
+}"
+
+# Payload encode
+payload=$(echo -n "${payload_json}" | b64enc)
+
+# Signature
+header_payload="${header}"."${payload}"
+signature=$(openssl dgst -sha256 -sign /dev/stdin <(echo -n "${header_payload}") | b64enc)
+
+# Create JWT
+jwt_token="${header_payload}"."${signature}"
+
+# Fetch installation token
+installation_token=$(curl \
+  -s \
+  -X POST \
+  -H "Authorization: Bearer $jwt_token" \
+  -H "Accept: application/vnd.github+json" \
+  https://api.github.com/app/installations/$installation_id/access_tokens)
+
+echo $installation_token | jq -r '.token'

dogfood.py

@@ -100,7 +100,7 @@ def generate_target_code(target: str, temp_dir_path: str, version: str):
 
 def git_clone_repository(repo_name: str, gh_token: str, temp_dir_path: str) -> Tuple[Repo, str]:
     print("Cloning repository " + repo_name)
-    url = "https://" + gh_token + ":x-oauth-basic@github.com/DataDog/" + repo_name
+    url = "https://x-access-token:" + gh_token + "@github.com/DataDog/" + repo_name
     repo = Repo.clone_from(url, temp_dir_path)
     base_name = repo.active_branch.name
     return repo, base_name
@@ -143,10 +143,7 @@ def update_dependant(version: str, target: str, gh_token: str, dry_run: bool) ->
 def run_main() -> int:
     cli_args = parse_arguments(sys.argv[1:])
 
-    # This script expects to have a valid Github Token in a "gh_token" text file
-    # The token needs the `repo` permissions, and for now is a PAT
-    with open('gh_token', 'r') as f:
-        gh_token = f.read().strip()
+    gh_token = os.getenv("GITHUB_TOKEN")
 
     return update_dependant(cli_args.version, cli_args.target, gh_token, cli_args.dry_run)