feat(create-github-app-token): added retries and test workflow (#1294)

* refactor of the actions adding retries and multi app

* prettier format

* added mask

* token mask

* precommit exclude

* more debug logs

* better github token creation logs

* Added CODEOWNERS and fix GitHub name

Co-authored-by: Horst Gutmann  <[email protected]>
Co-authored-by: Guilherme Caulada  <[email protected]>

---------

Co-authored-by: Horst Gutmann <[email protected]>
Co-authored-by: Guilherme Caulada <[email protected]>

Author: 3 people

.github/workflows/test-create-github-app-token.yaml

@@ -0,0 +1,71 @@
+name: Test Create GitHub App Token
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "actions/create-github-app-token/**"
+      - ".github/workflows/test-create-github-app-token.yaml"
+
+  pull_request:
+    paths:
+      - "actions/create-github-app-token/**"
+      - ".github/workflows/test-create-github-app-token.yaml"
+    types:
+      - edited
+      - opened
+      - ready_for_review
+      - synchronize
+
+  merge_group:
+
+permissions:
+  contents: read
+  id-token: write # required for OIDC → Vault
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    # The `get-vault-secrets` action only works when run from a `grafana`
+    # repository, so skip this test if the PR is from a different repository. We
+    # will still get a run of this workflow for the change before merging, as we
+    # use merge queues.
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == 'grafana'
+
+    strategy:
+      matrix:
+        instance:
+          - dev
+          - ops
+          - invalid
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run Create GitHub App Token action
+        id: app-token
+        uses: ./actions/create-github-app-token
+        with:
+          github_app: grafana-create-app-token-test
+          vault_instance: ${{ matrix.instance }}
+        continue-on-error: ${{ matrix.instance == 'invalid' }}
+
+      - name: Validate token by calling GitHub API
+        if: ${{ matrix.instance != 'invalid' }}
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          echo "Testing token for instance: ${{ matrix.instance }}"
+          curl -s -H "Authorization: Bearer $GITHUB_TOKEN" \
+            -H "Accept: application/vnd.github+json" \
+            https://api.github.com/repos/${{ github.repository }} \
+            | jq '.full_name'
+
+      - name: Skip invalid instance
+        if: ${{ matrix.instance == 'invalid' }}
+        run: echo "Invalid vault_instance test run is expected to fail and is allowed."

.pre-commit-config.yaml

@@ -18,6 +18,7 @@ repos:
           - eslint
         entry: oven/bun:1.2.17@sha256:2cd6a1d9e3d505725243c9564cca08465fc6ffb12c065a09261992e650995ee6
         files: \.[jt]s$
+        exclude: "create_github_token.js"
         language: docker_image
 
       - id: prettier

CODEOWNERS

@@ -16,3 +16,6 @@
 
 # Observability
 /actions/azure-trusted-signing/ @grafana/o11y-dept
+
+# Platform Infrasec
+/actions/create-github-app-token @grafana/platform-infrasec

actions/create-github-app-token/action.yaml

@@ -6,7 +6,7 @@ inputs:
     default: default
   github_app:
     description: |
-      GitHub app name in Vault
+      GitHub app name in Vault. You can define mutiple app to do a loadbalancing in a comma separated format.
   vault_instance:
     description: |
       The Vault instance to use (`dev` or `ops`). Defaults to `ops`.
@@ -36,25 +36,27 @@ runs:
         REF_SHA=$(echo -n "$RAW_NAME" | sed -E 's|^[^/]*/[^/]*/||' | sed -E 's/@.*//' | sha256sum | awk '{print $1}')
         echo "ref_sha=$REF_SHA" >> "$GITHUB_OUTPUT"
 
-    - id: get-github-jwt-token
+    - id: get-github-jwt-token-proxy
       uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       env:
         VAULT_INSTANCE: ${{ inputs.vault_instance }}
       with:
         script: |
-          const jwt = await core.getIDToken("vault-github-actions-grafana-"+process.env.VAULT_INSTANCE);
-          core.setSecret(jwt);
-          core.setOutput("github-jwt",jwt);
+          const audience = "vault-github-actions-grafana-" + process.env.VAULT_INSTANCE
+          const script = require(process.env.GITHUB_ACTION_PATH + '/create_github_token.js')
+          script({core, audience})
+          console.log("GitHub token creation done!")
 
-    - id: get-github-jwt-auth-token
+    - id: get-github-jwt-token-vault
       uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       env:
         VAULT_INSTANCE: ${{ inputs.vault_instance }}
       with:
         script: |
-          const jwt = await core.getIDToken("https://vault-github-actions.grafana-"+process.env.VAULT_INSTANCE+".net");
-          core.setSecret(jwt);
-          core.setOutput("github-jwt",jwt);
+          const audience = "https://vault-github-actions.grafana-" + process.env.VAULT_INSTANCE + ".net"
+          const script = require(process.env.GITHUB_ACTION_PATH + '/create_github_token.js')
+          script({core, audience})
+          console.log("GitHub token creation done!")
 
     - name: Authenticate with Vault
       id: auth-vault
@@ -64,13 +66,11 @@ runs:
         REPOSITORY_NAME: ${{ github.event.repository.name }}
         PERMISSION_SET: ${{ inputs.permission_set}}
         VAULT_URL: "https://vault-github-actions.grafana-${{ inputs.vault_instance }}.net"
+        GITHUB_JWT_PROXY: ${{ steps.get-github-jwt-token-proxy.outputs.github-jwt }}
+        GITHUB_JWT_VAULT: ${{ steps.get-github-jwt-token-vault.outputs.github-jwt }}
+        REF_SHA: ${{ steps.normalize-workflow-name.outputs.ref_sha }}
       run: |
-        echo "${REPOSITORY_NAME}-${{ steps.normalize-workflow-name.outputs.ref_sha }}-${PERMISSION_SET}"
-        curl --fail -X POST "${VAULT_URL}/v1/auth/github-actions-oidc/login" \
-        -H "Content-Type: application/json" \
-        -H "Proxy-Authorization-Token: Bearer ${{ steps.get-github-jwt-token.outputs.github-jwt }}" \
-        -d "{\"role\": \"${REPOSITORY_NAME}-${{ steps.normalize-workflow-name.outputs.ref_sha }}-${PERMISSION_SET}\",\"jwt\": \"${{ steps.get-github-jwt-auth-token.outputs.github-jwt }}\"}" \
-        | jq -r '"vault_token=\(.auth.client_token)"' >> $GITHUB_OUTPUT
+        ${GITHUB_ACTION_PATH}/auth_vault.sh
 
     - name: Get GitHub Token
       id: generate-token
@@ -81,8 +81,8 @@ runs:
         PERMISSION_SET: ${{ inputs.permission_set}}
         GITHUB_APP: ${{ inputs.github_app }}
         VAULT_URL: "https://vault-github-actions.grafana-${{ inputs.vault_instance }}.net"
+        VAULT_TOKEN: ${{ steps.auth-vault.outputs.vault_token }}
+        GITHUB_JWT_PROXY: ${{ steps.get-github-jwt-token-proxy.outputs.github-jwt }}
+        REF_SHA: ${{ steps.normalize-workflow-name.outputs.ref_sha }}
       run: |
-        curl --fail "{$VAULT_URL}/v1/github-app-${GITHUB_APP}/token/${REPOSITORY_NAME}-${{ steps.normalize-workflow-name.outputs.ref_sha }}-${PERMISSION_SET}" \
-        -H "X-Vault-Token: ${{ steps.auth-vault.outputs.vault_token }}" \
-        -H "Proxy-Authorization-Token: Bearer ${{ steps.get-github-jwt-token.outputs.github-jwt }}" \
-        | jq -r '"github_token=\(.data.token)"' >> $GITHUB_OUTPUT
+        ${GITHUB_ACTION_PATH}/create_token.sh

actions/create-github-app-token/auth_vault.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+set -euo pipefail
+
+MAX_ATTEMPTS=3
+for attempt in $(seq 1 "${MAX_ATTEMPTS}"); do
+    echo "Attempt ${attempt} to authenticate with Vault..."
+
+    RESPONSE=$(curl -sS -w "%{http_code}" -o response.json \
+        -X POST "${VAULT_URL}/v1/auth/github-actions-oidc/login" \
+        -H "Content-Type: application/json" \
+        -H "Proxy-Authorization-Token: Bearer ${GITHUB_JWT_PROXY}" \
+        -d "{
+            \"role\": \"${REPOSITORY_NAME}-${REF_SHA}-${PERMISSION_SET}\",
+            \"jwt\": \"${GITHUB_JWT_VAULT}\"
+        }" || true)
+
+    if [[ "${RESPONSE}" -eq 200 ]]; then
+        TOKEN=$(jq -r '.auth.client_token' response.json)
+        echo "::add-mask::$TOKEN"
+        echo "vault_token=${TOKEN}" >> "${GITHUB_OUTPUT}"
+        echo "Vault auth done!"
+        exit 0
+    else
+        echo "Vault auth failed (HTTP ${RESPONSE})"
+        cat response.json || true
+        sleep $((attempt * 5))
+    fi
+done
+
+echo "Failed to authenticate with Vault after ${MAX_ATTEMPTS} attempts"
+exit 1

actions/create-github-app-token/create_github_token.js

@@ -0,0 +1,28 @@
+module.exports = ({ core, audience }) => {
+  async function retry(fn, retries = 3, delay = 5000) {
+    console.log(`Audience: ${audience}`);
+    for (let i = 0; i < retries; i++) {
+      console.log(`Attempt ${i + 1}`);
+      try {
+        return await fn();
+      } catch (err) {
+        core.warning(`Attempt ${i + 1} failed: ${err.message}`);
+        if (i < retries - 1) {
+          await new Promise((r) => setTimeout(r, delay * i));
+        } else {
+          throw err;
+        }
+      }
+    }
+  }
+
+  return retry(() => core.getIDToken(audience))
+    .then((jwt) => {
+      core.setSecret(jwt);
+      core.setOutput("github-jwt", jwt);
+    })
+    .catch((err) => {
+      core.setFailed(`Failed to get ID token: ${err.message}`);
+      throw err; // ensure caller knows it failed
+    });
+};

actions/create-github-app-token/create_token.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+set -euo pipefail
+
+MAX_ATTEMPTS=3
+IFS=',' read -ra APPS <<< "${GITHUB_APP}"
+setRandomApp() {
+    GITHUB_APP=$(printf "%s\n" "${APPS[@]}" | sed 's/^ *//;s/ *$//' | shuf -n1)
+    echo "Randomly selected GitHub App: ${GITHUB_APP}"
+}
+
+for attempt in $(seq 1 "${MAX_ATTEMPTS}"); do
+    echo "Attempt ${attempt} to get GitHub token..."
+    setRandomApp
+    RESPONSE=$(curl -sS -w "%{http_code}" -o response.json \
+        "${VAULT_URL}/v1/github-app-${GITHUB_APP}/token/${REPOSITORY_NAME}-${REF_SHA}-${PERMISSION_SET}" \
+        -H "X-Vault-Token: ${VAULT_TOKEN}" \
+        -H "Proxy-Authorization-Token: Bearer ${GITHUB_JWT_PROXY}" || true)
+
+    if [[ "${RESPONSE}" -eq 200 ]]; then
+        TOKEN=$(jq -r '.data.token' response.json)
+        echo "github_token=${TOKEN}" >> "${GITHUB_OUTPUT}"
+        echo "Create GitHub Token done!"
+        exit 0
+    else
+        echo "Vault request failed (HTTP ${RESPONSE})"
+        cat response.json || true
+        sleep $((attempt * 5))
+    fi
+done
+
+echo "Failed to retrieve GitHub token after ${MAX_ATTEMPTS} attempts"
+exit 1