feat(server): support fetching versions for all actions (via GitHub App) (#1867)

Adds a way to authorize as a GitHub app. The apps can list branches and
tags for all repos, contrary to personal access tokens or GitHub tokens
that can be blocked for some orgs that own GitHub actions.

---------

Co-authored-by: Piotr Krzeminski <[email protected]>

Author: LeoColman

.github/workflows/bindings-server.main.kts

@@ -31,7 +31,7 @@ import kotlin.time.TimeSource
 val DOCKERHUB_USERNAME by Contexts.secrets
 val DOCKERHUB_PASSWORD by Contexts.secrets
 val TRIGGER_IMAGE_PULL by Contexts.secrets
-val GITHUB_TOKEN by Contexts.secrets
+val APP_PRIVATE_KEY by Contexts.secrets
 
 @OptIn(ExperimentalKotlinLogicStep::class)
 workflow(
@@ -52,7 +52,7 @@ workflow(
         name = "End-to-end test",
         runsOn = UbuntuLatest,
         env = mapOf(
-            "GITHUB_TOKEN" to expr { GITHUB_TOKEN },
+            "APP_PRIVATE_KEY" to expr { APP_PRIVATE_KEY },
         ),
     ) {
         uses(action = Checkout())

.github/workflows/bindings-server.yaml

@@ -48,7 +48,7 @@ jobs:
     needs:
     - 'check_yaml_consistency'
     env:
-      GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+      APP_PRIVATE_KEY: '${{ secrets.APP_PRIVATE_KEY }}'
     steps:
     - id: 'step-0'
       uses: 'actions/checkout@v4'

action-updates-checker/src/main/kotlin/io/github/typesafegithub/workflows/updates/Utils.kt

@@ -20,7 +20,7 @@ internal suspend fun Workflow.availableVersionsForEachAction(
     githubAuthToken: String? = getGithubAuthTokenOrNull(),
 ): Flow<RegularActionVersions> {
     if (githubAuthToken == null && !reportWhenTokenUnset) {
-        githubWarning("github token is required, but not set, skipping api calls")
+        githubWarning("github auth token is required, but not set, skipping api calls")
         return emptyFlow()
     }
     val groupedSteps = groupStepsByAction()

shared-internal/build.gradle.kts

@@ -16,6 +16,7 @@ dependencies {
     implementation("io.ktor:ktor-client-cio:3.1.1")
     implementation("io.ktor:ktor-client-content-negotiation:3.1.1")
     implementation("io.ktor:ktor-serialization-kotlinx-json:3.1.1")
+    implementation("com.auth0:java-jwt:4.5.0")
 
     // It's a workaround for a problem with Kotlin Scripting, and how it resolves
     // conflicting versions: https://youtrack.jetbrains.com/issue/KT-69145

shared-internal/src/main/kotlin/io/github/typesafegithub/workflows/shared/internal/GitHubApp.kt

@@ -0,0 +1,93 @@
+package io.github.typesafegithub.workflows.shared.internal
+
+import com.auth0.jwt.JWT
+import com.auth0.jwt.algorithms.Algorithm
+import io.ktor.client.HttpClient
+import io.ktor.client.call.body
+import io.ktor.client.plugins.contentnegotiation.ContentNegotiation
+import io.ktor.client.request.header
+import io.ktor.client.request.post
+import io.ktor.serialization.kotlinx.json.json
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.Transient
+import kotlinx.serialization.json.Json
+import java.security.KeyFactory
+import java.security.interfaces.RSAPrivateKey
+import java.security.spec.PKCS8EncodedKeySpec
+import java.time.Instant
+import java.time.ZonedDateTime
+import java.util.Base64
+
+/**
+ * Returns an installation access token for the GitHub app, usable with API call to GitHub.
+ * If `null` is returned, it means that the environment wasn't configured to generate the token.
+ */
+suspend fun getInstallationAccessToken(): String? {
+    if (cachedAccessToken?.isExpired() == false) return cachedAccessToken!!.token
+    val jwtToken = generateJWTToken() ?: return null
+    cachedAccessToken =
+        httpClient
+            .post("https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens") {
+                header("Accept", "application/vnd.github+json")
+                header("Authorization", "Bearer $jwtToken")
+                header("X-GitHub-Api-Version", "2022-11-28")
+            }.body()
+    return cachedAccessToken!!.token
+}
+
+private const val INSTALLATION_ID = "62885502"
+
+private var cachedAccessToken: Token? = null
+
+@Serializable
+private data class Token(
+    val token: String,
+    val expires_at: String,
+    val permissions: Map<String, String>,
+    val repository_selection: String,
+) {
+    @Transient
+    private val expiresAtDateTime = ZonedDateTime.parse(expires_at)
+
+    fun isExpired() = ZonedDateTime.now().isAfter(expiresAtDateTime)
+}
+
+private val httpClient =
+    HttpClient {
+        install(ContentNegotiation) {
+            json(
+                Json { ignoreUnknownKeys = false },
+            )
+        }
+    }
+
+private const val GITHUB_CLIENT_ID = "Iv23liIZ17VJKUpjacBs"
+
+private fun generateJWTToken(): String? {
+    val key = loadRsaKey() ?: return null
+    val algorithm = Algorithm.RSA256(null, key)
+    val now = Instant.now()
+    return JWT
+        .create()
+        .withIssuer(GITHUB_CLIENT_ID)
+        .withIssuedAt(now.minusMinutes(1))
+        .withExpiresAt(now.plusMinutes(9))
+        .sign(algorithm)
+}
+
+private fun loadRsaKey(): RSAPrivateKey? {
+    val privateKey = System.getenv("APP_PRIVATE_KEY") ?: return null
+    val filtered =
+        privateKey
+            .replace("-----BEGIN PRIVATE KEY-----", "")
+            .replace("-----END PRIVATE KEY-----", "")
+            .replace("\\s".toRegex(), "")
+    val keyBytes = Base64.getDecoder().decode(filtered)
+    val keySpec = PKCS8EncodedKeySpec(keyBytes)
+    val keyFactory = KeyFactory.getInstance("RSA")
+    return keyFactory.generatePrivate(keySpec) as RSAPrivateKey
+}
+
+private fun Instant.minusMinutes(minutes: Long): Instant = minusSeconds(minutes * 60)
+
+private fun Instant.plusMinutes(minutes: Long): Instant = plusSeconds(minutes * 60)

shared-internal/src/main/kotlin/io/github/typesafegithub/workflows/shared/internal/GithubUtils.kt

@@ -1,38 +1,37 @@
 package io.github.typesafegithub.workflows.shared.internal
 
+import kotlinx.coroutines.runBlocking
+
 /**
  * Returns a token that should be used to make authorized calls to GitHub,
  * or null if no token was configured.
  * The token may be of various kind, e.g. a Personal Access Token, or an
  * Application Installation Token.
  */
 fun getGithubAuthTokenOrNull(): String? =
-    System
-        .getenv("GITHUB_TOKEN")
-        .also {
-            if (it == null) {
-                println(
-                    """
-                    Missing environment variable export GITHUB_TOKEN=token
-                    Create a personal token at https://github.com/settings/tokens
-                    The token needs to have public_repo scope.
-                    """.trimIndent(),
-                )
+    runBlocking {
+        (System.getenv("GITHUB_TOKEN") ?: getInstallationAccessToken())
+            .also {
+                if (it == null) {
+                    println(ERROR_NO_CONFIGURATION)
+                }
             }
-        }
+    }
 
 /**
  * Returns a token that should be used to make authorized calls to GitHub,
  * or throws an exception if no token was configured.
  * The token may be of various kind, e.g. a Personal Access Token, or an
  * Application Installation Token.
  */
-fun getGithubAuthToken(): String =
-    System.getenv("GITHUB_TOKEN")
-        ?: error(
-            """
-            Missing environment variable export GITHUB_TOKEN=token
-            Create a personal token at https://github.com/settings/tokens
-            The token needs to have public_repo scope.
-            """.trimIndent(),
-        )
+fun getGithubAuthToken(): String = getGithubAuthTokenOrNull() ?: error(ERROR_NO_CONFIGURATION)
+
+private val ERROR_NO_CONFIGURATION =
+    """
+    Missing environment variables for generating an auth token. There are two options:
+    1. Create a personal access token at https://github.com/settings/tokens.
+       The token needs to have public_repo scope. Then, set it in `GITHUB_TOKEN` env var.
+       With this approach, listing versions for some actions may not work.
+    2. Create a GitHub app, and generate a private key. Then, set it in `APP_PRIVATE_KEY` env var.
+       With this approach, listing versions for all actions works.
+    """.trimIndent()