feat(cli): add option to use private key via env var and also via file (#1)

Author: jhagestedt

.github/CONTRIBUTING.md

@@ -0,0 +1,14 @@
+# Contributing
+
+Thank you for investing your time in contributing to the project! Here are base instructions that should be followed if you want to contribute to this project.
+
+## Language
+The only language that should be used in code, documentation and commits should be english.
+
+## Pull requests
+
+All changes made on the repository should be done via pull requests.
+
+## Commits
+
+Please follow the [conventional commits](https://www.conventionalcommits.org/en/v1.0.0) rules on commit messages if you create commits via pull request to the Blueprint. These commits are used to create the changelog.

.github/workflows/ci-pull-request.yml

@@ -33,6 +33,12 @@ jobs:
               go build -o "./dist/ghapp_${OS}_${ARCH}"
             done
           done
+      - id: docker-setup
+        name: docker-setup
+        run: |
+          docker buildx create \
+          --use \
+          --platform linux/amd64,linux/arm64
       - id: docker-build
         name: docker-build
         run: |

.github/workflows/ci.yml

@@ -83,16 +83,24 @@ jobs:
           docker login "${DOCKER_REGISTRY_HOST}" \
           --username "${DOCKER_REGISTRY_USERNAME}" \
           --password-stdin
+      - id: docker-setup
+        name: docker-setup
+        run: |
+          docker buildx create \
+          --use \
+          --platform linux/amd64,linux/arm64
       - id: docker-build
         name: docker-build
         run: |
           docker buildx build . \
           --push \
-          --tag "${DOCKER_REGISTRY_HOST}/${DOCKER_REGISTRY_PATH}:${VERSION}"
+          --tag "${DOCKER_REGISTRY_HOST}/${DOCKER_REGISTRY_PATH}:${VERSION}" \
+          --platform=linux/amd64,linux/arm64
       - id: docker-build-latest
         name: docker-build-latest
         if: ${{ github.ref_type == 'tag' }}
         run: |
           docker buildx build . \
           --push \
-          --tag "${DOCKER_REGISTRY_HOST}/${DOCKER_REGISTRY_PATH}:latest"
+          --tag "${DOCKER_REGISTRY_HOST}/${DOCKER_REGISTRY_PATH}:latest" \
+          --platform=linux/amd64,linux/arm64

Dockerfile

@@ -1,4 +1,7 @@
+FROM --platform=${TARGETPLATFORM} golang:alpine AS build
+
 FROM scratch AS cli
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 ARG TARGETOS="linux"
 ARG TARGETARCH="amd64"
 COPY ./dist/ghapp_${TARGETOS}_${TARGETARCH} /ghapp

README.md

@@ -1 +1,66 @@
 # ghapp
+
+[![ci](https://github.com/jhagestedt/ghapp/actions/workflows/ci.yml/badge.svg)](https://github.com/jhagestedt/ghapp/actions/workflows/ci.yml)
+
+Lightweight `CLI` to create GitHub installation tokens for GitHub Apps.
+
+## Install
+
+The packaged binaries of `ghapp` can be found on the [releases](https://github.com/jhagestedt/ghapp/releases) of this repository.
+
+### Linux
+
+```bash
+curl -L "https://github.com/jhagestedt/ghapp/releases/latest/download/ghapp_linux_amd64" \
+-o ./ghapp && chmod +x ./ghapp
+```
+
+### MacOS
+
+```bash
+curl -L "https://github.com/jhagestedt/ghapp/releases/latest/download/ghapp_darwin_amd64" \
+-o ./ghapp && chmod +x ./ghapp
+```
+
+## Usage
+
+A GitHub App installation token can be created by the GitHub App id, the installation id and the private key like described in the [docs](https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps).
+
+To create an installation token with `ghapp` the private key can be injected via file or as environment variable.
+
+The GitHub App id and installation id can be passed as flags or environment variables.
+
+```bash
+# load private key from file
+ghapp token --id 123 --install-id 123456 --private-key-file .ghapp-private-key.pem
+
+# load private key from environment variable
+export GHAPP_PRIVATE_KEY=$(cat .ghapp-private-key.pem)
+ghapp token --id 123 --install-id 123456
+```
+
+A usage on GitHub Actions could look like the following.
+
+```yaml
+- id: setup-ghapp
+  run: |
+    curl -L "https://github.com/jhagestedt/ghapp/releases/latest/download/ghapp_linux_amd64" -o ./usr/local/bin/ghapp
+    chmod +x ./usr/local/bin/ghapp
+- id: ghapp-install-token
+  run: |
+    GHAPP_INSTALL_TOKEN=$(ghapp token)
+    echo "::set-output name=ghapp_install_token::${GHAPP_INSTALL_TOKEN}"
+  env:
+    GHAPP_ID: 123
+    GHAPP_INSTALL_ID: 123456
+    GHAPP_PRIVATE_KEY: ${{ secrets.GHAPP_PRIVATE_KEY }}
+```
+
+## Docker
+
+There is also a docker container published at [Dockerhub](https://hub.docker.com/repository/docker/jhagestedt/ghapp) that contains the binary that can be used with `docker run` to not install it locally.
+
+```bash
+export GHAPP_PRIVATE_KEY=$(cat .ghapp-private-key.pem)
+docker run --rm -e GHAPP_PRIVATE_KEY jhagestedt/ghapp token --id 123 --installation-id 123456
+```

cmd/github.go

@@ -11,8 +11,8 @@ import (
 )
 
 var client = resty.New()
-var privateKeyPrefix = "-----BEGIN RSA PRIVATE KEY-----\n"
-var privateKeySuffix = "-----END RSA PRIVATE KEY-----\n"
+var privateKeyPrefix = "-----BEGIN RSA PRIVATE KEY-----"
+var privateKeySuffix = "-----END RSA PRIVATE KEY-----"
 
 type GitHubError struct {
 	Message string `json:"message"`
@@ -26,7 +26,7 @@ func CreateToken(id string, privateKey string) (string, error) {
 	if !strings.HasPrefix(privateKey, privateKeyPrefix) {
 		return "", fmt.Errorf("private-key should have prefix %s", privateKeyPrefix)
 	}
-	if !strings.HasSuffix(privateKey, privateKeySuffix) {
+	if !strings.HasSuffix(strings.TrimSuffix(privateKey, "\n"), privateKeySuffix) {
 		return "", fmt.Errorf("private-key should have suffix %s", privateKeySuffix)
 	}
 	dec, _ := pem.Decode([]byte(privateKey))
@@ -42,7 +42,7 @@ func CreateToken(id string, privateKey string) (string, error) {
 	return token.SignedString(rsa)
 }
 
-func CreateInstallationToken(installationId string, token string) (string, error) {
+func CreateInstallationToken(installId string, token string) (string, error) {
 	gitHubInstallationToken := &GitHubInstallationToken{}
 	gitHubError := &GitHubError{}
 	res, err := client.R().
@@ -52,9 +52,9 @@ func CreateInstallationToken(installationId string, token string) (string, error
 		SetResult(&gitHubInstallationToken).
 		SetError(&gitHubError).
 		SetPathParams(map[string]string{
-			"installationId": installationId,
+			"installId": installId,
 		}).
-		Post("https://api.github.com/app/installations/{installationId}/access_tokens")
+		Post("https://api.github.com/app/installations/{installId}/access_tokens")
 	if err != nil {
 		return "", err
 	}

main.go

@@ -28,39 +28,55 @@ func main() {
 		Commands: []*cli.Command{
 			{
 				Name:    "token",
-				Usage:   "Create a GitHub app installation token",
+				Usage:   "Create a GitHub App installation token",
 				Aliases: []string{"t"},
 				Flags: []cli.Flag{
 					&cli.StringFlag{
 						Name:     "id",
-						Usage:    "GitHub app id",
-						EnvVars:  []string{"GITHUB_APP_ID"},
+						Usage:    "GitHub App id",
+						EnvVars:  []string{"GHAPP_ID", "GITHUB_APP_ID"},
 						Required: true,
 					},
 					&cli.StringFlag{
-						Name:     "installation-id",
-						Usage:    "GitHub app installation-id",
-						EnvVars:  []string{"GITHUB_APP_INSTALLATION_ID"},
+						Name:     "install-id",
+						Usage:    "GitHub App installation id",
+						EnvVars:  []string{"GHAPP_INSTALL_ID", "GITHUB_APP_INSTALL_ID"},
 						Required: true,
 					},
 					&cli.StringFlag{
-						Name:        "private-key",
-						Usage:       "GitHub app private-key",
-						EnvVars:     []string{"GITHUB_APP_PRIVATE_KEY"},
-						FilePath:    ".github-app-private-key.pem",
-						DefaultText: ".github-app-private-key.pem",
-						Required:    true,
+						Name:    "private-key",
+						Usage:   "GitHub App private key",
+						EnvVars: []string{"GHAPP_PRIVATE_KEY", "GITHUB_APP_PRIVATE_KEY"},
+					},
+					&cli.StringFlag{
+						Name:    "private-key-file",
+						Usage:   "GitHub App private key file like .ghapp-private-key.pem",
+						EnvVars: []string{"GHAPP_PRIVATE_KEY_FILE", "GITHUB_APP_PRIVATE_KEY_FILE"},
 					},
 				},
 				Action: func(ctx *cli.Context) error {
+					if !ctx.IsSet("private-key") {
+						if !ctx.IsSet("private-key-file") {
+							return fmt.Errorf("private-key or private-key-file not set")
+						}
+						privateKeyFile := ctx.String("private-key-file")
+						privateKeyBytes, err := os.ReadFile(privateKeyFile)
+						if err != nil {
+							return err
+						}
+						err = ctx.Set("private-key", string(privateKeyBytes))
+						if err != nil {
+							return err
+						}
+					}
 					id := ctx.String("id")
-					installationId := ctx.String("installation-id")
+					installId := ctx.String("install-id")
 					privateKey := ctx.String("private-key")
 					token, err := cmd.CreateToken(id, privateKey)
 					if err != nil {
 						return err
 					}
-					installationToken, err := cmd.CreateInstallationToken(installationId, token)
+					installationToken, err := cmd.CreateInstallationToken(installId, token)
 					if err != nil {
 						return err
 					}
@@ -72,7 +88,8 @@ func main() {
 	}
 	sort.Sort(cli.FlagsByName(app.Flags))
 	sort.Sort(cli.CommandsByName(app.Commands))
-	if err := app.Run(os.Args); err != nil {
+	err := app.Run(os.Args)
+	if err != nil {
 		fmt.Print(err)
 		os.Exit(1)
 	}