actions/create-github-app-token
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: handle clock skew (#87)

Browse Source 
GitHub's macOS runners for the past while have had some bad clock drift
which sometimes prevents this action from working with the error:

```console
'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued
```

`@octokit/auth-app` already has logic to handle this so we can defer to
that code.
This commit is contained in:
Bo Anderson
2023-12-06 20:25:27 +00:00
committed by GitHub
parent 8746053070
commit 495056a515
5 changed files with 107 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files
dist/main.cjs
Vendored
+10 -13
View File
@@ -10390,12 +10390,9 @@ async function main(appId2, privateKey2, owner2, repositories2, core2, createApp
privateKey: privateKey2, privateKey: privateKey2,
request: request2 request: request2
}); });
const appAuthentication = await auth({
type: "app"
});
let authentication; let authentication;
if (parsedRepositoryNames) { if (parsedRepositoryNames) {
authentication = await pRetry(() => getTokenFromRepository(request2, auth, parsedOwner, appAuthentication, parsedRepositoryNames), { authentication = await pRetry(() => getTokenFromRepository(request2, auth, parsedOwner, parsedRepositoryNames), {
onFailedAttempt: (error) => { onFailedAttempt: (error) => {
core2.info( core2.info(
`Failed to create token for "${parsedRepositoryNames}" (attempt ${error.attemptNumber}): ${error.message}` `Failed to create token for "${parsedRepositoryNames}" (attempt ${error.attemptNumber}): ${error.message}`
@@ -10404,7 +10401,7 @@ async function main(appId2, privateKey2, owner2, repositories2, core2, createApp
retries: 3 retries: 3
}); });
} else { } else {
authentication = await pRetry(() => getTokenFromOwner(request2, auth, appAuthentication, parsedOwner), { authentication = await pRetry(() => getTokenFromOwner(request2, auth, parsedOwner), {
onFailedAttempt: (error) => { onFailedAttempt: (error) => {
core2.info( core2.info(
`Failed to create token for "${parsedOwner}" (attempt ${error.attemptNumber}): ${error.message}` `Failed to create token for "${parsedOwner}" (attempt ${error.attemptNumber}): ${error.message}`
@@ -10419,19 +10416,19 @@ async function main(appId2, privateKey2, owner2, repositories2, core2, createApp
core2.saveState("token", authentication.token); core2.saveState("token", authentication.token);
} }
} }
async function getTokenFromOwner(request2, auth, appAuthentication, parsedOwner) { async function getTokenFromOwner(request2, auth, parsedOwner) {
const response = await request2("GET /orgs/{org}/installation", { const response = await request2("GET /orgs/{org}/installation", {
org: parsedOwner, org: parsedOwner,
headers: { request: {
authorization: `bearer ${appAuthentication.token}` hook: auth.hook
} }
}).catch((error) => { }).catch((error) => {
if (error.status !== 404) if (error.status !== 404)
throw error; throw error;
return request2("GET /users/{username}/installation", { return request2("GET /users/{username}/installation", {
username: parsedOwner, username: parsedOwner,
headers: { request: {
authorization: `bearer ${appAuthentication.token}` hook: auth.hook
} }
}); });
}); });
@@ -10441,12 +10438,12 @@ async function getTokenFromOwner(request2, auth, appAuthentication, parsedOwner)
}); });
return authentication; return authentication;
} }
async function getTokenFromRepository(request2, auth, parsedOwner, appAuthentication, parsedRepositoryNames) { async function getTokenFromRepository(request2, auth, parsedOwner, parsedRepositoryNames) {
const response = await request2("GET /repos/{owner}/{repo}/installation", { const response = await request2("GET /repos/{owner}/{repo}/installation", {
owner: parsedOwner, owner: parsedOwner,
repo: parsedRepositoryNames.split(",")[0], repo: parsedRepositoryNames.split(",")[0],
headers: { request: {
authorization: `bearer ${appAuthentication.token}` hook: auth.hook
} }
}); });
const authentication = await auth({ const authentication = await auth({
lib/main.js
+10 -14
View File
@@ -70,15 +70,11 @@ export async function main(
request, request,
}); });
const appAuthentication = await auth({
type: "app",
});
let authentication; let authentication;
// If at least one repository is set, get installation ID from that repository // If at least one repository is set, get installation ID from that repository
if (parsedRepositoryNames) { if (parsedRepositoryNames) {
authentication = await pRetry(() => getTokenFromRepository(request, auth, parsedOwner,appAuthentication, parsedRepositoryNames), { authentication = await pRetry(() => getTokenFromRepository(request, auth, parsedOwner, parsedRepositoryNames), {
onFailedAttempt: (error) => { onFailedAttempt: (error) => {
core.info( core.info(
`Failed to create token for "${parsedRepositoryNames}" (attempt ${error.attemptNumber}): ${error.message}` `Failed to create token for "${parsedRepositoryNames}" (attempt ${error.attemptNumber}): ${error.message}`
@@ -89,7 +85,7 @@ export async function main(
} else { } else {
// Otherwise get the installation for the owner, which can either be an organization or a user account // Otherwise get the installation for the owner, which can either be an organization or a user account
authentication = await pRetry(() => getTokenFromOwner(request, auth, appAuthentication, parsedOwner), { authentication = await pRetry(() => getTokenFromOwner(request, auth, parsedOwner), {
onFailedAttempt: (error) => { onFailedAttempt: (error) => {
core.info( core.info(
`Failed to create token for "${parsedOwner}" (attempt ${error.attemptNumber}): ${error.message}` `Failed to create token for "${parsedOwner}" (attempt ${error.attemptNumber}): ${error.message}`
@@ -110,12 +106,12 @@ export async function main(
} }
} }
async function getTokenFromOwner(request, auth, appAuthentication, parsedOwner) { async function getTokenFromOwner(request, auth, parsedOwner) {
// https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-an-organization-installation-for-the-authenticated-app // https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-an-organization-installation-for-the-authenticated-app
const response = await request("GET /orgs/{org}/installation", { const response = await request("GET /orgs/{org}/installation", {
org: parsedOwner, org: parsedOwner,
headers: { request: {
authorization: `bearer ${appAuthentication.token}`, hook: auth.hook,
}, },
}).catch((error) => { }).catch((error) => {
/* c8 ignore next */ /* c8 ignore next */
@@ -124,8 +120,8 @@ async function getTokenFromOwner(request, auth, appAuthentication, parsedOwner)
// https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app
return request("GET /users/{username}/installation", { return request("GET /users/{username}/installation", {
username: parsedOwner, username: parsedOwner,
headers: { request: {
authorization: `bearer ${appAuthentication.token}`, hook: auth.hook,
}, },
}); });
}); });
@@ -138,13 +134,13 @@ async function getTokenFromOwner(request, auth, appAuthentication, parsedOwner)
return authentication; return authentication;
} }
async function getTokenFromRepository(request, auth, parsedOwner,appAuthentication, parsedRepositoryNames) { async function getTokenFromRepository(request, auth, parsedOwner, parsedRepositoryNames) {
// https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
const response = await request("GET /repos/{owner}/{repo}/installation", { const response = await request("GET /repos/{owner}/{repo}/installation", {
owner: parsedOwner, owner: parsedOwner,
repo: parsedRepositoryNames.split(",")[0], repo: parsedRepositoryNames.split(",")[0],
headers: { request: {
authorization: `bearer ${appAuthentication.token}`, hook: auth.hook,
}, },
}); });
package-lock.json
Generated
+30 -2
View File
@@ -1,12 +1,12 @@
{ {
"name": "create-github-app-token", "name": "create-github-app-token",
"version": "1.6.0", "version": "1.6.1",
"lockfileVersion": 3, "lockfileVersion": 3,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "create-github-app-token", "name": "create-github-app-token",
"version": "1.6.0", "version": "1.6.1",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/core": "^1.10.1", "@actions/core": "^1.10.1",
@@ -15,6 +15,7 @@
"p-retry": "^6.1.0" "p-retry": "^6.1.0"
}, },
"devDependencies": { "devDependencies": {
"@sinonjs/fake-timers": "^11.2.2",
"ava": "^5.3.1", "ava": "^5.3.1",
"c8": "^8.0.1", "c8": "^8.0.1",
"dotenv": "^16.3.1", "dotenv": "^16.3.1",
@@ -811,6 +812,24 @@
"@octokit/openapi-types": "^19.0.0" "@octokit/openapi-types": "^19.0.0"
} }
}, },
"node_modules/@sinonjs/commons": {
"version": "3.0.0",
"resolved": "https://registry.npmjs.org/@sinonjs/commons/-/commons-3.0.0.tgz",
"integrity": "sha512-jXBtWAF4vmdNmZgD5FoKsVLv3rPgDnLgPbU84LIJ3otV44vJlDRokVng5v8NFJdCf/da9legHcKaRuZs4L7faA==",
"dev": true,
"dependencies": {
"type-detect": "4.0.8"
}
},
"node_modules/@sinonjs/fake-timers": {
"version": "11.2.2",
"resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-11.2.2.tgz",
"integrity": "sha512-G2piCSxQ7oWOxwGSAyFHfPIsyeJGXYtc6mFbnFA+kRXkiEnTl8c/8jul2S329iFBnDI9HGoeWWAZvuvOkZccgw==",
"dev": true,
"dependencies": {
"@sinonjs/commons": "^3.0.0"
}
},
"node_modules/@tokenizer/token": { "node_modules/@tokenizer/token": {
"version": "0.3.0", "version": "0.3.0",
"resolved": "https://registry.npmjs.org/@tokenizer/token/-/token-0.3.0.tgz", "resolved": "https://registry.npmjs.org/@tokenizer/token/-/token-0.3.0.tgz",
@@ -4089,6 +4108,15 @@
"node": ">=0.6.11 <=0.7.0 || >=0.7.3" "node": ">=0.6.11 <=0.7.0 || >=0.7.3"
} }
}, },
"node_modules/type-detect": {
"version": "4.0.8",
"resolved": "https://registry.npmjs.org/type-detect/-/type-detect-4.0.8.tgz",
"integrity": "sha512-0fr/mIH1dlO+x7TlcMy+bIDqKPsw/70tVyeHW787goQjhmqaZe10uwLujubK9q9Lg6Fiho1KUKDYz0Z7k7g5/g==",
"dev": true,
"engines": {
"node": ">=4"
}
},
"node_modules/type-fest": { "node_modules/type-fest": {
"version": "0.13.1", "version": "0.13.1",
"resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.13.1.tgz", "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.13.1.tgz",
package.json
+1
View File
@@ -18,6 +18,7 @@
"p-retry": "^6.1.0" "p-retry": "^6.1.0"
}, },
"devDependencies": { "devDependencies": {
"@sinonjs/fake-timers": "^11.2.2",
"ava": "^5.3.1", "ava": "^5.3.1",
"c8": "^8.0.1", "c8": "^8.0.1",
"dotenv": "^16.3.1", "dotenv": "^16.3.1",
tests/main-repo-skew.js
+56
View File
@@ -0,0 +1,56 @@
import { test } from "./main.js";
import { install } from "@sinonjs/fake-timers";
// Verify `main` retry when the clock has drifted.
await test((mockPool) => {
process.env.INPUT_OWNER = 'actions'
process.env.INPUT_REPOSITORIES = 'failed-repo';
const owner = process.env.INPUT_OWNER
const repo = process.env.INPUT_REPOSITORIES
const mockInstallationId = "123456";
install({ now: 0, toFake: ["Date"] });
mockPool
.intercept({
path: `/repos/${owner}/${repo}/installation`,
method: "GET",
headers: {
accept: "application/vnd.github.v3+json",
"user-agent": "actions/create-github-app-token",
// Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
},
})
.reply(({ headers }) => {
const [_, jwt] = (headers.authorization || "").split(" ");
const payload = JSON.parse(Buffer.from(jwt.split(".")[1], "base64").toString());
if (payload.iat < 0) {
return {
statusCode: 401,
data: {
message: "'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued."
},
responseOptions: {
headers: {
"content-type": "application/json",
"date": new Date(Date.now() + 30000).toUTCString()
}
}
};
}
return {
statusCode: 200,
data: {
id: mockInstallationId
},
responseOptions: {
headers: {
"content-type": "application/json"
}
}
};
}).times(2);
});