-
Notifications
You must be signed in to change notification settings - Fork 0
85 lines (74 loc) · 2.66 KB
/
fetch-internal-branch.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
name: fetch-internal-branch
on:
repository_dispatch:
types: ["on-priv-updated"]
jobs:
publish:
runs-on: ubuntu-latest
steps:
- name: Get token
id: get-token
run: |
# Client ID as first argument
client_id=${{ secrets.APP_CLIENT_ID }}
app_id=${{ secrets.APP_ID }}
pem=$( cat <<'EOF'
${{ secrets.APP_KEY }}
EOF
) # file path of the private key as second argument
now=$(date +%s)
iat=$((${now} - 60)) # Issues 60 seconds in the past
exp=$((${now} + 600)) # Expires 10 minutes in the future
b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
header_json='{
"typ":"JWT",
"alg":"RS256"
}'
# Header encode
header=$( echo -n "${header_json}" | b64enc )
payload_json="{
\"iat\":${iat},
\"exp\":${exp},
\"iss\":\"${client_id}\"
}"
# Payload encode
payload=$( echo -n "${payload_json}" | b64enc )
# Signature
header_payload="${header}"."${payload}"
signature=$(
openssl dgst -sha256 -sign <(echo -n "${pem}") \
<(echo -n "${header_payload}") | b64enc
)
#echo $header_payload
#echo $signature
# Create JWT
JWT=$(printf '%s\n' "${header_payload}"."${signature}")
echo "::add-mask::$JWT"
resp=$(curl --request POST \
--url "https://api.github.com/app/installations/$app_id/access_tokens" \
--header "Accept: application/vnd.github+json" \
--header "Authorization: Bearer $JWT" \
--header "X-GitHub-Api-Version: 2022-11-28"
)
token=$(jq -r '.token' <<< $resp)
echo "::add-mask::$token"
if [[ -z "$token" ]]; then
echo "Could not fetch access token"
exit 1
fi
echo "TOKEN=$token" >> "$GITHUB_OUTPUT"
- uses: actions/checkout@v4
with:
token: ${{ steps.get-token.outputs.TOKEN }}
- name: Add other remote
run: |
git remote add privrep https://github.com/${{ secrets.PRIVATE_REPO }}
featureBranch=${{ github.event.client_payload.branch }}
prId=${{ github.event.client_payload.pr_id }}
base_sha=${{ github.event.client_payload.base }}
localBranch="$featureBranch-$prId"
git fetch privrep $featureBranch
git checkout $base_sha
git switch -c $localBranch
git pull privrep $featureBranch --ff-only
git push origin $localBranch