.github/workflows/fetch-public-commits.yml

name: fetch-public-commits

on:
  repository_dispatch:
    types: ["on-pub-updated"]

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - name: Get token
        id: get-token
        run: |
          # Client ID as first argument
          client_id=${{ secrets.APP_CLIENT_ID }}
          app_id=${{ secrets.APP_ID }}

          pem=$( cat <<'EOF'
          ${{ secrets.APP_KEY }}
          EOF
          ) # file path of the private key as second argument

          now=$(date +%s)
          iat=$((${now} - 60)) # Issues 60 seconds in the past
          exp=$((${now} + 600)) # Expires 10 minutes in the future

          b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }

          header_json='{
              "typ":"JWT",
              "alg":"RS256"
          }'
          # Header encode
          header=$( echo -n "${header_json}" | b64enc )

          payload_json="{
              \"iat\":${iat},
              \"exp\":${exp},
              \"iss\":\"${client_id}\"
          }"
          # Payload encode
          payload=$( echo -n "${payload_json}" | b64enc )

          # Signature
          header_payload="${header}"."${payload}"
          signature=$(
          openssl dgst -sha256 -sign <(echo -n "${pem}") \
          <(echo -n "${header_payload}") | b64enc
          )

          #echo $header_payload
          #echo $signature

          # Create JWT
          JWT=$(printf '%s\n' "${header_payload}"."${signature}")
          echo "::add-mask::$JWT"

          resp=$(curl --request POST \
           --url "https://api.github.com/app/installations/$app_id/access_tokens" \
           --header "Accept: application/vnd.github+json" \
           --header "Authorization: Bearer $JWT" \
           --header "X-GitHub-Api-Version: 2022-11-28"
          )
          token=$(jq -r '.token' <<< $resp)
          echo "::add-mask::$token"
          if [[ -z "$token" ]]; then
              echo "Could not fetch access token"
              exit 1
          fi
          echo "TOKEN=$token" >> "$GITHUB_OUTPUT"
      - uses: actions/checkout@v4
        with:
          ref: public-clone
          token: ${{ steps.get-token.outputs.TOKEN }}
      - name: Update public-clone branch
        run: |
          git remote add pubrep https://github.com/${{ secrets.PUBLIC_REPO }}
          git pull pubrep main --ff-only
          git push
      - name: Update main branch
        run: |
          git config user.name "github-actions"
          git config user.email "github-actions@github.com"
          git fetch origin main
          git checkout -b main --track origin/main
          git merge -m "merge public-clone branch" public-clone
          git push