Use GitHub app auth#10812
Conversation
There was a problem hiding this comment.
Code Review
This pull request updates the scripts/publish/cloudbuild.yaml workflow to dynamically request a GitHub App Installation Access Token (IAT) using a JWT signed with the App's private key, replacing the previous static credentials setup. The review feedback highlights several critical security and reliability improvements: removing a log statement that exposes the generated JWT, securely cleaning up the temporary private key file using a shell trap, correcting the GitHub API version header, utilizing Node.js instead of a fragile sed regex to parse the token response, and ensuring the token is written to /workspace/hub so subsequent build steps can access it.
| # Save the token to a shared file for subsequent build steps | ||
| mkdir -vp ~/.config && echo -n "$$IAT" > ~/.config/hub | ||
| echo "Successfully requested and saved GitHub App IAT." |
There was a problem hiding this comment.
To ensure that subsequent steps (such as the firepit-builder step, which copies /workspace/hub to ~/.config/hub) also use the newly generated Installation Access Token (IAT) instead of the old decrypted hub token, you should overwrite /workspace/hub with the new token.
# Save the token to a shared file for subsequent build steps
mkdir -vp ~/.config && echo -n "$$IAT" > ~/.config/hub
echo -n "$$IAT" > /workspace/hub
echo "Successfully requested and saved GitHub App IAT."d141933 to
fd5129a
Compare
TODOs to complete this setup:
Tested this on my personal project (just fetching the token) and it succeeded.