This action allows signing a GitHub App token using a key stored in Azure Key Vault.
- Azure subscription
- GitHub App
- Key Vault
Create a private key and upload it to Azure Key Vault.
Note: This action requires that the workflow has already logged in to Azure, either through the az
CLI or through the Azure/login
action. Alternatively it also supports loging in using azurerm
Terraform provider's OIDC login method environment variables.
gh-app-client-id
- The Client ID of the GitHub App to sign the token for.gh-installation-id
- The installation ID of the GitHub App. Either this orgh-org
must be provided.gh-org
- The org to fetch the installation ID from. Either this orgh-installation-id
must be provided.key-vault-name
- The name of the Azure Key Vault resource that holds the GitHub App private key.key-name
- The name of the key in the Azure Key Vault resource that holds the GitHub App private key.token-duration
- The duration in seconds for which the token will be valid. Default:300
gh_token
- The resulting GitHub token, signed with the key stored in Azure Key Vault.
name: Sign GitHub App token with Azure
on: push
permissions:
id-token: write
contents: read
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Azure login
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Sign GitHub App token with Azure
id: sign_token
uses: bcc-code/az-keyvault-sign-token@v1
with:
gh-app-client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
gh-installation-id: ${{ vars.GITHUB_APP_INSTALLATION_ID }}
key-vault-name: ${{ vars.AZURE_KEY_VAULT_NAME }}
key-name: 'gh-app-pem'
- name: Use the signed token
run: |
echo "Signed token: ${{ steps.sign_token.outputs.gh_token }}"
The scripts and documentation in this project are released under the Apache License 2.0