Skip to content

Latest commit

 

History

History
69 lines (49 loc) · 2.17 KB

README.md

File metadata and controls

69 lines (49 loc) · 2.17 KB

Sign GitHub App token with Azure action

This action allows signing a GitHub App token using a key stored in Azure Key Vault.

Usage

Pre-requisites

  • Azure subscription
  • GitHub App
  • Key Vault

Create a private key and upload it to Azure Key Vault.

Note: This action requires that the workflow has already logged in to Azure, either through the az CLI or through the Azure/login action. Alternatively it also supports loging in using azurerm Terraform provider's OIDC login method environment variables.

Inputs

  • gh-app-client-id - The Client ID of the GitHub App to sign the token for.
  • gh-installation-id - The installation ID of the GitHub App. Either this or gh-org must be provided.
  • gh-org - The org to fetch the installation ID from. Either this or gh-installation-id must be provided.
  • key-vault-name - The name of the Azure Key Vault resource that holds the GitHub App private key.
  • key-name - The name of the key in the Azure Key Vault resource that holds the GitHub App private key.
  • token-duration - The duration in seconds for which the token will be valid. Default: 300

Outputs

  • gh_token - The resulting GitHub token, signed with the key stored in Azure Key Vault.

Example workflow

name: Sign GitHub App token with Azure

on: push

permissions:
  id-token: write
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - name: Azure login
      uses: azure/login@v2
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

    - name: Sign GitHub App token with Azure
      id: sign_token
      uses: bcc-code/az-keyvault-sign-token@v1
      with:
        gh-app-client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
        gh-installation-id: ${{ vars.GITHUB_APP_INSTALLATION_ID }}
        key-vault-name: ${{ vars.AZURE_KEY_VAULT_NAME }}
        key-name: 'gh-app-pem'
    
    - name: Use the signed token
      run: |
        echo "Signed token: ${{ steps.sign_token.outputs.gh_token }}"

License

The scripts and documentation in this project are released under the Apache License 2.0