Merge pull request #517 from paoloredis/DOC-3991

paoloredis · web-flow · commit c1f0a7cfbb51 · 2024-08-06T12:00:04.000+02:00
DOC-3991 Use github app for k8s_apis_sync workflow
diff --git a/.github/workflows/k8s_apis_sync.yaml b/.github/workflows/k8s_apis_sync.yaml
@@ -61,8 +61,40 @@ jobs:
 
       - name: 'Send pull request'
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          APP_ID: ${{ secrets.DOCS_APP_ID }}
+          PEM: ${{ secrets.DOCS_APP_PRIVATE_KEY }}
+          REGISTRATION_ID: ${{ secrets.DOCS_APP_REGISTRATION_ID }}
         run: |-
+          set -o pipefail
+          now=$(date +%s)
+          iat=$((${now} - 60)) # Issues 60 seconds in the past
+          exp=$((${now} + 600)) # Expires 10 minutes in the future
+          b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+          header_json='{
+              "typ":"JWT",
+              "alg":"RS256"
+          }'
+          # Header encode
+          header=$( echo -n "${header_json}" | b64enc )
+          payload_json='{
+              "iat":'"${iat}"',
+              "exp":'"${exp}"',
+              "iss":'"${APP_ID}"'
+          }'
+          # Payload encode
+          payload=$( echo -n "${payload_json}" | b64enc )
+          # Signature
+          header_payload="${header}"."${payload}"
+          signature=$(
+              openssl dgst -sha256 -sign <(echo -n "${PEM}") \
+              <(echo -n "${header_payload}") | b64enc
+          )
+          # Create JWT
+          JWT="${header_payload}"."${signature}"
+          GH_TOKEN=$(curl -s --request POST --url "https://api.github.com/app/installations/${REGISTRATION_ID}/access_tokens" \
+            --header "Accept: application/vnd.github+json" --header "Authorization: Bearer $JWT" \
+            --header "X-GitHub-Api-Version: 2022-11-28" | jq -r '.token')
+
           RELEASE="${{ github.event.inputs.release }}"
           BRANCH="k8s_apis_docs_${RELEASE}"
 
