feat(create-github-app-token): adding create-github-app-token action (#1144)

* adding create-github-app-token action

* docs, release and refactor

* added suggestions and improvements

Co-Authored-By: Horst <[email protected]>

* format fixes

* revert to two tokens required and format fixes

---------

Co-authored-by: Horst <[email protected]>

Author: eloymg

.release-please-manifest.json

@@ -20,5 +20,6 @@
     "actions/find-pr-for-commit": "1.0.1",
     "actions/remove-checkout-credentials": "0.1.0",
     "actions/dependabot-auto-triage": "1.1.0",
-    "actions/get-latest-workflow-artifact": "0.1.0"
+    "actions/get-latest-workflow-artifact": "0.1.0",
+    "actions/create-github-app-token": "v0.1.0"
 }

actions/create-github-app-token/README.md

@@ -0,0 +1,107 @@
+# create-github-app-token
+
+From a `grafana/` org repository, get a ephemeral GitHub API token from a GitHub App using Vault.
+
+## Inputs
+
+| Name             | Type   | Description                 | Default Value | Required |
+| ---------------- | ------ | --------------------------- | ------------- | -------- |
+| `permission_set` | String | The required permission set | `default`     | Yes      |
+| `github-app`     | String | The required GitHub app     |               | Yes      |
+| `vault_instance` | String | Vault instance to point     | `ops`         | No       |
+
+## Outputs
+
+| Name           | Type   | Description                |
+| -------------- | ------ | -------------------------- |
+| `github_token` | String | The generated GitHub token |
+
+## Examples
+
+### Using Environment Variables (default)
+
+<!-- x-release-please-start-version -->
+
+#### Using default permission set
+
+```yaml
+name: CI
+on:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    # These permissions are needed to assume roles from GitHub's OIDC.
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - id: get-github-token
+        uses: grafana/shared-workflows/actions/create-github-app-token@create-github-app-token/v0.1.0
+        with:
+          github_app: github-app-name
+
+      # Use the secrets
+      - name: list issues assignees
+        run: |
+          curl -L \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ steps.get-github-token.outputs.github_token }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/grafana/grafana/assignees
+```
+
+#### Using multiple permissions sets
+
+```yaml
+name: CI
+on:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    # These permissions are needed to assume roles from GitHub's OIDC.
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - id: get-github-token-read
+        uses: grafana/shared-workflows/actions/create-github-app-token@create-github-app-token/v0.1.0
+        with:
+          github_app: github-app-name
+          permissions-set: read-only-on-foo-repository
+
+      # Use the secrets
+      - name: list issues assignees
+        run: |
+          curl -L \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ steps.get-github-token-read.outputs.github_token }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/grafana/foo-repository/assignees
+
+      - id: get-github-token-write
+        uses: grafana/shared-workflows/actions/create-github-app-token@create-github-app-token/v0.1.0
+        with:
+          github_app: github-app-name
+          permissions-set: write-on-bar-repository
+
+      # Use the secrets
+      - name: create a pull request
+        run: |
+          curl -L \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ steps.get-github-token-write.outputs.github_token }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/grafana/bar-repository/pulls \
+            -d '{"title":"Amazing new feature","body":"Please pull these awesome changes in!","head":"octocat:new-feature","base":"master"}'
+```
+
+<!-- x-release-please-end-version -->

actions/create-github-app-token/action.yaml

@@ -0,0 +1,88 @@
+name: Create GitHub App Token
+description: Composite action (step) to get create github app token using vault.
+inputs:
+  permission_set:
+    description: Permission set name
+    default: default
+  github_app:
+    description: |
+      GitHub app name in Vault
+  vault_instance:
+    description: |
+      The Vault instance to use (`dev` or `ops`). Defaults to `ops`.
+    default: ops
+outputs:
+  token:
+    description: "GitHub installation access token"
+    value: ${{ steps.generate-token.outputs.github_token }}
+runs:
+  using: composite
+  steps:
+    - id: check-vault-instance
+      if: inputs.vault_instance != 'dev' && inputs.vault_instance != 'ops'
+      shell: bash
+      env:
+        VAULT_INSTANCE: ${{ inputs.vault_instance }}
+      run: |
+        echo "Invalid value for vault_instance input: ${VAULT_INSTANCE}. Must be 'dev' or 'ops'."
+        exit 1
+
+    - id: normalize-workflow-name
+      shell: bash
+      env:
+        WORKFLOW_REF: ${{ github.workflow_ref }}
+      run: |
+        RAW_NAME="${WORKFLOW_REF}"
+        REF_SHA=$(echo -n "$RAW_NAME" | sed -E 's|^[^/]*/[^/]*/||' | sed -E 's/@.*//' | sha256sum | awk '{print $1}')
+        echo "ref_sha=$REF_SHA" >> "$GITHUB_OUTPUT"
+
+    - id: get-github-jwt-token
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      env:
+        VAULT_INSTANCE: ${{ inputs.vault_instance }}
+      with:
+        script: |
+          const jwt = await core.getIDToken("vault-github-actions-grafana-"+process.env.VAULT_INSTANCE);
+          core.setSecret(jwt);
+          core.setOutput("github-jwt",jwt);
+
+    - id: get-github-jwt-auth-token
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      env:
+        VAULT_INSTANCE: ${{ inputs.vault_instance }}
+      with:
+        script: |
+          const jwt = await core.getIDToken("https://vault-github-actions.grafana-"+process.env.VAULT_INSTANCE+".net");
+          core.setSecret(jwt);
+          core.setOutput("github-jwt",jwt);
+
+    - name: Authenticate with Vault
+      id: auth-vault
+      shell: bash
+      env:
+        VAULT_INSTANCE: ${{ inputs.vault_instance }}
+        REPOSITORY_NAME: ${{ github.event.repository.name }}
+        PERMISSION_SET: ${{ inputs.permission_set}}
+        VAULT_URL: "https://vault-github-actions.grafana-${{ inputs.vault_instance }}.net"
+      run: |
+        echo "${REPOSITORY_NAME}-${{ steps.normalize-workflow-name.outputs.ref_sha }}-${PERMISSION_SET}"
+        curl --fail -X POST "${VAULT_URL}/v1/auth/github-actions-oidc/login" \
+        -H "Content-Type: application/json" \
+        -H "Proxy-Authorization-Token: Bearer ${{ steps.get-github-jwt-token.outputs.github-jwt }}" \
+        -d "{\"role\": \"${REPOSITORY_NAME}-${{ steps.normalize-workflow-name.outputs.ref_sha }}-${PERMISSION_SET}\",\"jwt\": \"${{ steps.get-github-jwt-auth-token.outputs.github-jwt }}\"}" \
+        | jq -r '"vault_token=\(.auth.client_token)"' >> $GITHUB_OUTPUT
+
+    - name: Get GitHub Token
+      id: generate-token
+      shell: bash
+      env:
+        VAULT_INSTANCE: ${{ inputs.vault_instance }}
+        REPOSITORY_NAME: ${{ github.event.repository.name }}
+        PERMISSION_SET: ${{ inputs.permission_set}}
+        GITHUB_APP: ${{ inputs.github_app }}
+        VAULT_URL: "https://vault-github-actions.grafana-${{ inputs.vault_instance }}.net"
+      run: |
+        curl --fail "{$VAULT_URL}/v1/github-app-${GITHUB_APP}/token/${REPOSITORY_NAME}-${{ steps.normalize-workflow-name.outputs.ref_sha }}-${PERMISSION_SET}" \
+        -H "X-Vault-Token: ${{ steps.auth-vault.outputs.vault_token }}" \
+        -H "Proxy-Authorization-Token: Bearer ${{ steps.get-github-jwt-token.outputs.github-jwt }}" \
+        | jq -r '"github_token=\(.data.token)"' >> $GITHUB_OUTPUT