microsoft/TypeScript
1
0
Fork 0
mirror of https://github.com/microsoft/TypeScript.git synced 2026-06-13 11:46:08 -05:00
Code Issues Packages Projects Releases 212 Wiki Activity

Switch from bot PAT to GitHub App token via Azure Key Vault (#63538)

Browse Source
This commit is contained in:
Jake Bailey
2026-06-08 12:58:53 -07:00
committed by GitHub
parent 7539c04d94
commit 345012d5a9
13 changed files with 1025 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

614
scripts/create-github-app-token.yml Normal file
View File

@@ -0,0 +1,614 @@
# Step template for creating a GitHub App token via Azure Key Vault.
# This template can be used in release jobs where checkout is not available.
# The CLI script from microsoft/create-github-app-token-via-key-vault is inlined below.
#
# The token is created and stored in an Azure Pipelines variable (default: GH_TOKEN).
# A revocation step runs at the end with condition: always().
# To use the token, add your steps between this template's create and revoke steps
# by setting insertSteps.
parameters:
- name: azureSubscription
type: string
default: 'TypeScript Public CI'
- name: owner
type: string
default: 'microsoft'
- name: repositories
type: string
- name: permissions
type: string
- name: tokenVariable
type: string
default: 'GH_TOKEN'
- name: insertSteps
type: stepList
default: []
steps:
- task: AzureCLI@2
displayName: Create GitHub App token
inputs:
azureSubscription: ${{ parameters.azureSubscription }}
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
cat << 'GITHUB_APP_TOKEN_CLI_EOF' > /tmp/create-github-app-token.cjs
"use strict";
// src/api.ts
var defaultRefreshWindowMs = 5 * 60 * 1e3;
var defaultGitHubApiUrl = "https://api.github.com";
var transientRetryCount = 3;
var GitHubRequestError = class extends Error {
status;
constructor(message, status) {
super(message);
this.status = status;
}
};
function assertValue(value, message) {
if (!value) {
throw new Error(message);
}
return value;
}
function base64url(value) {
return Buffer.from(value).toString("base64url");
}
async function sleep(ms) {
await new Promise((resolve) => setTimeout(resolve, ms));
}
function isRetryableError(error) {
return error instanceof GitHubRequestError ? error.status >= 500 : error instanceof TypeError;
}
async function retryTransient(operation) {
for (let attempt = 0; ; attempt++) {
try {
return await operation();
} catch (error) {
if (attempt >= transientRetryCount || !isRetryableError(error)) {
throw error;
}
await sleep(2 ** attempt * 1e3);
}
}
}
function splitRepositoryNames(repositories) {
if (Array.isArray(repositories)) {
return repositories.map((repo) => `${repo}`.trim()).filter(Boolean);
}
if (typeof repositories === "string") {
return repositories.split(/[,\n]/).map((repo) => repo.trim()).filter(Boolean);
}
return [];
}
function stableObject(value) {
if (!value || typeof value !== "object" || Array.isArray(value)) {
return value;
}
return Object.fromEntries(
Object.entries(value).sort(([left], [right]) => left.localeCompare(right)).map(([key, entry]) => [key, stableObject(entry)])
);
}
function githubHeaders(token, json = false) {
return {
"Accept": "application/vnd.github+json",
"Authorization": `Bearer ${token}`,
...json ? { "Content-Type": "application/json" } : {},
"X-GitHub-Api-Version": "2022-11-28"
};
}
function isRecord(value) {
return typeof value === "object" && value !== null && !Array.isArray(value);
}
function requiredIntegerProperty(value, property, failureMessage) {
const propertyValue = isRecord(value) ? value[property] : void 0;
if (typeof propertyValue !== "number" || !Number.isInteger(propertyValue)) {
throw new Error(failureMessage);
}
return propertyValue;
}
function requiredStringProperty(value, property, failureMessage) {
const propertyValue = isRecord(value) ? value[property] : void 0;
if (typeof propertyValue !== "string" || !propertyValue) {
throw new Error(failureMessage);
}
return propertyValue;
}
function validatePermissionName(key) {
if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
throw new Error(`Invalid permission name: ${key}`);
}
}
function validatePermissionLevel(key, level) {
if (level !== "read" && level !== "write" && level !== "admin") {
throw new Error(`Invalid permission level for ${key}: ${level}`);
}
return level;
}
function validatePermissions(value) {
if (value === void 0) {
return void 0;
}
if (!isRecord(value)) {
throw new Error("permissions must be an object");
}
const permissions = {};
for (const [key, level] of Object.entries(value)) {
validatePermissionName(key);
permissions[key] = validatePermissionLevel(key, level);
}
return Object.keys(permissions).length === 0 ? void 0 : permissions;
}
async function requestJson(url, init, failureMessage) {
const response = await fetch(url, init);
const body = await response.text();
if (!response.ok) {
throw new GitHubRequestError(
`${failureMessage}: ${response.status} ${response.statusText}: ${body}`,
response.status
);
}
try {
return JSON.parse(body);
} catch {
throw new Error(`${failureMessage}: GitHub returned invalid JSON`);
}
}
async function requestNoContent(url, init, failureMessage) {
const response = await fetch(url, init);
if (!response.ok) {
const body = await response.text();
throw new GitHubRequestError(
`${failureMessage}: ${response.status} ${response.statusText}: ${body}`,
response.status
);
}
}
function parseRepositoryInput(input) {
const parts = input.split("/");
if (parts.length === 1 && parts[0]) {
return { input, name: parts[0] };
}
if (parts.length === 2 && parts[0] && parts[1]) {
return { input, owner: parts[0], name: parts[1] };
}
throw new Error(`Invalid repository '${input}'. Expected 'repository' or 'owner/repository'.`);
}
function normalizeRepositoryTarget(owner, repositories, defaultOwner) {
const parsedRepositories = repositories.map(parseRepositoryInput);
const repositoryOwner = parsedRepositories.find((repository) => repository.owner)?.owner;
const parsedOwner = owner || defaultOwner || repositoryOwner;
if (!parsedOwner) {
throw new Error("owner is required when repositories are provided");
}
const mismatchedRepository = parsedRepositories.find(
(repository) => repository.owner && repository.owner.toLowerCase() !== parsedOwner.toLowerCase()
);
if (mismatchedRepository) {
throw new Error(
`Repository '${mismatchedRepository.input}' includes owner '${mismatchedRepository.owner}', which does not match the resolved owner '${parsedOwner}'.`
);
}
return {
owner: parsedOwner,
repositories: parsedRepositories.map((repository) => repository.name)
};
}
function resolveInstallationTarget(options, defaultOwner) {
const repositories = splitRepositoryNames(options.repositories ?? options.repositoryNames);
if (options.enterprise) {
if (options.owner || repositories.length > 0) {
throw new Error("Cannot use 'enterprise' with 'owner' or 'repositories'");
}
return { type: "enterprise", enterprise: options.enterprise };
}
const owner = assertValue(options.owner ?? defaultOwner, "owner is required to discover installation ID");
if (repositories.length === 0) {
return { type: "owner", owner };
}
return { type: "repository", owner, repositories };
}
function createGitHubAppAuth(options) {
assertValue(options.appClientId, "appClientId is required");
assertValue(options.signer, "signer is required");
const appClientId = options.appClientId;
const signer = options.signer;
const defaultOwner = options.defaultOwner;
const refreshWindowMs = options.refreshWindowMs ?? defaultRefreshWindowMs;
const githubApiUrl = options.githubApiUrl ?? defaultGitHubApiUrl;
const installationCache = /* @__PURE__ */ new Map();
const tokenCache = /* @__PURE__ */ new Map();
async function createJwt() {
const now = Math.floor(Date.now() / 1e3);
const iat = now - 60;
const exp = now + 9 * 60;
const header = base64url(JSON.stringify({ typ: "JWT", alg: "RS256" }));
const payload = base64url(JSON.stringify({ iat, exp, iss: appClientId }));
const signingInput = `${header}.${payload}`;
const signature = await signer(signingInput);
return `${signingInput}.${signature}`;
}
async function discoverInstallation(target) {
const cacheKey = JSON.stringify(target);
const cached = installationCache.get(cacheKey);
if (cached !== void 0) {
return cached;
}
const jwt = await createJwt();
let installation;
switch (target.type) {
case "enterprise":
installation = await requestJson(
`${githubApiUrl}/enterprises/${target.enterprise}/installation`,
{ headers: githubHeaders(jwt) },
"Could not discover GitHub App installation ID"
);
break;
case "owner":
try {
installation = await requestJson(
`${githubApiUrl}/orgs/${target.owner}/installation`,
{ headers: githubHeaders(jwt) },
"Could not discover GitHub App installation ID"
);
} catch (error) {
if (!(error instanceof GitHubRequestError) || error.status !== 404) {
throw error;
}
installation = await requestJson(
`${githubApiUrl}/users/${target.owner}/installation`,
{ headers: githubHeaders(jwt) },
"Could not discover GitHub App installation ID"
);
}
break;
case "repository":
installation = await requestJson(
`${githubApiUrl}/repos/${target.owner}/${assertValue(target.repositories[0], "repository is required")}/installation`,
{ headers: githubHeaders(jwt) },
"Could not discover GitHub App installation ID"
);
break;
}
const result = {
id: requiredIntegerProperty(installation, "id", "GitHub did not return an installation ID"),
appSlug: requiredStringProperty(installation, "app_slug", "GitHub did not return an App slug")
};
installationCache.set(cacheKey, result);
return result;
}
async function getInstallationToken(options2) {
const target = resolveInstallationTarget(options2, defaultOwner);
const permissions = validatePermissions(options2.permissions);
return retryTransient(async () => {
const installation = await discoverInstallation(target);
const repositories = target.type === "repository" ? target.repositories : [];
const cacheKey = JSON.stringify({
installationId: installation.id,
repositories: [...repositories].sort(),
permissions: stableObject(permissions)
});
const cached = tokenCache.get(cacheKey);
if (cached && Date.now() < new Date(cached.expiresAt).getTime() - refreshWindowMs) {
return cached;
}
const jwt = await createJwt();
const body = {
...repositories.length > 0 ? { repositories } : {},
...permissions ? { permissions } : {}
};
const token = await requestJson(
`${githubApiUrl}/app/installations/${installation.id}/access_tokens`,
{
method: "POST",
headers: githubHeaders(jwt, true),
body: JSON.stringify(body)
},
"Could not create GitHub App installation token"
);
const result = {
token: requiredStringProperty(token, "token", "GitHub did not return an installation token"),
expiresAt: requiredStringProperty(
token,
"expires_at",
"GitHub did not return an installation token expiration"
),
installationId: installation.id,
appSlug: installation.appSlug,
repositories,
permissions: isRecord(token) && isRecord(token["permissions"]) ? token["permissions"] : permissions ?? {}
};
tokenCache.set(cacheKey, result);
return result;
});
}
async function getToken(options2) {
return (await getInstallationToken(options2)).token;
}
async function revokeToken(token) {
await requestNoContent(
`${githubApiUrl}/installation/token`,
{
method: "DELETE",
headers: githubHeaders(token)
},
"Could not revoke GitHub App installation token"
);
}
return {
getInstallationToken,
getToken,
revokeToken
};
}
// src/azureCliSigner.ts
var import_node_child_process = require("node:child_process");
var import_node_crypto = require("node:crypto");
var cachedAzCommand;
function isRecord2(value) {
return typeof value === "object" && value !== null;
}
function base64ToBase64url(value) {
return value.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
}
function commandExists(command) {
try {
(0, import_node_child_process.execFileSync)("where.exe", [command], {
encoding: "utf8",
stdio: ["ignore", "ignore", "ignore"]
});
return true;
} catch {
return false;
}
}
function azCommand() {
if (cachedAzCommand) {
return cachedAzCommand;
}
if (process.platform !== "win32") {
cachedAzCommand = { command: "az", argsPrefix: [] };
return cachedAzCommand;
}
for (const command of ["az.exe", "az.cmd", "az.bat", "az"]) {
if (commandExists(command)) {
cachedAzCommand = command.endsWith(".exe") ? { command, argsPrefix: [] } : { command: process.env["ComSpec"] || "cmd.exe", argsPrefix: ["/d", "/s", "/c", command] };
return cachedAzCommand;
}
}
throw new Error("Azure CLI (`az`) was not found on PATH");
}
function signDigest(keyId, digest) {
const { command, argsPrefix } = azCommand();
try {
return (0, import_node_child_process.execFileSync)(command, [
...argsPrefix,
"keyvault",
"key",
"sign",
"--id",
keyId,
"--algorithm",
"RS256",
"--digest",
digest,
"--query",
"signature",
"--output",
"tsv",
"--only-show-errors"
], {
encoding: "utf8",
stdio: ["ignore", "pipe", "pipe"]
}).trim();
} catch (error) {
if (isRecord2(error)) {
if (error["code"] === "ENOENT") {
throw new Error("Azure CLI (`az`) was not found on PATH");
}
const errorStderr = error["stderr"];
const stderr = typeof errorStderr === "string" ? errorStderr.trim() : "";
if (typeof error["status"] === "number") {
throw new Error(
`Azure Key Vault signing failed with exit code ${error["status"]}${stderr ? `: ${stderr}` : ""}`
);
}
}
throw new Error("Azure Key Vault signing failed");
}
}
function createAzureCliKeyVaultSigner(keyId) {
if (!keyId) {
throw new Error("keyId is required");
}
return async (signingInput) => {
const digest = (0, import_node_crypto.createHash)("sha256").update(signingInput).digest("base64");
const signature = signDigest(keyId, digest);
if (!signature) {
throw new Error("Azure Key Vault did not return a signature");
}
return base64ToBase64url(signature);
};
}
// src/proxy.ts
var proxyEnvironmentKeys = [
"https_proxy",
"HTTPS_PROXY",
"http_proxy",
"HTTP_PROXY"
];
function proxyEnvironmentConfigured() {
return proxyEnvironmentKeys.some((key) => process.env[key]);
}
function nativeProxySupportEnabled() {
return process.env["NODE_USE_ENV_PROXY"] === "1";
}
function ensureNativeProxySupport() {
if (!proxyEnvironmentConfigured() || nativeProxySupportEnabled()) {
return;
}
throw new Error(
"A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 before running this tool."
);
}
// src/cli.ts
function requiredEnv(name) {
const value = process.env[name];
if (!value) {
throw new Error(`${name} must be set`);
}
return value;
}
function getAppClientId() {
const appClientId = process.env["APP_CLIENT_ID"];
if (!appClientId) {
throw new Error("APP_CLIENT_ID must be set");
}
return appClientId;
}
function validatePermissionName2(key) {
if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
throw new Error(`Invalid permission name: ${key}`);
}
}
function validatePermissionLevel2(key, level) {
if (level !== "read" && level !== "write" && level !== "admin") {
throw new Error(`Invalid permission level for ${key}: ${level}`);
}
return level;
}
function parsePermissions(value) {
if (!value) {
return void 0;
}
const permissions = {};
for (const entry of splitRepositoryNames(value)) {
const parts = entry.split(":");
if (parts.length !== 2) {
throw new Error(`Permission entry must include an explicit level: ${entry}`);
}
const key = parts[0]?.trim();
const rawLevel = parts[1]?.trim();
if (!key) {
throw new Error(`Permission entry must include a permission name: ${entry}`);
}
validatePermissionName2(key);
if (Object.hasOwn(permissions, key)) {
throw new Error(`Duplicate permission: ${key}`);
}
permissions[key] = validatePermissionLevel2(key, rawLevel);
}
return Object.keys(permissions).length === 0 ? void 0 : permissions;
}
function validateVariableName(name, envName) {
if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
throw new Error(`${envName} must be an environment-style variable name`);
}
}
function parseOutputMode(value) {
const output = (value || "stdout").trim().toLowerCase();
if (output === "azure" || output === "azure-pipelines" || output === "stdout") {
return output;
}
throw new Error('OUTPUT must be "azure", "azure-pipelines", or "stdout"');
}
function getTokenOptions() {
const enterprise = process.env["ENTERPRISE"];
const owner = process.env["OWNER"];
const repositories = splitRepositoryNames(process.env["REPOSITORIES"]);
const permissions = parsePermissions(process.env["PERMISSIONS"]);
if (enterprise) {
if (owner || repositories.length > 0) {
throw new Error("Cannot use ENTERPRISE with OWNER or REPOSITORIES");
}
return { enterprise, permissions };
}
if (repositories.length > 0) {
return { ...normalizeRepositoryTarget(owner, repositories, void 0), permissions };
}
if (owner) {
return { owner, permissions };
}
throw new Error("OWNER, REPOSITORIES, or ENTERPRISE must be set");
}
function writeAzurePipelinesOutput(installationToken) {
const variableName = requiredEnv("AZURE_TOKEN_VARIABLE");
validateVariableName(variableName, "AZURE_TOKEN_VARIABLE");
process.stdout.write(`##vso[task.setvariable variable=${variableName};isSecret=true]${installationToken.token}
`);
}
function writeOutput(installationToken, output) {
switch (output) {
case "azure":
case "azure-pipelines":
writeAzurePipelinesOutput(installationToken);
break;
case "stdout":
process.stdout.write(`${installationToken.token}
`);
break;
}
}
function reportError(error) {
const message = error instanceof Error ? error.message : String(error);
console.error(`error: ${message}`);
}
async function main() {
ensureNativeProxySupport();
const githubApiUrl = process.env["GITHUB_API_URL"] || "https://api.github.com";
const revokeTokenValue = process.env["REVOKE_TOKEN"];
if (revokeTokenValue) {
const response = await fetch(`${githubApiUrl}/installation/token`, {
method: "DELETE",
headers: {
"Accept": "application/vnd.github+json",
"Authorization": `Bearer ${revokeTokenValue}`,
"X-GitHub-Api-Version": "2022-11-28"
}
});
if (!response.ok) {
const body = await response.text();
throw new Error(`Could not revoke token: ${response.status} ${response.statusText}: ${body}`);
}
return;
}
const githubAuth = createGitHubAppAuth({
appClientId: getAppClientId(),
signer: createAzureCliKeyVaultSigner(requiredEnv("KEY_ID")),
githubApiUrl
});
const installationToken = await githubAuth.getInstallationToken(getTokenOptions());
writeOutput(installationToken, parseOutputMode(process.env["OUTPUT"]));
}
void main().catch((error) => {
reportError(error);
process.exitCode = 1;
});
GITHUB_APP_TOKEN_CLI_EOF
node /tmp/create-github-app-token.cjs
env:
APP_CLIENT_ID: $(TYPESCRIPT_AUTOMATION_GITHUB_APP_CLIENT_ID)
KEY_ID: $(TYPESCRIPT_AUTOMATION_GITHUB_APP_KEY_ID)
OWNER: ${{ parameters.owner }}
REPOSITORIES: ${{ parameters.repositories }}
PERMISSIONS: ${{ parameters.permissions }}
OUTPUT: azure-pipelines
AZURE_TOKEN_VARIABLE: ${{ parameters.tokenVariable }}
- ${{ each step in parameters.insertSteps }}:
- ${{ step }}
- task: Bash@3
displayName: Revoke GitHub App token
condition: always()
continueOnError: true
inputs:
targetType: inline
script: node /tmp/create-github-app-token.cjs
env:
REVOKE_TOKEN: $(${{ parameters.tokenVariable }})