feat: support tokens scoped to multiple repositories within organization (#46)

Co-authored-by: Gregor Martynus <39992+gr2m@users.noreply.github.com> Co-authored-by: Parker Brown <17183625+parkerbxyz@users.noreply.github.com>
2023-10-04 00:28:48 -05:00
parent 5804f049e1
commit 20fd86373f
7 changed files with 949 additions and 5751 deletions
--- a/lib/main.js
+++ b/lib/main.js
@@ -3,7 +3,8 @@
 /**
 * @param {string} appId
 * @param {string} privateKey
- * @param {string} repository
+ * @param {string} owner
+ * @param {string} repositories
 * @param {import("@actions/core")} core
 * @param {import("@octokit/auth-app").createAppAuth} createAppAuth
 * @param {import("@octokit/request").request} request
@@ -11,13 +12,54 @@
 export async function main(
  appId,
  privateKey,
-  repository,
+  owner,
+  repositories,
  core,
  createAppAuth,
  request
 ) {
-  // Get owner and repo name from GITHUB_REPOSITORY
-  const [owner, repo] = repository.split("/");
+  let parsedOwner = "";
+  let parsedRepositoryNames = "";
+
+  // If neither owner nor repositories are set, default to current repository
+  if (!owner && !repositories) {
+    [parsedOwner, parsedRepositoryNames] = String(
+      process.env.GITHUB_REPOSITORY
+    ).split("/");
+
+    core.info(
+      `owner and repositories not set, creating token for the current repository ("${parsedRepositoryNames}")`
+    );
+  }
+
+  // If only an owner is set, default to all repositories from that owner
+  if (owner && !repositories) {
+    parsedOwner = owner;
+
+    core.info(
+      `repositories not set, creating token for all repositories for given owner "${owner}"`
+    );
+  }
+
+  // If repositories are set, but no owner, default to `GITHUB_REPOSITORY_OWNER`
+  if (!owner && repositories) {
+    parsedOwner = String(process.env.GITHUB_REPOSITORY_OWNER);
+    parsedRepositoryNames = repositories;
+
+    core.info(
+      `owner not set, creating owner for given repositories "${repositories}" in current owner ("${parsedOwner}")`
+    );
+  }
+
+  // If both owner and repositories are set, use those values
+  if (owner && repositories) {
+    parsedOwner = owner;
+    parsedRepositoryNames = repositories;
+
+    core.info(
+      `owner and repositories set, creating token for repositories "${repositories}" owned by "${owner}"`
+    );
+  }

  const auth = createAppAuth({
    appId,
@@ -29,31 +71,56 @@ export async function main(
    type: "app",
  });

-  // Get the installation ID
-  // https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
-  const { data: installation } = await request(
-    "GET /repos/{owner}/{repo}/installation",
-    {
-      owner,
-      repo,
+  let authentication;
+  // If at least one repository is set, get installation ID from that repository
+  // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
+  if (parsedRepositoryNames) {
+    const response = await request("GET /repos/{owner}/{repo}/installation", {
+      owner: parsedOwner,
+      repo: parsedRepositoryNames.split(",")[0],
      headers: {
        authorization: `bearer ${appAuthentication.token}`,
      },
-    }
-  );
+    });

-  // Create a new installation token
-  const authentication = await auth({
-    type: "installation",
-    installationId: installation.id,
-    repositoryNames: [repo],
-  });
+    // Get token for given repositories
+    authentication = await auth({
+      type: "installation",
+      installationId: response.data.id,
+      repositoryNames: parsedRepositoryNames.split(","),
+    });
+  } else {
+    // Otherwise get the installation for the owner, which can either be an organization or a user account
+    // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
+    const response = await request("GET /orgs/{org}/installation", {
+      org: parsedOwner,
+      headers: {
+        authorization: `bearer ${appAuthentication.token}`,
+      },
+    }).catch((error) => {
+      if (error.status !== 404) throw error;
+
+      // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app
+      return request("GET /users/{username}/installation", {
+        username: parsedOwner,
+        headers: {
+          authorization: `bearer ${appAuthentication.token}`,
+        },
+      });
+    });
+
+    // Get token for for all repositories of the given installation
+    authentication = await auth({
+      type: "installation",
+      installationId: response.data.id,
+    });
+  }

  // Register the token with the runner as a secret to ensure it is masked in logs
  core.setSecret(authentication.token);

  core.setOutput("token", authentication.token);
-
+  
  // Make token accessible to post function (so we can invalidate it)
  core.saveState("token", authentication.token);
 }