|
| 1 | +# Login to GitHub - Composite Action |
| 2 | +# |
| 3 | +# Mints a GitHub App installation access token using Azure Key Vault signing. |
| 4 | +# This action wraps eng/common/scripts/login-to-github.ps1 for use in GitHub |
| 5 | +# Actions workflows. The same script is used by Azure DevOps pipelines via |
| 6 | +# eng/common/pipelines/templates/steps/login-to-github.yml. |
| 7 | +# |
| 8 | +# IMPORTANT: This action requires Azure CLI to be pre-authenticated. |
| 9 | +# You must call azure/login BEFORE this action in your workflow. |
| 10 | +# This is because composite actions cannot call azure/login internally. |
| 11 | +# |
| 12 | +# Usage (single owner): |
| 13 | +# jobs: |
| 14 | +# my-job: |
| 15 | +# # An environment is required for OIDC (federated credential) login. |
| 16 | +# # Work with EngSys to configure the environment with the federated |
| 17 | +# # credential for the AzureSDKEngKeyVault Secrets service connection. |
| 18 | +# environment: AzureSDKEngKeyVault |
| 19 | +# permissions: |
| 20 | +# id-token: write # Required for azure/login OIDC |
| 21 | +# steps: |
| 22 | +# # Step 1: Authenticate to Azure (required before this action) |
| 23 | +# - uses: azure/login@v2 |
| 24 | +# with: |
| 25 | +# client-id: 5786d1fb-187e-4ca9-9a81-ab89ea278986 |
| 26 | +# tenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47 |
| 27 | +# subscription-id: a18897a6-7e44-457d-9260-f2854c0aca42 |
| 28 | +# |
| 29 | +# # Step 2: Mint GitHub App token |
| 30 | +# - uses: ./eng/common/actions/login-to-github |
| 31 | +# with: |
| 32 | +# token-owners: Azure |
| 33 | +# |
| 34 | +# # Step 3: Use the token (available as env var in all subsequent steps) |
| 35 | +# - run: gh pr list --repo Azure/azure-sdk-tools |
| 36 | +# env: |
| 37 | +# GH_TOKEN: ${{ env.GH_TOKEN }} |
| 38 | +# |
| 39 | +# Usage (multiple owners): |
| 40 | +# - uses: ./eng/common/actions/login-to-github |
| 41 | +# with: |
| 42 | +# token-owners: Azure,azure-sdk,MicrosoftDocs |
| 43 | +# |
| 44 | +# - run: gh pr list --repo Azure/azure-sdk-tools |
| 45 | +# env: |
| 46 | +# GH_TOKEN: ${{ env.GH_TOKEN_Azure }} |
| 47 | +# |
| 48 | +# Tokens are exported to GITHUB_ENV so all subsequent steps can reference |
| 49 | +# them as ${{ env.GH_TOKEN }} (single owner) or ${{ env.GH_TOKEN_<Owner> }} |
| 50 | +# (multiple owners). This matches the Azure DevOps behavior where tokens |
| 51 | +# are set as pipeline variables. |
| 52 | + |
| 53 | +name: 'Login to GitHub' |
| 54 | +description: 'Mint a GitHub App installation token via Azure Key Vault signing' |
| 55 | + |
| 56 | +inputs: |
| 57 | + token-owners: |
| 58 | + description: > |
| 59 | + Comma-separated list of GitHub organizations or users for which to |
| 60 | + obtain installation tokens (e.g. "Azure" or "Azure,azure-sdk"). |
| 61 | + required: false |
| 62 | + default: 'Azure' |
| 63 | + variable-name-prefix: |
| 64 | + description: > |
| 65 | + Prefix for the exported variable name. With a single owner the |
| 66 | + variable is named exactly this (default GH_TOKEN). With multiple |
| 67 | + owners each variable is named <prefix>_<owner>. |
| 68 | + required: false |
| 69 | + default: 'GH_TOKEN' |
| 70 | + key-vault-name: |
| 71 | + description: 'Azure Key Vault name containing the signing key' |
| 72 | + required: false |
| 73 | + default: 'azuresdkengkeyvault' |
| 74 | + key-name: |
| 75 | + description: 'Name of the RSA key in Key Vault' |
| 76 | + required: false |
| 77 | + default: 'azure-sdk-automation' |
| 78 | + app-id: |
| 79 | + description: 'GitHub App numeric ID' |
| 80 | + required: false |
| 81 | + default: '1086291' |
| 82 | + |
| 83 | +runs: |
| 84 | + using: 'composite' |
| 85 | + steps: |
| 86 | + - shell: pwsh |
| 87 | + env: |
| 88 | + INPUT_TOKEN_OWNERS: ${{ inputs.token-owners }} |
| 89 | + INPUT_VARIABLE_NAME_PREFIX: ${{ inputs.variable-name-prefix }} |
| 90 | + INPUT_KEY_VAULT_NAME: ${{ inputs.key-vault-name }} |
| 91 | + INPUT_KEY_NAME: ${{ inputs.key-name }} |
| 92 | + INPUT_APP_ID: ${{ inputs.app-id }} |
| 93 | + ACTION_PATH: ${{ github.action_path }} |
| 94 | + run: | |
| 95 | + $scriptPath = Join-Path $env:ACTION_PATH ".." ".." "scripts" "login-to-github.ps1" |
| 96 | + $owners = $env:INPUT_TOKEN_OWNERS -split ',' | ForEach-Object { $_.Trim() } |
| 97 | + & $scriptPath ` |
| 98 | + -KeyVaultName $env:INPUT_KEY_VAULT_NAME ` |
| 99 | + -KeyName $env:INPUT_KEY_NAME ` |
| 100 | + -GitHubAppId $env:INPUT_APP_ID ` |
| 101 | + -InstallationTokenOwners $owners ` |
| 102 | + -VariableNamePrefix $env:INPUT_VARIABLE_NAME_PREFIX |
0 commit comments