manki-review/token-service

manki-token-service

Cloudflare Worker that issues GitHub App installation tokens to GitHub Actions workflows.

Workflows authenticate via GitHub's OIDC provider. The service verifies the OIDC token, dynamically looks up the app installation for the requested repository, and returns a scoped installation token.

How it works

  1. A GitHub Actions workflow requests an OIDC token with audience manki-api.dustinface.me
  2. The workflow POSTs to https://manki-api.dustinface.me/token with the OIDC token as a Bearer token and { owner, repo } in the body
  3. The service verifies the OIDC token against GitHub's JWKS and checks the repository claim matches
  4. It creates a GitHub App JWT, looks up the installation ID for the repository, and requests an installation token
  5. The installation token is returned to the workflow
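
The claim checks from step 3, as an added example that is not the project's own code. It assumes the token's signature has already been verified against GitHub's JWKS and shows only the issuer, audience, lifetime and repository-binding checks; the function names, the name-character rule and the sample claims (octo-org/widgets) are constructed for illustration.

```javascript
// Added example: claim checks for a GitHub Actions OIDC token, to be run only
// AFTER the signature has been verified against GitHub's JWKS (not shown here).
const ISSUER = "https://token.actions.githubusercontent.com"; // GitHub's OIDC issuer
const AUDIENCE = "manki-api.dustinface.me"; // audience named in step 1
const NAME_RE = /^[\w.-]+$/; // assumed rule: name characters only, no "/"

// Decode the payload segment of a compact JWT (base64url -> JSON).
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Returns null when the claims authorise a token for owner/repo, else a reason.
function checkClaims(claims, owner, repo, nowSec = Math.floor(Date.now() / 1000)) {
  if (claims.iss !== ISSUER) return "wrong issuer";
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(AUDIENCE)) return "wrong audience";
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) return "expired";
  if (typeof claims.nbf === "number" && claims.nbf > nowSec) return "not yet valid";
  // Restrict the body fields so the pair cannot contain "/" or other separators.
  if (typeof owner !== "string" || typeof repo !== "string") return "bad request body";
  if (!NAME_RE.test(owner) || !NAME_RE.test(repo)) return "bad request body";
  if (typeof claims.repository !== "string") return "missing repository claim";
  // GitHub names are case-insensitive; compare the full "owner/repo" string.
  if (claims.repository.toLowerCase() !== `${owner}/${repo}`.toLowerCase())
    return "repository mismatch";
  return null;
}

// Constructed sample token: header and signature are placeholders.
function makeSampleJwt(claims) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.c2ln`;
}

const NOW = 1700000000; // fixed clock so the sample is deterministic
const sample = makeSampleJwt({ iss: ISSUER, aud: AUDIENCE, exp: NOW + 300, nbf: NOW - 5,
  repository: "octo-org/widgets" });
console.log(checkClaims(decodePayload(sample), "octo-org", "widgets", NOW));
console.log(checkClaims(decodePayload(sample), "octo-org", "other", NOW));
```

A workflow running in octo-org/widgets is refused a token for any other repository, even when the GitHub App is installed there, because the requested pair must equal the repository claim in its own OIDC token.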

Configuration

The following secrets must be set in the Cloudflare Worker environment:

Secret            Description
APP_ID            GitHub App ID for the manki-review app
APP_PRIVATE_KEY   PEM private key for the GitHub App

wrangler secret put APP_ID
wrangler secret put APP_PRIVATE_KEY

Development

npm install
npm run dev      # local dev server
npm run deploy   # deploy to Cloudflare
