update docker file and python deps

.github/workflows/test.yaml

@@ -1,55 +1,36 @@
-name: Tests
-on: [push]
+name: action-tests
 
-jobs:
-  build-temp-container:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@master
-
-      - name: build-temp-container
-        run: |
-          echo ${PASSWORD} | docker login -u $USERNAME --password-stdin
-          docker build -t hamelsmu/app-token:temp -f prebuild.Dockerfile .
-          docker push hamelsmu/app-token:temp
-        env:
-          USERNAME: ${{ secrets.DOCKER_USERNAME }}
-          PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches: [ main ]
 
-  test-container:
-    needs: [build-temp-container]
+jobs:
+  test_defaults:
     runs-on: ubuntu-latest
+    name: Test alpine python pkgs
     steps:
-
-    - uses: actions/checkout@master
-
-    # - name: Setup tmate session
-    #   uses: mxschmitt/action-tmate@v1
-    #   env:
-    #     INPUT_APP_PEM: ${{ secrets.APP_PEM }}
-    #     INPUT_APP_ID: ${{ secrets.APP_ID }}
+      # To use this repository's private action,
+      # you must check out the repository
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
-    # tested with https://github.com/apps/fastpages-chatops
-    - name: test
-      id: test
-      uses: docker://hamelsmu/app-token:temp
-      env:
-        INPUT_APP_PEM: ${{ secrets.APP_PEM }}
-        INPUT_APP_ID: ${{ secrets.APP_ID }}
+      - name: Environment
+        run: |
+          bash -c set
 
-    - name: pre-build action image
-      run: |
-        cd $GITHUB_WORKSPACE
-        echo ${PASSWORD} | docker login -u $USERNAME --password-stdin
-        docker build -t hamelsmu/app-token -f prebuild.Dockerfile .
-        docker push hamelsmu/app-token 
-      env:
-        USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Get token local action
+        id: get_token
+        uses: ./  # Uses an action in the root directory
+        with:
+          APP_ID: ${{ vars.VCT_GHT_APP_ID }}
+          APP_PEM: ${{ secrets.VCT_GHT_APP_PEM }}
 
-       # tested withhttps://github.com/apps/fastpages-chatops
-    - name: final-test
-      uses: machine-learning-apps/actions-app-token@master
-      with:
-        APP_PEM: ${{ secrets.APP_PEM }}
-        APP_ID: ${{ secrets.APP_ID }}
+      - name: Check App Installation Token
+        run: |
+          echo "This token is masked: ${TOKEN}"
+        env:
+          TOKEN: ${{ steps.get_token.outputs.app_token }}

.gitignore

@@ -0,0 +1,133 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# user/env/test bits
+pem.txt
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+.idea

.pre-commit-config.yaml

@@ -0,0 +1,65 @@
+# To install the git pre-commit hook run:
+#   pre-commit install
+# To update the pre-commit hooks run:
+#   pre-commit install-hooks
+exclude: '^(.tox/|.*\.sh$)'
+repos:
+  - repo: meta
+    hooks:
+      - id: check-useless-excludes
+      - id: check-hooks-apply
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-ast
+      - id: check-builtin-literals
+      - id: check-merge-conflict
+      - id: debug-statements
+      - id: detect-private-key
+      - id: fix-encoding-pragma
+        args: ['--remove']
+      - id: mixed-line-ending
+        args: [--fix=lf]
+      #- id: check-json
+      - id: check-yaml
+      #  exclude: '.pep8speaks.yml'
+
+  - repo: https://github.com/ambv/black
+    rev: 24.2.0
+    hooks:
+      - id: black
+        name: "Format code"
+        language_version: python3
+
+  - repo: https://github.com/myint/autoflake
+    rev: v2.3.1
+    hooks:
+      - id: autoflake
+        files: token_getter.py
+        args:
+          - --in-place
+          - --remove-all-unused-imports
+          - --remove-duplicate-keys
+          - --remove-unused-variables
+
+  - repo: https://github.com/PyCQA/flake8
+    rev: 7.0.0
+    hooks:
+      - id: flake8
+        args: ["--max-line-length=102"]
+        additional_dependencies: ["flake8-bugbear"]
+        files: token_getter.py
+
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.8
+    hooks:
+      - id: bandit
+        args: ["-ll"]
+        files: token_getter.py
+
+  #- repo: https://github.com/lovesegfault/beautysh
+    #rev: v6.2.1
+    #hooks:
+      #- id: beautysh

.whitesource

@@ -5,4 +5,4 @@
   "issueSettings": {
     "minSeverityLevel": "LOW"
   }
-}
+}

Dockerfile

@@ -0,0 +1,13 @@
+FROM python:3.9-alpine3.16
+
+RUN apk --no-cache add git bash
+
+ADD entrypoint.sh /
+ADD token_getter.py /
+ADD requirements.txt /
+
+RUN pip install --no-cache-dir -r /requirements.txt
+
+RUN chmod u+x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -1,4 +1,4 @@
-![Actions Status](https://github.com/machine-learning-apps/actions-app-token/workflows/Tests/badge.svg)
+![Actions Status](https://github.com/VCTLabs/actions-app-token/workflows/Tests/badge.svg)
 
 # Impersonate Your GitHub App In A GitHub Action
 
@@ -9,13 +9,13 @@ This action helps you retrieve an authenticated app token with a GitHub app id a
 
 Actions have certain limitations.  Many of these limitations are for security and stability reasons, however not all of them are.  Some examples where you might want to impersonate a GitHub App temporarily in your workflow:
 
-- You want an [event to trigger a workflow](https://help.github.com/en/articles/events-that-trigger-workflows) on a specific ref or branch in a way that is not natively supported by Actions.  For example, a pull request comment fires the [issue_comment event](https://help.github.com/en/articles/events-that-trigger-workflows#issue-comment-event-issue_comment) which is sent to the default branch and not the PR's branch.  You can temporarily impersonate a GitHub App to make an event, such as a [label a pull_request](https://help.github.com/en/articles/events-that-trigger-workflows#pull-request-event-pull_request) to trigger a workflow on the right branch. This takes advantage of the fact that Actions cannot create events that trigger workflows, however other Apps can. 
+- You want an [event to trigger a workflow](https://help.github.com/en/articles/events-that-trigger-workflows) on a specific ref or branch in a way that is not natively supported by Actions.  For example, a pull request comment fires the [issue_comment event](https://help.github.com/en/articles/events-that-trigger-workflows#issue-comment-event-issue_comment) which is sent to the default branch and not the PR's branch.  You can temporarily impersonate a GitHub App to make an event, such as a [label a pull_request](https://help.github.com/en/articles/events-that-trigger-workflows#pull-request-event-pull_request) to trigger a workflow on the right branch. This takes advantage of the fact that Actions cannot create events that trigger workflows, however other Apps can.
 
 # Usage
 
 1. If you do not already own a GitHub App you want to impersonate, [create a new GitHub App](https://developer.github.com/apps/building-github-apps/creating-a-github-app/) with your desired permissions.  If only creating a new app for the purposes of impersonation by Actions, you do not need to provide a `Webhook URL or Webhook Secret`
 
-2. Install the App on your repositories. 
+2. Install the App on your repositories.
 
 3. See [action.yml](action.yml) for the api spec.
 
@@ -33,7 +33,7 @@ steps:
 - name: Get App Installation Token
   run: |
     echo "This token is masked: ${TOKEN}"
-  env: 
+  env:
     TOKEN: ${{ steps.get_token.outputs.app_token }}
 ```
 
@@ -46,7 +46,7 @@ cat your_app_key.pem | base64 -w 0 && echo
 
 ## Mandatory Inputs
 
-- `APP_PEM`: description: string version of your PEM file used to authenticate as a GitHub App. 
+- `APP_PEM`: description: string version of your PEM file used to authenticate as a GitHub App.
 
 - `APP_ID`: your GitHub App ID.
 

action.yml

@@ -6,7 +6,7 @@ inputs:
     description: a base64 encoded string version of your PEM file used to authenticate as a GitHub App.  You can apply this encoding in the terminal `cat key.pem | base64`
     required: true
   APP_ID:
-    description: you GITHUB App ID.
+    description: your GITHUB App ID.
     required: true
 outputs:
   app_token:
@@ -16,4 +16,4 @@ branding:
   icon: 'unlock'
 runs:
   using: 'docker'
-  image: 'docker://hamelsmu/app-token'
+  image: 'Dockerfile'

entrypoint.sh

@@ -1,4 +1,5 @@
-#!/bin/bash
+#! /usr/bin/env bash
 
 echo $INPUT_APP_PEM | base64 -d > pem.txt
-python /app/token_getter.py
+#echo $INPUT_APP_PEM > pem.txt
+python token_getter.py

requirements.txt

@@ -0,0 +1,5 @@
+#cryptography==42.0.5
+github3.py==4.0.1
+#jwcrypto==1.5.6
+#pyjwt==2.8.0
+jwt==1.3.1