
Failing to get installation ID on self-hosted runner on GitHub Enterprise

Open slarwise opened this issue 1 year ago • 2 comments

When using actions/create-github-app-token@v1 on a self-hosted runner on GitHub Enterprise, the action fails to get the installation ID. Doing the manual steps with curl works, following the docs here.

Do you know if there is a difference between the manual way and the one using this action? The GitHub Enterprise server is running version v3.14.2.

on:
  pull_request:
    branches:
      - main
  workflow_dispatch: {}
jobs:
  get-app-token-with-action:
    runs-on: self-hosted
    steps:
      - uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.DEBUG_APP_ID }}
          private-key: ${{ secrets.DEBUG_APP_PRIVATE_KEY }}
          owner: myorg
  get-app-token-manually:
    runs-on: self-hosted
    steps:
      - run: |
          # https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#example-using-bash-to-generate-a-jwt
          set -o pipefail

          app_id="${{ secrets.DEBUG_APP_ID }}"
          pem="${{ secrets.DEBUG_APP_PRIVATE_KEY }}"

          now=$(date +%s)
          iat=$((${now} - 60))  # Issues 60 seconds in the past
          exp=$((${now} + 600)) # Expires 10 minutes in the future

          b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }

          header_json='{
              "typ":"JWT",
              "alg":"RS256"
          }'
          header=$(echo -n "${header_json}" | b64enc)

          payload_json="{
              \"iat\":${iat},
              \"exp\":${exp},
              \"iss\":\"${app_id}\"
          }"
          payload=$(echo -n "${payload_json}" | b64enc)

          header_payload="${header}"."${payload}"
          signature=$(
              openssl dgst -sha256 -sign <(echo -n "${pem}") \
                  <(echo -n "${header_payload}") | b64enc
          )

          jwt="${header_payload}"."${signature}"

          # https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app#generating-an-installation-access-token
          installation_id="$(curl https://github.myorg.com/api/v3/orgs/myorg/installation --oauth2-bearer "$jwt" | jq -r .id)"
          curl --request POST \
              --url "https://github.myorg.com/api/v3/app/installations/${installation_id}/access_tokens" \
              --oauth2-bearer "$jwt" \
              --header "Accept: application/vnd.github+json" \
              --header "X-GitHub-Api-Version: 2022-11-28"              

Output of get-app-token-with-action:

repositories not set, creating token for all repositories for given owner "myorg"
Failed to create token for "myorg" (attempt 1): Request was cancelled.
Failed to create token for "myorg" (attempt 2): Request was cancelled.
Failed to create token for "myorg" (attempt 3): Request was cancelled.
Failed to create token for "myorg" (attempt 4): Request was cancelled.
RequestError [HttpError]: Request was cancelled.
    at fetchWrapper (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:37063:26)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async hook4 (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39476:18)
    at async getTokenFromOwner (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39769:20)
    at async RetryOperation._fn (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39667:24) {
  status: 500,
  request: {
    method: 'GET',
    url: 'https://github.myorg.com/api/v3/orgs/myorg/installation',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'actions/create-github-app-token',
      authorization: 'bearer [REDACTED]'
    },
    request: {
      fetch: [Function: proxyFetch],
      hook: [Function: bound hook4] AsyncFunction
    }
  },
  response: undefined,
  cause: TypeError: fetch failed
      at fetch (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:36589:17)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async fetchWrapper (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:37037:21)
      at async hook4 (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39476:18)
      at async getTokenFromOwner (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39769:20)
      at async RetryOperation._fn (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39667:24) {
Error: use]: DOMException [Error]: Request was cancelled.
        at new DOMException (node:internal/per_context/domexception:53:5)
        at makeAppropriateNetworkError (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:30488:182)
        at httpNetworkFetch (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:32166:18)
        at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
        at async httpNetworkOrCacheFetch (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:32042:33)
        at async httpFetch (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:31877:37)
        at async /runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:31643:20
        at async mainFetch (/runner/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:31633:20) {
      cause: [RequestAbortedError]
    }
  },
  attemptNumber: 4,
  retriesLeft: 0
}

Output of get-app-token-manually:

Run # https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#example-using-bash-to-generate-a-jwt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1862  100  1862    0     0  20688      0 --:--:-- --:--:-- --:--:-- 20688
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   207  100   207    0     0   2029      0 --:--:-- --:--:-- --:--:--  2009
100   207  100   207    0     0   2009      0 --:--:-- --:--:-- --:--:--  2009
{
  "token": "***",
  "expires_at": "2024-***-04T13:50:37Z",
  "permissions": {
    "contents": "read",
    "metadata": "read"
  },
  "repository_selection": "selected"
}

slarwise, Nov 04 '24 15:11

This has been an issue since version 1.8.0, because of how the proxy function is implemented. After some debugging, we had to revert to 1.7.0 for now.

bacterik, Jan 08 '25 11:01
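
The comment above points at proxy handling, and the failing request in the trace goes through `fetch: [Function: proxyFetch]`, so a useful first check on the runner is which proxy settings its environment exposes for the GHES host. The script below is an added example, not code from this thread or from the action; the `NO_PROXY` matching rule it applies is an assumed common convention (not the action's own logic), and `proxy-check.sh` is a hypothetical file name.

```shell
#!/bin/sh
# Added diagnostic; not from the thread or the action's source.
# Assumed NO_PROXY convention: comma-separated host names; "*" exempts
# everything; an entry matches the host itself or any subdomain of it;
# a leading "." and a trailing ":port" on an entry are ignored.

# Print the lower-cased host of a URL (scheme, userinfo, port, path removed).
host_from_url() {
    h=${1#*://}; h=${h%%/*}; h=${h##*@}; h=${h%%:*}
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# Return 0 if host $1 is exempt from proxying under the list in $2.
no_proxy_matches() {
    host=$1; matched=1
    old_ifs=$IFS; IFS=,; set -f   # split on commas; keep "*" literal
    for entry in $2; do
        entry=$(printf '%s' "$entry" | tr -d ' ' | tr 'A-Z' 'a-z')
        entry=${entry%%:*}; entry=${entry#.}
        case $entry in
            '') ;;
            '*') matched=0 ;;
            *) case $host in "$entry"|*".$entry") matched=0 ;; esac ;;
        esac
    done
    IFS=$old_ifs; set +f
    return "$matched"
}

# Print "direct" or "via host:port" for an HTTPS URL, from the environment.
# Proxy credentials are stripped so they never reach the job log.
proxy_decision() {
    target=$(host_from_url "$1")
    proxy=${https_proxy:-${HTTPS_PROXY:-}}
    exempt=${no_proxy:-${NO_PROXY:-}}
    if [ -z "$proxy" ] || no_proxy_matches "$target" "$exempt"; then
        echo "direct"
    else
        p=${proxy#*://}; p=${p##*@}; p=${p%%/*}
        echo "via $p"
    fi
}

# Usage: sh proxy-check.sh https://github.myorg.com/api/v3
if [ "$#" -gt 0 ]; then proxy_decision "$1"; fi
```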

That's good to know, thanks for sharing @bacterik. We will try to reproduce the problem on our side.

gr2m, Apr 29 '25 19:04

This issue has been marked https://github.com/actions/create-github-app-token/labels/stale because it has been open for 180 days with no activity. Please close this issue if it is no longer needed. If this issue is still relevant and you would like it to remain open, simply update it within the next 60 days.

github-actions[bot], Nov 22 '25 08:11

This is not stale, and is still an issue for us.

ahockersten, Nov 24 '25 14:11