feat: Add support to authentication via GitHub Apps (#70)

Krusty93 · web-flow · commit 395f650f4703 · 2026-02-13T14:37:10.000+01:00
diff --git a/github-runner-entrypoint.sh b/github-runner-entrypoint.sh
@@ -62,7 +62,7 @@ if [ -n "$GITHUB_REPOSITORY" ] && [ -n "$GITHUB_TOKEN" ]; then
   ./run.sh
   echo "🚀 Executing GitHub Runner for $GITHUB_REPOSITORY"
 
-else
+elif [ -n "$GITHUB_PAT" ]; then
 
   # Retrieve a short lived runner registration token using the PAT
   REGISTRATION_TOKEN="$(curl -X POST -fsSL \
@@ -86,4 +86,89 @@ else
   export GITHUB_PAT=_REDACTED_
   export REGISTRATION_TOKEN=_REDACTED_
 
+elif [ -n "$GITHUB_APP_ID" ] && [ -n "$GITHUB_APP_KEY" ] && [ -n "$GITHUB_APP_INSTALLATION_ID" ] && [ -n "$REGISTRATION_TOKEN_API_URL" ] && [ -n "$REPO_URL" ]; then
+
+  app_id="$GITHUB_APP_ID"
+  pem_path="$(mktemp /tmp/github-app-key.XXXXXX.pem)"
+  chmod 600 "$pem_path"
+  trap 'rm -f "$pem_path"' EXIT INT TERM HUP
+  printf '%b\n' "$GITHUB_APP_KEY" > "$pem_path"
+
+  now=$(date +%s)
+  iat=$((${now} - 60)) # Issues 60 seconds in the past
+  exp=$((${now} + 600)) # Expires 10 minutes in the future
+
+  b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+
+  header_json='{
+      "typ":"JWT",
+      "alg":"RS256"
+  }'
+  # Header encode
+  header=$( echo -n "${header_json}" | b64enc )
+
+  payload_json="{
+      \"iat\":${iat},
+      \"exp\":${exp},
+      \"iss\":\"${app_id}\"
+  }"
+  # Payload encode
+  payload=$( echo -n "${payload_json}" | b64enc )
+
+  # Signature
+  header_payload="${header}"."${payload}"
+  signature=$(
+      openssl dgst -sha256 -sign "${pem_path}" \
+      <(echo -n "${header_payload}") | b64enc
+  )
+
+  # Create JWT
+  JWT="${header_payload}"."${signature}"
+
+  ACCESS_TOKEN="$(curl -fsSL --request POST \
+    --header 'Accept: application/vnd.github+json' \
+    --header "Authorization: Bearer $JWT" \
+    --header 'X-GitHub-Api-Version: 2022-11-28' \
+    "https://api.github.com/app/installations/$GITHUB_APP_INSTALLATION_ID/access_tokens" \
+    | jq -r '.token')"
+
+  if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+    echo "❌ Failed to retrieve GitHub App access token"
+    exit 1
+  fi
+
+  # Retrieve a short lived runner registration token using the ACCESS_TOKEN
+  REGISTRATION_TOKEN="$(curl -X POST -fsSL \
+    -H 'Accept: application/vnd.github.v3+json' \
+    -H "Authorization: Bearer $ACCESS_TOKEN" \
+    -H 'X-GitHub-Api-Version: 2022-11-28' \
+    "$REGISTRATION_TOKEN_API_URL" \
+    | jq -r '.token')"
+
+  #<https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners>
+  ./config.sh \
+    --url "${REPO_URL}" \
+    --token "${REGISTRATION_TOKEN}" \
+    --unattended \
+    --disableupdate \
+    --ephemeral \
+    --replace \
+    --labels "$LABELS" \
+    && ./run.sh
+
+  export signature=_REDACTED_
+  export JWT=_REDACTED_
+  export GITHUB_APP_KEY=_REDACTED_
+  export ACCESS_TOKEN=_REDACTED_
+  export REGISTRATION_TOKEN=_REDACTED_
+
+else
+
+  echo "❌ No valid authentication method configured."
+  echo "Please set one of the following:"
+  echo "  - GITHUB_REPOSITORY and GITHUB_TOKEN (legacy)"
+  echo "  - GITHUB_PAT, REGISTRATION_TOKEN_API_URL, and REPO_URL"
+  echo "  - GITHUB_APP_ID, GITHUB_APP_KEY, GITHUB_APP_INSTALLATION_ID, REGISTRATION_TOKEN_API_URL, and REPO_URL"
+  exit 1
+
 fi
