feat: Add support to authentication via GitHub Apps

.github/workflows/trivy.yml

@@ -24,13 +24,13 @@ jobs:
     steps:
 
       - name: Checkout code
-        uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Docker meta
-        uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         id: meta
         with:
           images: |
@@ -39,7 +39,7 @@ jobs:
             type=sha,enable=true,format=long
 
       - name: Build Docker image
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: .
           load: true
@@ -51,7 +51,7 @@ jobs:
           platforms: linux/amd64
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # v0.17.0
+        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
         with:
           image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}'
           format: 'sarif'
@@ -60,6 +60,6 @@ jobs:
           timeout: '10m0s'
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@592977e6ae857384aa79bb31e7a1d62d63449ec5 # v2.16.3
+        uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
         with:
           sarif_file: 'trivy-results.sarif'

github-runner-entrypoint.sh

@@ -62,7 +62,7 @@ if [ -n "$GITHUB_REPOSITORY" ] && [ -n "$GITHUB_TOKEN" ]; then
   ./run.sh
   echo "🚀 Executing GitHub Runner for $GITHUB_REPOSITORY"
 
-else
+elif [ -n "$GITHUB_PAT" ]; then
 
   # Retrieve a short lived runner registration token using the PAT
   REGISTRATION_TOKEN="$(curl -X POST -fsSL \
@@ -86,4 +86,89 @@ else
   export GITHUB_PAT=_REDACTED_
   export REGISTRATION_TOKEN=_REDACTED_
 
+elif [ -n "$GITHUB_APP_ID" ] && [ -n "$GITHUB_APP_KEY" ] && [ -n "$GITHUB_APP_INSTALLATION_ID" ] && [ -n "$REGISTRATION_TOKEN_API_URL" ] && [ -n "$REPO_URL" ]; then
+
+  app_id="$GITHUB_APP_ID"
+  pem_path="$(mktemp /tmp/github-app-key.XXXXXX.pem)"
+  chmod 600 "$pem_path"
+  trap 'rm -f "$pem_path"' EXIT INT TERM HUP
+  printf '%b\n' "$GITHUB_APP_KEY" > "$pem_path"
+
+  now=$(date +%s)
+  iat=$((${now} - 60)) # Issues 60 seconds in the past
+  exp=$((${now} + 600)) # Expires 10 minutes in the future
+
+  b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+
+  header_json='{
+      "typ":"JWT",
+      "alg":"RS256"
+  }'
+  # Header encode
+  header=$( echo -n "${header_json}" | b64enc )
+
+  payload_json="{
+      \"iat\":${iat},
+      \"exp\":${exp},
+      \"iss\":\"${app_id}\"
+  }"
+  # Payload encode
+  payload=$( echo -n "${payload_json}" | b64enc )
+
+  # Signature
+  header_payload="${header}"."${payload}"
+  signature=$(
+      openssl dgst -sha256 -sign "${pem_path}" \
+      <(echo -n "${header_payload}") | b64enc
+  )
+
+  # Create JWT
+  JWT="${header_payload}"."${signature}"
+
+  ACCESS_TOKEN="$(curl -fsSL --request POST \
+    --header 'Accept: application/vnd.github+json' \
+    --header "Authorization: Bearer $JWT" \
+    --header 'X-GitHub-Api-Version: 2022-11-28' \
+    "https://api.github.com/app/installations/$GITHUB_APP_INSTALLATION_ID/access_tokens" \
+    | jq -r '.token')"
+
+  if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+    echo "❌ Failed to retrieve GitHub App access token"
+    exit 1
+  fi
+
+  # Retrieve a short lived runner registration token using the ACCESS_TOKEN
+  REGISTRATION_TOKEN="$(curl -X POST -fsSL \
+    -H 'Accept: application/vnd.github.v3+json' \
+    -H "Authorization: Bearer $ACCESS_TOKEN" \
+    -H 'X-GitHub-Api-Version: 2022-11-28' \
+    "$REGISTRATION_TOKEN_API_URL" \
+    | jq -r '.token')"
+
+  #<https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners>
+  ./config.sh \
+    --url "${REPO_URL}" \
+    --token "${REGISTRATION_TOKEN}" \
+    --unattended \
+    --disableupdate \
+    --ephemeral \
+    --replace \
+    --labels "$LABELS" \
+    && ./run.sh
+
+  export signature=_REDACTED_
+  export JWT=_REDACTED_
+  export GITHUB_APP_KEY=_REDACTED_
+  export ACCESS_TOKEN=_REDACTED_
+  export REGISTRATION_TOKEN=_REDACTED_
+
+else
+
+  echo "❌ No valid authentication method configured."
+  echo "Please set one of the following:"
+  echo "  - GITHUB_REPOSITORY and GITHUB_TOKEN (legacy)"
+  echo "  - GITHUB_PAT, REGISTRATION_TOKEN_API_URL, and REPO_URL"
+  echo "  - GITHUB_APP_ID, GITHUB_APP_KEY, GITHUB_APP_INSTALLATION_ID, REGISTRATION_TOKEN_API_URL, and REPO_URL"
+  exit 1
+
 fi