Api: add endpoint for getting github app token

2025-12-20 09:14:22 +01:00 · 2025-07-11 05:01:27 +08:00
parent 85805d2c38
commit 1c4fd7f28f
8 changed files with 119 additions and 21 deletions
--- a/packages/function/package.json
+++ b/packages/function/package.json
@@ -8,5 +8,9 @@
    "@cloudflare/workers-types": "4.20250522.0",
    "typescript": "catalog:",
    "@types/node": "catalog:"
+  },
+  "dependencies": {
+    "@octokit/auth-app": "8.0.1",
+    "jose": "6.0.11"
  }
 }
--- a/packages/function/src/api.ts
+++ b/packages/function/src/api.ts
@@ -1,5 +1,8 @@
 import { DurableObject } from "cloudflare:workers"
 import { randomUUID } from "node:crypto"
+import { jwtVerify, createRemoteJWKSet } from "jose"
+import { createAppAuth } from "@octokit/auth-app"
+import { Resource } from "sst"

 type Env = {
  SYNC_SERVER: DurableObjectNamespace<SyncServer>
@@ -218,5 +221,42 @@ export default {
        },
      )
    }
+
+    if (request.method === "POST" && method === "exchange_github_app_token") {
+      const EXPECTED_AUDIENCE = "opencode-github-action"
+      const GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
+      const JWKS_URL = `${GITHUB_ISSUER}/.well-known/jwks`
+
+      // get Authorization header
+      const authHeader = request.headers.get("Authorization")
+      const token = authHeader?.replace(/^Bearer /, "")
+      if (!token) return new Response("Error: authorization header is required", { status: 401 })
+
+      // verify token
+      const JWKS = createRemoteJWKSet(new URL(JWKS_URL))
+      try {
+        await jwtVerify(token, JWKS, {
+          issuer: GITHUB_ISSUER,
+          audience: EXPECTED_AUDIENCE,
+        })
+      } catch (err) {
+        console.error("Token verification failed:", err)
+        return new Response(JSON.stringify({ error: "Invalid or expired token" }), {
+          status: 403,
+          headers: { "Content-Type": "application/json" },
+        })
+      }
+
+      // Create app token
+      const auth = createAppAuth({
+        appId: Resource.GITHUB_APP_ID.value,
+        privateKey: Resource.GITHUB_APP_PRIVATE_KEY.value,
+      })
+      const appAuthentication = await auth({ type: "app" })
+
+      return new Response(JSON.stringify({ token: appAuthentication.token }), {
+        headers: { "Content-Type": "application/json" },
+      })
+    }
  },
 }
--- a/packages/function/sst-env.d.ts
+++ b/packages/function/sst-env.d.ts
@@ -6,20 +6,28 @@
 import "sst"
 declare module "sst" {
  export interface Resource {
-    Web: {
-      type: "sst.cloudflare.Astro"
-      url: string
+    "GITHUB_APP_ID": {
+      "type": "sst.sst.Secret"
+      "value": string
+    }
+    "GITHUB_APP_PRIVATE_KEY": {
+      "type": "sst.sst.Secret"
+      "value": string
+    }
+    "Web": {
+      "type": "sst.cloudflare.Astro"
+      "url": string
    }
  }
 }
-// cloudflare
-import * as cloudflare from "@cloudflare/workers-types"
+// cloudflare 
+import * as cloudflare from "@cloudflare/workers-types";
 declare module "sst" {
  export interface Resource {
-    Api: cloudflare.Service
-    Bucket: cloudflare.R2Bucket
+    "Api": cloudflare.Service
+    "Bucket": cloudflare.R2Bucket
  }
 }

 import "sst"
-export {}
+export {}