Move Zapier security workflow to a GitHub App #2575

trask · 2025-02-16T21:53:23Z

This should be more secure, and also make it clearer to maintainers that it isn't @trask adding them as collaborators (since it's been using my PAT since #2420).

It took me a while to figure out the JWT signing in Zapier since only the standard node.js library is available, so adding the script here to at least dump it somewhere for tracking. Will discuss with Project Infra SIG where to store it long-term.

GitHub App JWT signing under Zapier library restrictions

const crypto = require('crypto');
const signatureFunction = crypto.createSign('RSA-SHA256');

function base64UrlEncoded(obj) {
    const base64 = Buffer.from(JSON.stringify(obj)).toString('base64');
	return base64ToBase64UrlEncoded(base64);
}

function base64ToBase64UrlEncoded(base64) {
    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const headerObj = {
    alg: 'RS256',
    typ: 'JWT',
};

const payloadObj = {
    iat: Math.round(Date.now() / 1000),
    exp: Math.round(Date.now() / 1000) + 120, // 2 minutes from now
    iss: inputData.clientId
};

const header = base64UrlEncoded(headerObj);
const payload = base64UrlEncoded(payloadObj);

signatureFunction.write(header + '.' + payload);
signatureFunction.end();

const signature = base64ToBase64UrlEncoded(signatureFunction.sign(inputData.privateKey, 'base64'));

const jwt = header + "." + payload + "." + signature

var response = await fetch('https://api.github.com/app/installations', {
    headers: {
        'Authorization': `Bearer ${jwt}`,
        'Accept': 'application/vnd.github+json'
    }
});

var body = await response.json();

response = await fetch(body[0].access_tokens_url, {
    method: 'POST',
    headers: {
        'Authorization': `Bearer ${jwt}`,
        'Accept': 'application/vnd.github+json'
    }
});

body = await response.json();

var token = body.token;

response = await fetch(inputData.repositoryTeamsUrl, {
    headers: {
        'Authorization': `Bearer ${token}`,
        'Accept': 'application/vnd.github+json'
    }
});

body = await response.json();

const maintainer_team_slugs = body.filter(team => team.permissions.maintain)
                                  .map(team => team.slug);

response = await fetch(inputData.repositoryAdvisoryUrl, {
    method: 'PATCH',
    headers: {
        'Authorization': `Bearer ${token}`,
        'Accept': 'application/vnd.github+json'
    },
    body: JSON.stringify({
        "collaborating_teams": maintainer_team_slugs
    })
})

body = await response.json();

return {
    status: response.status,
    body: body
}

The text was updated successfully, but these errors were encountered:

trask · 2025-02-18T21:33:38Z

Considering to create sig-project-infra repo

trask added this to Project Infrastructure (Tooling) SIG Feb 16, 2025

svrnm added area/project-infra Non-GitHub project infra (DockerHub, etc.) area/security labels Feb 17, 2025

trask self-assigned this Feb 18, 2025

trask added the triage:deciding This issue needs more discussion or consideration. label Feb 18, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Move Zapier security workflow to a GitHub App #2575

Move Zapier security workflow to a GitHub App #2575

trask commented Feb 16, 2025 •

edited

Loading

trask commented Feb 18, 2025

Move Zapier security workflow to a GitHub App #2575

Move Zapier security workflow to a GitHub App #2575

Comments

trask commented Feb 16, 2025 • edited Loading

trask commented Feb 18, 2025

trask commented Feb 16, 2025 •

edited

Loading