Generate Github self-hosted runner token automatically - github

I'm attempting to create a Terraform-integrated script that will create and configure a Google Cloud VM that will install Github Runner as self-hosted. The repository is under my workplace's 'organization' and it is closed to the public. Everything goes smoothly until I need to configure the runner. In repository instructions for creating self-hosted runner written as this:
# Create the runner and start the configuration experience
$ ./config.cmd --url https://github.com/my_work_place_organizaiton_name/repository_name --token ASZER2QS4UVEAL3YLMZ3DIMUIC
The issue is that, because it is an unattended script, it will run entirely on its own with no strings attached, and everything should be generated as automatically as possible. So I need a way to generate/retrieve this token ASZER2QS4UVEAL3YLMZ3DIMUIC automatically.
I think I found a way (correct me if I wrong) here: Create a registration token for an organization. So far so good. I managed to create a powershell script to execute all steps in new Github self-hosted runner until the step where I need to generate token. Once I run the command (even in Github CLI) I get an error back like this:
gh api --method POST -H "Accept: application/vnd.github+json" /orgs/my_work_place_organizaiton_name/actions/runners/registration-token
{
"message": "Must have admin rights to Repository.",
"documentation_url": "https://docs.github.com/rest/reference/actions#create-a-registration-token-for-an-organization"
}
gh: Must have admin rights to Repository. (HTTP 403)
gh: This API operation needs the "admin:org" scope. To request it, run: gh auth refresh -h github.com -s admin:org
I am an admin in this repository but not in the organization, and I am afraid that no one will grant me admin access to the organization, and even more, I cannot simply put admin:org credentials in some script - this is a "no go."
So, my question is, how can I fully automate the generation of this Github token (which is generated for everyone in the instructions page without any admin privileges)?

After a lot of try and catches it seems I found an answer. What is work for me is generating token for repository and not generating token for repository in organization.
According to Github documentation: Create a registration token for a repository this is a POST request you must send from Github CLI for example:
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
/repos/OWNER/REPO/actions/runners/registration-token
and according to documentation:
OWNER
string
Required
The account owner of the repository. The name is not case sensitive.
REPO
string
Required
The name of the repository. The name is not case sensitive.
So I put my organization name as an OWNER and not my username and voila ! it is worked !
so - instead sending request as:
/repos/my_user_name/REPO/actions/runners/registration-token
I send it as:
/repos/my_organization_name/REPO/actions/runners/registration-token
and immediately get a valid token back.

Related

Accessing another repository from within GitHub Actions without using PAT

Within a GitHub Actions workflow in repository A we are trying to download release assets from another private repository B. Therefore the runner (running in a workflow in repo A) needs to authenticate against repository B.
There seem to be 2 possible solutions for that:
Create a private access token (PAT)
Create a GitHub application and use that for authenticating
Since we do not want this setup to be dependent on individual users, option 1) seems like the wrong approach. But we somehow got stuck with option 2). What we did so far:
Create a GitHub application (not oauth, since it should be independent of the user)
Grant all permissions for repositories to this app
Install the app in our organisation
Generate an app private key and create a JWT token following the documentation here
Sending a curl request with this generated JWT token, like
curl -i -X POST \
-H "Authorization: Bearer YOUR_JWT" \
-H "Accept: application/vnd.github+json" \
https://api.github.com/app/installations/:installation_id/access_tokens
But this request always gives us a 401.
So first question is: are we on the right track here? Second question would be: how can we make this work?
It also puzzles us that we would have to re-create the JWT token with every workflow run (since we cannot use a long enough expiration time), and would rather like to have something that can be put into the secrets store of the workflow.

How to invite a user to a private github repo within an organisation using the command line

I am trying to add users to a private Github repo within an organisation. Starting from this post, I've simply changed the API endpoint to cope with organizations (as explained here), and I end up with the following command:
gh api orgs/MY_ORG/repos/MY_USER_NAME/MY_REPO/collaborators/COLLABORATOR_USER_NAME -f '{"permission":"maintain"}';
This command systematically returns a 404 error (note that I also get a 404 when I just try to check if a user has access to a repo, i.e. the GET version of the above command).
I also need to mention that this doesn't seem to be a trivial gh auth login issue since a command like gh repo create MY_ORG/MY_REPO works fine.
Here is also some technical details:
os: macosx 10.15.16
git: 2.24.3
gh: 1.1.0
I take the initiative to answer my own question here since after some investigations (thanks to mislav for his help) and trials and errors, I ve found the proper way to add collaborators to a GitHub repo within an organization with the CLI. I think it is worth posting it, hopefully this will help others.
Invite an outside collaborator to a repo within an organization
gh api -X PUT repos/:org/:repo/collaborators/:username -f permission=:perm
the -X PUT specifies that the request is a PUT and not a GET (default request). The repo's identifier is specified by :org/:repo (note that if the repo is not under an organization, the identifier will be :owner/:repo). The :perm argument indicates the type of access, the default value is push (see here)
So assume I want to provide admin access to jonsnow to the repo winterfell under the organization got, I will use the following command
gh api -X PUT repos/got/winterfell/collaborators/jonsnow -f permission=admin
Note that if you send an invite for the repo directly, the user will appear as an outside collaborator (not as an organization member)
Add a member to the organization and invite him to a repo
You just need to include the user as a member to the organisation beforehand with
gh api -X PUT /orgs/:org/memberships/:username -f role=:role
and then you can provide him access to a specific repo with the same command as above, i.e.
gh api -X PUT repos/:org/:repo/collaborators/:username -f permission=:perm
Note that the value for the various :role can be found here
You can set organization membership for a user
put /orgs/{org}/memberships/{username}
You can add a collaborator to a repo
put /repos/{owner}/{repo}/collaborators/{username}
But I don't think you can combine the two (add a collaborator to an org repo)
That is because that collaborator need to be a member of the organisation first (so receive and accept the invitation), before being added to a repository.

How to invite people to private GitHub repo through command line interface?

Usually one must click link "Invite teams or people" after accessing "https://github.com///settings/access" in a web browser.
But, I wish to do this through a command line interface, because I must invite
many persons. Is it possible?
You could use the GitHub API in order to add a collaborator
PUT /repos/:owner/:repo/collaborators/:username
See for instance here:
curl -H "Authorization: token YOUR_TOKEN" "https://api.github.com/repos/YOUR_USER_NAME/YOUR_REPO/collaborators/COLLABORATOR_USER_NAME" -X PUT -d '{"permission":"admin"}'
With permission level being one of:
pull - can pull, but not push to or administer this repository.
push - can pull and push, but not administer this repository.
admin - can pull, push and administer this repository.
maintain - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
triage - Recommended for contributors who need to proactively manage issues and pull requests without write access.
(default is "push")
Update Sept. 2020, considering GitHub CLI gh is now 1.0, it could be a good feature to add (a kind of gh repo invite)
In the meantime, you can use gh pi to make a similar API call, automatically authenticated, with -f to add POST fields.
gh api repos/YOUR_USER_NAME/YOUR_REPO/collaborators/COLLABORATOR_USER_NAME" -f '{"permission":"admin"}'
An alternative using hub:
1- Check all users with permissions in your repo:
hub api --flat 'repos/YOUR_USER_OR_ORGANIZATION_NAME/YOUR_REPO/collaborators' | grep -E 'login|permissions'
2- Give permission to an user :
hub api 'repos/YOUR_USER_OR_ORGANIZATION_NAME/YOUR_REPO/collaborators/COLLABORATOR_USER_NAME' -H X:PUT -H d:'{"permission":"admin"}'
You can use the github cli or call the github api directly through curl. In this example I add a member to a company repo using the github cli:
gh api "orgs/$target_repo/teams/$team/repos/$target_repo/$repo_new_name" -X PUT -f permission=admin
Also see the docs: https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions
For your situation you can use this endpoint:
https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator

Create github issue from travis.yaml

I am looking for some ways to create a github issue from travis.
I am calling some scripts in travis.yaml file and I need to create a github issue when travis is executed. I came across documents on calling github APIS using curl command.
Eg: curl -u $username -i -H "Content-Type: application/json" -X POST --data '{"title":"'$title'", "body":"'$body'"}' https://api.github.com/repos/$username/$repo_name/issues
Instead of username , since the build is triggered via travis, should I use github tokens? Is there any environment variable available which represents github token.
Found the answer myself. Create a github token using the github API and add that as ENV variable to your Travis CI settings.
This token can be used to perform the curl operation in travis shell script.
Helpful link : https://blogs.infosupport.com/accessing-githubs-rest-api-with-curl/

Github v3 API - create a REPO

I’m trying to use the Github v3 API - I already implemented the required OAuth flow and it works well.
Now I’m trying some of the Repos API endpoints (http://developer.github.com/v3/repos/).
So far, I’m able to get a List of my repos using: GET /user/repos
However, when I try to create a repo using POST /user/repos, I get a 404.
Any thoughts what I might be doing wrong?
Joubert
Can you please tell us how exactly you did the HTTP request? The 404 sounds like you were using a wrong path, probably. But to give a reliable answer instead a wild guess, we need to see your request, including how you are sending your token, just mask it with 'xxx' or something.
I'll show you in the meantime an example request, that is working:
curl -XPOST -H 'Authorization: token S3CR3T' https://api.github.com/user/repos -d '{"name":"my-new-repo","description":"my new repo description"}'
You would need to replace the OAuth token of course: S3CR3T
I had the same issue. The reason why you are getting a 404 with your oauth access token is that when you authorize to github you need to also additionally pass the scopes you want. For example, in the header you should see "X-OAuth-Scopes: repo, user", which means this user has read/write access to his profile and repositories. Once you have set the correct scopes you should be able to do POST/PUT requests just fine.
To see whether or not you have the correct permissions. You can do something like the following. Substitute the XXXXXXX with your access token.
curl -I https://api.github.com/user?access_token=XXXXXXXX
For creating repositories as a user you can use an personal access token and basic auth, which can be much simpler when you are fluffing around on the command line and have 2FA enabled.
curl -d '{"name":"test"}' -u githubuser:personaccesstoken https://api.github.com/user/repos
Create a personal access token here https://github.com/settings/tokens and make sure it has the 'repo' scope.
This script lets you read in in the token and project name as variables so you can use it in a script
#!/usr/bin/env bash -u
#
TOKEN=`cat token_file`
PROJECT=myproject
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d '{"name": "'"$PROJECT"'"}' https://api.github.com/user/repos?access_token=$TOKEN