microsoft · freddydk · Nov 17, 2024 · Nov 17, 2024 · Nov 17, 2024 · Nov 17, 2024
@@ -19,7 +19,7 @@ $defaultCICDPushBranches = @( 'main', 'release/*', 'feature/*' )
 $defaultCICDPullRequestBranches = @( 'main' )
 $runningLocal = $local.IsPresent
 $defaultBcContainerHelperVersion = "preview" # Must be double quotes. Will be replaced by BcContainerHelperVersion if necessary in the deploy step - ex. "https://github.com/organization/navcontainerhelper/archive/refs/heads/branch.zip"
-$notSecretProperties = @("Scopes","TenantId","BlobName","ContainerName","StorageAccountName","ServerUrl","ppUserName")
+$notSecretProperties = @("Scopes","TenantId","BlobName","ContainerName","StorageAccountName","ServerUrl","ppUserName","GitHubAppClientId")
 
 $runAlPipelineOverrides = @(
     "DockerPull"
@@ -1315,12 +1315,13 @@ function CloneIntoNewFolder {
     $baseFolder = Join-Path ([System.IO.Path]::GetTempPath()) ([Guid]::NewGuid().ToString())
     New-Item $baseFolder -ItemType Directory | Out-Null
     Set-Location $baseFolder
-    $serverUri = [Uri]::new($env:GITHUB_SERVER_URL)
-    $serverUrl = "$($serverUri.Scheme)://$($actor):$($token)@$($serverUri.Host)/$($env:GITHUB_REPOSITORY)"
 
     # Environment variables for hub commands
     $env:GITHUB_USER = $actor
-    $env:GITHUB_TOKEN = $token
+    $env:GITHUB_TOKEN = GetRealToken -token $token
+
+    $serverUri = [Uri]::new($env:GITHUB_SERVER_URL)
+    $serverUrl = "$($serverUri.Scheme)://$($env:GITHUB_USER):$($env:GITHUB_TOKEN)@$($serverUri.Host)/$($env:GITHUB_REPOSITORY)"
 
     # Configure git
     invoke-git config --global user.email "[email protected]"

@@ -27,15 +27,12 @@ if ($update -eq 'Y') {
         throw "A personal access token with permissions to modify Workflows is needed. You must add a secret called GhTokenWorkflow containing a personal access token. You can Generate a new token from https://github.com/settings/tokens. Make sure that the workflow scope is checked."
     }
     else {
-        $token = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($token))
+        $token = GetRealToken -token ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($token)))
     }
 }
 
 # Use Authenticated API request to avoid the 60 API calls per hour limit
-$headers = @{
-    "Accept" = "application/vnd.github.baptiste-preview+json"
-    "Authorization" = "Bearer $token"
-}
+$headers = GetHeaders -token $token
 
 if (-not $templateUrl.Contains('@')) {
     $templateUrl += "@main"

@@ -7,7 +7,7 @@
 )
 
 function IsGitHubPagesAvailable() {
-    $headers = GetHeader -token $env:GITHUB_TOKEN
+    $headers = GetHeaders -token $env:GITHUB_TOKEN
     $url = "$($ENV:GITHUB_API_URL)/repos/$($ENV:GITHUB_REPOSITORY)/pages"
     try {
         Write-Host "Requesting GitHub Pages settings from GitHub"
@@ -20,7 +20,7 @@ function IsGitHubPagesAvailable() {
 }
 
 function GetGitHubEnvironments() {
-    $headers = GetHeader -token $env:GITHUB_TOKEN
+    $headers = GetHeaders -token $env:GITHUB_TOKEN
     $url = "$($ENV:GITHUB_API_URL)/repos/$($ENV:GITHUB_REPOSITORY)/environments"
     try {
         Write-Host "Requesting environments from GitHub"
@@ -36,7 +36,7 @@ function GetGitHubEnvironments() {
 function Get-BranchesFromPolicy($ghEnvironment) {
     if ($ghEnvironment) {
         # Environment is defined in GitHub - check protection rules
-        $headers = GetHeader -token $env:GITHUB_TOKEN
+        $headers = GetHeaders -token $env:GITHUB_TOKEN
         $branchPolicy = ($ghEnvironment.protection_rules | Where-Object { $_.type -eq "branch_policy" })
         if ($branchPolicy) {
             if ($ghEnvironment.deployment_branch_policy.protected_branches) {

@@ -25,10 +25,7 @@ function Get-ModifiedFiles {
 
     $url = "$($env:GITHUB_API_URL)/repos/$($env:GITHUB_REPOSITORY)/compare/$($ghEvent.pull_request.base.sha)...$($ghEvent.pull_request.head.sha)"
 
-    $headers = @{
-        "Authorization" = "token $token"
-        "Accept" = "application/vnd.github.baptiste-preview+json"
-    }
+    $headers = GetHeaders -token $token
 
     $response = (InvokeWebRequest -Headers $headers -Uri $url).Content | ConvertFrom-Json
 

@@ -501,7 +501,7 @@ function GetReleases {
     )
 
     Write-Host "Analyzing releases $api_url/repos/$repository/releases"
-    $releases = (InvokeWebRequest -Headers (GetHeader -token $token) -Uri "$api_url/repos/$repository/releases").Content | ConvertFrom-Json
+    $releases = (InvokeWebRequest -Headers (GetHeaders -token $token) -Uri "$api_url/repos/$repository/releases").Content | ConvertFrom-Json
     if ($releases.Count -gt 1) {
         # Sort by SemVer tag
         try {
@@ -556,7 +556,42 @@ function GetLatestRelease {
     $latestRelease
 }
 
-function GetHeader {
+function GetRealToken {
+    Param(
+        [string] $token
+    )
+
+    if (!($token.StartsWith("{"))) {
+        # not a json token
+        return $token
+    }
+    else {
+        try {
+            $json = $token | ConvertFrom-Json
+            $gitHubAppClientId = $json.GitHubAppClientId
+            $privateKey = $json.PrivateKey
+            Write-Host "Using GitHub App with ClientId $gitHubAppClientId for authentication"
+            $jwt = GenerateJwtForTokenRequest -gitHubAppClientId $gitHubAppClientId -privateKey $privateKey
+            $headers = @{
+                "Accept" = "application/vnd.github+json"
+                "Authorization" = "Bearer $jwt"
+                "X-GitHub-Api-Version" = "2022-11-28"
+            }
+            Write-Host "Get App Info"
+            $appinfo = Invoke-RestMethod -Method GET -UseBasicParsing -Headers $headers -Uri "$ENV:GITHUB_API_URL/repos/$ENV:GITHUB_REPOSITORY/installation"
+            Write-Host "Get Token Response"
+            $tokenResponse = Invoke-RestMethod -Method POST -UseBasicParsing -Headers $headers -Uri $appInfo.access_tokens_url
+            Write-Host "return token"
+            return $tokenResponse.token
+        }
+        catch {
+            # Not a json token
+            return $token
+        }
+    }
+}
+
+function GetHeaders {
     param (
         [string] $token,
         [string] $accept = "application/vnd.github+json",
@@ -567,9 +602,9 @@ function GetHeader {
         "X-GitHub-Api-Version" = $apiVersion
     }
     if (![string]::IsNullOrEmpty($token)) {
-        $headers["Authorization"] = "token $token"
+        $realToken = GetRealToken -token $token
+        $headers["Authorization"] = "token $realToken"
     }
-
     return $headers
 }
 
@@ -616,7 +651,7 @@ function GetReleaseNotes {
         $postParams["target_commitish"] = $target_commitish
     }
 
-    InvokeWebRequest -Headers (GetHeader -token $token) -Method POST -Body ($postParams | ConvertTo-Json) -Uri "$api_url/repos/$repository/releases/generate-notes"
+    InvokeWebRequest -Headers (GetHeaders -token $token) -Method POST -Body ($postParams | ConvertTo-Json) -Uri "$api_url/repos/$repository/releases/generate-notes"
 }
 
 function DownloadRelease {
@@ -636,7 +671,7 @@ function DownloadRelease {
     if ([string]::IsNullOrEmpty($token)) {
         $token = invoke-gh -silent -returnValue auth token
     }
-    $headers = GetHeader -token $token -accept "application/octet-stream"
+    $headers = GetHeaders -token $token -accept "application/octet-stream"
     foreach($project in $projects.Split(',')) {
         # GitHub replaces series of special characters with a single dot when uploading release assets
         $project = [Uri]::EscapeDataString($project.Replace('\','_').Replace('/','_').Replace(' ','.')).Replace('%2A','*').Replace('%3F','?').Replace('%','')
@@ -674,7 +709,7 @@ function CheckRateLimit {
         [string] $token = ''
     )
 
-    $headers = GetHeader -token $token
+    $headers = GetHeaders -token $token
     $rate = (InvokeWebRequest -Headers $headers -Uri "https://api.github.com/rate_limit").Content | ConvertFrom-Json
     $rate | ConvertTo-Json -Depth 99 | Out-Host
     $rate = $rate.rate
@@ -771,7 +806,7 @@ function CheckBuildJobsInWorkflowRun {
         [string] $workflowRunId
     )
 
-    $headers = GetHeader -token $token
+    $headers = GetHeaders -token $token
     $per_page = 100
     $page = 1
 
@@ -822,7 +857,7 @@ function FindLatestSuccessfulCICDRun {
         [string] $token
     )
 
-    $headers = GetHeader -token $token
+    $headers = GetHeaders -token $token
     $lastSuccessfulCICDRun = 0
     $per_page = 100
     $page = 1
@@ -899,7 +934,7 @@ function GetArtifactsFromWorkflowRun {
 
     Write-Host "Getting artifacts for workflow run $workflowRun, mask $mask, projects $projects and version $version"
 
-    $headers = GetHeader -token $token
+    $headers = GetHeaders -token $token
 
     $foundArtifacts = @()
     $per_page = 100
@@ -975,7 +1010,7 @@ function GetArtifacts {
     )
 
     $refname = $branch.Replace('/','_')
-    $headers = GetHeader -token $token
+    $headers = GetHeaders -token $token
     if ($version -eq 'latest') { $version = '*' }
 
     # For latest version, use the artifacts from the last successful CICD run
@@ -1082,7 +1117,7 @@ function DownloadArtifact {
     if ([string]::IsNullOrEmpty($token)) {
         $token = invoke-gh -silent -returnValue auth token
     }
-    $headers = GetHeader -token $token
+    $headers = GetHeaders -token $token
     $foldername = Join-Path $path $artifact.Name
     $filename = "$foldername.zip"
     InvokeWebRequest -Headers $headers -Uri $artifact.archive_download_url -OutFile $filename
@@ -1098,3 +1133,29 @@ function DownloadArtifact {
         return $filename
     }
 }
+
+function GenerateJwtForTokenRequest {
+    Param(
+        [string] $gitHubAppClientId,
+        [string] $privateKey
+    )
+
+    $header = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject @{
+        alg = "RS256"
+        typ = "JWT"
+    }))).TrimEnd('=').Replace('+', '-').Replace('/', '_');
+
+    $payload = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject @{
+        iat = [System.DateTimeOffset]::UtcNow.AddSeconds(-10).ToUnixTimeSeconds()
+        exp = [System.DateTimeOffset]::UtcNow.AddMinutes(10).ToUnixTimeSeconds()
+        iss = $gitHubAppClientId
+    }))).TrimEnd('=').Replace('+', '-').Replace('/', '_');
+    $signature = pwsh -command {
+        $rsa = [System.Security.Cryptography.RSA]::Create()
+        $privateKey = "$($args[1])"
+        $rsa.ImportFromPem($privateKey)
+        $signature = [Convert]::ToBase64String($rsa.SignData([System.Text.Encoding]::UTF8.GetBytes($args[0]), [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
+        Write-OutPut $signature
+    } -args "$header.$payload", $privateKey
+    return "$header.$payload.$signature"
+}
@@ -24,7 +24,7 @@ Set-Location -Path $location
 
 # Environment variables for hub commands
 $env:GITHUB_USER = $actor
-$env:GITHUB_TOKEN = $token
+$env:GITHUB_TOKEN = GetRealToken -token $token
 
 # Commit from the new folder
 Write-Host "Committing changes from the new folder $Location\$PowerPlatformSolutionName to branch $gitHubBranch"

@@ -33,7 +33,9 @@ function MaskValue {
     )
 
     Write-Host "Masking value for $key"
-    Write-Host "::add-mask::$value"
+    $value.Split("`n") | ForEach-Object {
+        Write-Host "::add-mask::$_"
+    }
 
     $val2 = ""
     $value.ToCharArray() | ForEach-Object {
@@ -47,7 +49,9 @@ function MaskValue {
     }
 
     if ($val2 -ne $value) {
-        Write-Host "::add-mask::$val2"
+        $val2.Split("`n") | ForEach-Object {
+            Write-Host "::add-mask::$_"
+        }
     }
     Write-Host "::add-mask::$([Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($value)))"
 }