mirror of
https://github.com/github/codeql-action.git
synced 2025-12-26 17:20:10 +08:00
43 lines
1.2 KiB
JavaScript
43 lines
1.2 KiB
JavaScript
// @ts-check
|
|
|
|
// @ts-ignore - #get-token is defined in "imports" in package.json
|
|
import { getToken } from "./lib/get-token.js";
|
|
|
|
/**
|
|
* @param {import(".").Options} options
|
|
* @returns {Promise<import(".").Result>}
|
|
*/
|
|
export default async function githubAppJwt({
|
|
id,
|
|
privateKey,
|
|
now = Math.floor(Date.now() / 1000),
|
|
}) {
|
|
// Private keys are often times configured as environment variables, in which case line breaks are escaped using `\\n`.
|
|
// Replace these here for convenience.
|
|
const privateKeyWithNewlines = privateKey.replace(/\\n/g, '\n');
|
|
|
|
// When creating a JSON Web Token, it sets the "issued at time" (iat) to 30s
|
|
// in the past as we have seen people running situations where the GitHub API
|
|
// claimed the iat would be in future. It turned out the clocks on the
|
|
// different machine were not in sync.
|
|
const nowWithSafetyMargin = now - 30;
|
|
const expiration = nowWithSafetyMargin + 60 * 10; // JWT expiration time (10 minute maximum)
|
|
|
|
const payload = {
|
|
iat: nowWithSafetyMargin, // Issued at time
|
|
exp: expiration,
|
|
iss: id,
|
|
};
|
|
|
|
const token = await getToken({
|
|
privateKey: privateKeyWithNewlines,
|
|
payload,
|
|
});
|
|
|
|
return {
|
|
appId: id,
|
|
expiration,
|
|
token,
|
|
};
|
|
}
|