build-and-deploy: refresh the installation access token as needed

dscho · dscho · commit 65cc743cd56d · 2023-02-13T09:30:29.000+01:00
The build https://github.com/git-for-windows/git-for-windows-automation/actions/runs/4153007326/jobs/7184357891 as well the build https://github.com/git-for-windows/git-for-windows-automation/actions/runs/4153007483/jobs/7184358147 failed due to an expiring installation access token: these tokens expire after an hour, and the step that built the Pacman package took well over an hour. To cope with that, remember the expiry date of the token, and after the Pacman package has been built, refresh it if it is expired (or running the danger of expiring while the packages are deployed). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
@@ -66,14 +66,15 @@ jobs:
             )
 
             const getInstallationAccessToken = require('./get-installation-access-token')
-            const { token: accessToken } = await getInstallationAccessToken(
+            const { expiresAt, token: accessToken } = await getInstallationAccessToken(
               console,
               appId,
               privateKey,
               installationId
             )
 
             core.setSecret(accessToken)
+            core.setOutput('expires-at', expiresAt)
             core.setOutput('token', accessToken)
 
       - name: get check run id
@@ -295,6 +296,45 @@ jobs:
             exit 1
           fi
 
+      - name: refresh installation token (if needed)
+        if: env.CREATE_CHECK_RUN != 'false'
+        id: refresh
+        uses: actions/github-script@v6
+        with:
+          script: |
+            // GitHub Apps' installation access tokens expire after one hour, see:
+            // https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation
+            // let's generate a new one if less than 5 minutes before the expiry date, otherwise reuse it
+            if (Date.parse('${{ steps.setup.outputs.expires-at }}') - Date.now() > 5 * 60 * 1000) {
+              core.setOutput('expires-at', '${{ steps.setup.outputs.expires-at }}')
+              core.setOutput('token', '${{ steps.setup.outputs.token }}')
+              core.info('Continuing to use the unexpired installation access token')
+              return
+            }
+            const appId = ${{ secrets.GH_APP_ID }}
+            const privateKey = `${{ secrets.GH_APP_PRIVATE_KEY }}`
+
+            const getAppInstallationId = require('./get-app-installation-id')
+            const installationId = await getAppInstallationId(
+              console,
+              appId,
+              privateKey,
+              process.env.OWNER,
+              process.env.REPO
+            )
+
+            const getInstallationAccessToken = require('./get-installation-access-token')
+            const { expiresAt, token: accessToken } = await getInstallationAccessToken(
+              console,
+              appId,
+              privateKey,
+              installationId
+            )
+
+            core.setSecret(accessToken)
+            core.setOutput('expires-at', expiresAt)
+            core.setOutput('token', accessToken)
+
       - name: update check-run
         if: env.CREATE_CHECK_RUN != 'false'
         uses: actions/github-script@v6
@@ -303,7 +343,7 @@ jobs:
             const updateCheckRun = require('./update-check-run')
             await updateCheckRun(
               console,
-              '${{ steps.setup.outputs.token }}',
+              '${{ steps.refresh.outputs.token }}',
               process.env.OWNER,
               process.env.REPO,
               '${{ steps.check-run.outputs.id }}',
@@ -347,7 +387,7 @@ jobs:
             const updateCheckRun = require('./update-check-run')
             await updateCheckRun(
               console,
-              '${{ steps.setup.outputs.token }}',
+              '${{ steps.refresh.outputs.token }}',
               process.env.OWNER,
               process.env.REPO,
               '${{ steps.check-run.outputs.id }}',
diff --git a/get-installation-access-token.js b/get-installation-access-token.js
@@ -8,6 +8,7 @@ module.exports = async (context, appId, privateKey, installation_id) => {
         `/app/installations/${installation_id}/access_tokens`)
     if (answer.error) throw answer.error
     if (answer.token) return {
+        expiresAt: answer.expires_at,
         token: answer.token
     }
     throw new Error(`Unhandled response:\n${JSON.stringify(answer, null, 2)}`)

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ module.exports = async (context, appId, privateKey, installation_id) => {`
`8`	`8`	`/app/installations/${installation_id}/access_tokens`)
`9`	`9`	`if (answer.error) throw answer.error`
`10`	`10`	`if (answer.token) return {`
	`11`	`+ expiresAt: answer.expires_at,`
`11`	`12`	`token: answer.token`
`12`	`13`	`}`
`13`	`14`	throw new Error(`Unhandled response:\n${JSON.stringify(answer, null, 2)}`)