The highest tagged major version is
README
¶
ghait
ghait is a reusable Go module and CLI tool designed to simplify generation of ephemeral GitHub App Installation Tokens.
It directly supports multiple Key Management Service (KMS) providers, including AWS, GCP, and Vault, to securely sign requests.
Features
- Easily generate ephemeral GitHub App Installation Tokens
- Support for multiple KMS providers: File, AWS, GCP, Vault
- Support for restricting repositories and permissions per token
- Fully configurable via environment variables and command-line flags
Installation
To install the CLI tool, use the following command:
go install github.com/isometry/ghait/cmd/ghait@latest
Homebrew
brew install isometry/tap/ghait
Usage
CLI Interface
The ghait CLI tool can be used to generate ephemeral GitHub App Installation Tokens, each valid for 1-hour. Below is a brief description of the available flags:
Usage:
ghait [flags]
Flags:
-a, --app-id int App ID (required)
-i, --installation-id int Installation ID (required)
-k, --key string Private key or identifier (required)
-P, --provider string KMS provider (supported: [file,aws,gcp,vault]) (default "file")
-r, --repository strings Repository names to grant access to (default all)
-p, --permission stringToString Restricted permissions to grant (default all)
-h, --help help for ghait
-v, --version version for ghait
Example
To generate a GitHub App installation token using the CLI, run:
export GHAIT_APP_ID=12345
export GAT_INSTALLATION_ID=67890
ghait -k private.pem
ghait --key private.pem --repo --permissions contents=read
ghait --provider aws --key alias/github
ghait --provider vault --key transit/sign/github --repo ghait --permission contents=read,metadata=read
Providers
File
The file provider expects key to be the path to a file holding your GitHub App private key, or alternatively the full contents of the key itself.
AWS
The aws provider offloads JWT token signing to AWS KMS. key takes the form of a KMS key reference.
Usage relies on standard AWS configuration and credentials being available to the app.
Disable inclusion by building with the no_aws tag.
GCP
The gcp provider offloads JWT token signing to GCP KMS. key takes the form of a KMS key reference.
Usage relies on standard GCP configuration and credentials being available to the app.
Disable inclusion by building with the no_gcp tag.
Vault
The vault provider offloads JWT token signing to GCP KMS. key takes the form of a transit secrets engine signing path <mountpoint>/sign/<name>, for example transit/sign/github.
Usage relies on standard Vault configuration and credentials being available to the app.
Disable inclusion by building with the no_vault tag.
Environment Variables
You can also configure the CLI using environment variables:
GHAIT_APP_ID: GitHub App IDGHAIT_INSTALLATION_ID: GitHub App Installation IDGHAIT_KEY: Private key or identifierGHAIT_PROVIDER: KMS provider (supported: file, aws, gcp, vault)GHAIT_REPOSITORY: Repositories to grant access to (space-delimited)GHAIT_PERMISSION: Restricted permissions to grant (JSON map)
Programmatic Usage
To use this module programmatically, you can create a new instance of ghait and generate a token as shown below:
package main
import (
"context"
"fmt"
"log"
"github.com/isometry/ghait"
"github.com/google/go-github/v66/github"
)
func main() {
ctx := context.Background()
config := &ghait.Config{
AppID: 12345,
InstallationID: 67890,
Provider: "aws",
Key: "alias/github",
}
factory, err := ghait.NewGHAIT(ctx, config)
if err != nil {
log.Fatalf("failed to create ghait instance: %v", err)
}
options := &github.InstallationTokenOptions{}
token, err := factory.NewInstallationToken(ctx, 0, options)
if err != nil {
log.Fatalf("failed to create installation token: %v", err)
}
fmt.Println(token)
}
Contributing
Contributions are welcome! Please open an issue or submit a pull request.
License
This project is licensed under the Apache License 2.0.
Documentation
Source Files
Directories