This Azure Pipelines task generates GitHub App installation tokens that can be used for authenticating with GitHub APIs. It's particularly useful when you need to interact with GitHub repositories using a GitHub App instead of personal access tokens or other authentication methods.
Note
This is a (fully functional) sample and the extension is not published in the marketplace. If you want to use it, you need to publish. You can find the instructions here.
- Generates GitHub App installation tokens for API authentication
- Supports organization-wide or repository-specific tokens
- Provides multiple authentication options (service connection or direct inputs)
- Handles proxy configurations through environment variables
- Secure handling of private keys and credentials
- Cross-platform compatibility
- A GitHub App created and installed in your organization
- The GitHub App's private key (PEM format)
- The GitHub App ID
- The GitHub App must be installed in the organization where you want to generate tokens
- Go to your GitHub organization settings
- Navigate to GitHub Apps section
- Create a new GitHub App or select an existing one
- Note down the App ID
- Generate and download a private key (PEM format)
- Install the app in your organization
Add the task to your pipeline:
steps:
- task: create-github-app-token@1
inputs:
githubAppConnection: 'MyGitHubAppConnection'
organization: 'your-org-name'
repositories: 'repo1,repo2' # Optionalsteps:
- task: create-github-app-token@1
inputs:
organization: 'your-org-name'
appClientId: 'lv2313qqwqeqweqw' # Your GitHub App ID
certificate: '$(pem)' # PEM content as variable
repositories: 'repo1,repo2' # Optional| Parameter | Required | Description |
|---|---|---|
| githubAppConnection | No | The GitHub App connection to use (preferred method) |
| organization | Yes | The GitHub organization name where the app is installed |
| repositories | No | Comma-separated list of repositories to scope the token to. If empty, token will be scoped to the entire organization |
| appClientId | No* | The GitHub App ID (required if not using service connection) |
| certificate | No* | The PEM certificate content (required if not using service connection) |
| certificateFile | No | Alternative to certificate - filename containing the PEM content |
*Required if githubAppConnection is not specified
| Variable | Description |
|---|---|
| $(installationToken) | The generated GitHub App installation token |
| $(installationId) | The ID of the GitHub App installation |
- In your Azure DevOps project, go to Project Settings
- Select "Service connections" under Pipelines
- Create a new service connection of type "GitHub App"
- Enter:
- Connection name
- GitHub App Client ID
- Private Key (PEM content)
- Scope to repository. If this is set then the repositories input is ignored and the token will be scoped to the repository where the pipeline is running. For example this can be useful if install the on all or some repositories but you don't want the pipeline to access other repositories.
- only works if sources repository is GitHub. If you try to use with another source it will throw an error.
- Optionally change the API URL if not using github.com
- Save the connection
steps:
- task: create-github-app-token@1
name: token
inputs:
githubAppConnection: 'MyGitHubAppConnection'
organization: 'MyOrg'
- bash: |
gh api \
--method POST -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
/repos/MyOrg/myRepo/issues \
-f "title=Found a bug" -f "body=I'm having a problem with this."
displayName: 'Create issue using GitHub CLI'
env:
GH_TOKEN: $(token.installationToken)steps:
- task: create-github-app-token@1
inputs:
organization: 'MyOrg'
appClientId: 'lv2313qqwqeqweqw'
certificate: '$(githubAppPem)' # Variable containing PEM contentsteps:
- task: create-github-app-token@1
inputs:
githubAppConnection: 'MyGitHubAppConnection'
organization: 'MyOrg'
repositories: 'repo1'steps:
- task: create-github-app-token@1
name: githubAuth
inputs:
githubAppConnection: 'MyGitHubAppConnection'
organization: 'MyOrg'
- script: |
curl -H "Authorization: Bearer $(githubAuth.installationToken)" https://api.github.com/repos/MyOrg/MyRepo/issues | jq
displayName: 'List issues using cURL'The task automatically detects and uses proxy settings from the following environment variables:
- HTTP_PROXY
- HTTPS_PROXY
Warning
Proxy support has not been tested.
Common issues and solutions:
- Invalid Private Key: Ensure the PEM file is properly formatted and includes the full key including header and footer
- Permission Issues: Verify that the GitHub App has the necessary permissions for the repositories
- Installation Not Found: Confirm that the GitHub App is installed in the specified organization
Tip
If you expand the task logs, you can see extra info like the token permissions and repo access. (If you run the pipeline in debug mode it will have extra info as well).
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License.
If you encounter any issues or need support, please open an issue in the GitHub repository.