Add capability to specify auth from env var or stdin

This commit adds two new ways of specifying GitHub auth: 1. from the GITHUB_TOKEN environment variable 2. from standard input This commit does not include any documentation changes and the descriptions of new command line options will need to be tweaked.
2021-02-12 14:31:38 -08:00 · 2021-02-12 14:31:38 -08:00 · 88714e3a60
commit 88714e3a60
parent 1d92248672
9 changed files with 267 additions and 20 deletions
--- a/lib/util.js
+++ b/lib/util.js
@ -257,4 +257,55 @@ function apiVersionInRange(version, minimumVersion, maximumVersion) {
    return undefined;
 }
 exports.apiVersionInRange = apiVersionInRange;
+/**
+ * Retrieves the github auth token for use with the runner. There are
+ * three possible locations for the token:
+ *
+ * 1. from the cli (considered insecure)
+ * 2. from stdin
+ * 3. from the GITHUB_TOKEN environment variable
+ *
+ * If both 1 & 2 are specified, then an error is thrown.
+ * If 1 & 3 or 2 & 3 are specified, then the environment variable is ignored.
+ *
+ * @param githubAuth a github app token or PAT
+ * @param fromStdIn read the github app token or PAT from stdin up to, but excluding the first whitespace
+ * @param readable the readable stream to use for getting the token (defaults to stdin)
+ *
+ * @return a promise resolving to the auth token.
+ */
+async function getGitHubAuth(logger, githubAuth, fromStdIn, readable = process.stdin) {
+    if (githubAuth && fromStdIn) {
+        throw new Error("Cannot specify both `--github-auth` and `--github-auth-stdin`. Please use `--github-auth-stdin`, which is more secure.");
+    }
+    if (githubAuth) {
+        logger.warning("Using `--github-auth` via the CLI is insecure. Use `--github-auth-stdin` instead.");
+        return githubAuth;
+    }
+    if (fromStdIn) {
+        return new Promise((resolve, reject) => {
+            let token = "";
+            readable.on("data", (data) => {
+                token += data.toString("utf8");
+            });
+            readable.on("end", () => {
+                token = token.split(/\s+/)[0].trim();
+                if (token) {
+                    resolve(token);
+                }
+                else {
+                    reject(new Error("Standard input is empty"));
+                }
+            });
+            readable.on("error", (err) => {
+                reject(err);
+            });
+        });
+    }
+    if (process.env.GITHUB_TOKEN) {
+        return process.env.GITHUB_TOKEN;
+    }
+    throw new Error("No GitHub authentication token was specified. Please provide a token via the GITHUB_TOKEN environment variable, or by adding the `--github-auth-stdin` flag and passing the token via standard input.");
+}
+exports.getGitHubAuth = getGitHubAuth;
 //# sourceMappingURL=util.js.map