Add Cloudflare Worker backend for secure GitHub App authentication#21
Merged
The worker runs at POST /token and accepts a GitHub Actions OIDC JWT (audience = worker URL) in the Authorization header. It verifies the token against GitHub's public JWKS, then issues a GitHub App installation access token for the repository claimed in the OIDC payload. This eliminates the need for users to store the App private key in their repository secrets.

Action changes:
- PRIVATE_KEY is now optional (backward compatible)
- New optional WORKER_URL input: when set, the action uses GitHub OIDC to authenticate via the worker instead of a private key
- Job must have `permissions: id-token: write` when using WORKER_URL

Worker (worker/):
- wrangler.toml: Cloudflare Worker config; GITHUB_APP_PRIVATE_KEY is set as a wrangler secret, GITHUB_APP_ID as a var
- src/index.ts: verifies GitHub OIDC JWT (jose), creates App JWT, looks up installation, and returns an installation access token

https://claude.ai/code/session_01NpiSv9DJeWXyK77tjPGt8F
Replace PRIVATE_KEY with WORKER_URL pointing to the deployed worker. Add explicit permissions for OIDC (id-token: write), PR comments (pull-requests: write), and log access (actions: read). Remove the CppWarningNotifier environment since no secrets are needed. https://claude.ai/code/session_01NpiSv9DJeWXyK77tjPGt8F
WORKER_URL is now the only authentication method. Removes the App import, PRIVATE_KEY input, and the dual-path auth logic. https://claude.ai/code/session_01NpiSv9DJeWXyK77tjPGt8F
…code
- Replace heavy `octokit` package with `@octokit/rest` + `@octokit/graphql` (bundle: 8,828 -> 4,007 lines)
- Fix GraphQL injection: use parameterized variables instead of string interpolation for minimizeComment mutation
- Remove dead `body` null-coalescing logic (`let body = null; body ??= ...` simplified to `const body = ...`)
- Hoist warningRegex/errorRegex out of the loop
- Replace hand-rolled CompositeKeyMap/groupBy with Map and Map.groupBy
- Normalize all variable names to camelCase
- Remove no-op runnerEnvironment check in worker

https://claude.ai/code/session_01NpiSv9DJeWXyK77tjPGt8F
- action/: GitHub Action source, build config, and bundled output
- worker/: Cloudflare Worker backend (already in place)
- test/: sample C++ project used by the CI workflow
- Root keeps only action.yml (GHA requirement) and repo-level config

https://claude.ai/code/session_01NpiSv9DJeWXyK77tjPGt8F
action/:
- @rollup/plugin-commonjs 28 -> 29
- @rollup/plugin-node-resolve 16.0.1 -> 16.0.3
- @rollup/plugin-typescript 12.1.2 -> 12.3.0
- @types/node 22 -> 25
- rollup 4.40.0 -> 4.57.1
- typescript 5.8.3 -> 5.9.3

worker/:
- jose 5.9.6 -> 6.1.3
- @cloudflare/workers-types 4.20241022.0 -> 4.20260218.0
- typescript 5.8.3 -> 5.9.3
- wrangler 3.99.0 -> 4.66.0

https://claude.ai/code/session_01NpiSv9DJeWXyK77tjPGt8F
Summary
This PR introduces a new Cloudflare Worker backend that enables secure GitHub App authentication using GitHub Actions OIDC tokens, while maintaining backward compatibility with direct private key authentication.
Key Changes
New Cloudflare Worker (worker/src/index.ts):
- /token endpoint that exchanges GitHub Actions OIDC tokens for GitHub App installation access tokens

Updated GitHub Action (src/index.ts):
- WORKER_URL to exchange OIDC tokens via the Cloudflare Worker (requires id-token: write permission)
- PRIVATE_KEY to authenticate directly as the GitHub App
- getInstallationTokenFromWorker() helper to request OIDC tokens and exchange them with the worker

Configuration Updates:
- action.yml: Made PRIVATE_KEY optional, added new WORKER_URL input
- wrangler.toml, tsconfig.json, package.json

Implementation Details
- jose library for JWT verification and creation
- action.yml: requird → required

https://claude.ai/code/session_01NpiSv9DJeWXyK77tjPGt8F