microsoft/create-github-app-token-via-key-vault
TypeScript
Captured source
Description: Create a GitHub app token via Azure Key Vault signing
Language: TypeScript
License: MIT
Stars: 1
Forks: 0
Open issues: 0
Created: 2026-06-04T18:22:49Z
Pushed: 2026-06-05T09:35:23Z
Default branch: main
Fork: no
Archived: no
README:
create-github-app-token-via-key-vault
Create GitHub App installation tokens by signing the GitHub App JWT with an Azure Key Vault key.
The GitHub App private key is imported into Key Vault and used only through the Key Vault sign operation. The key material does not need to be stored in GitHub Actions secrets or Azure Pipelines variables, or checked into a repository. Once imported, Key Vault exposes only the public half of the key: an identity granted sign permission can produce signatures but cannot read the private key, so the thing to protect becomes the Azure identity that is allowed to sign, not a PEM file.
Entry points
| Entry point | Use when | Signing implementation |
| --- | --- | --- |
| GitHub Action (`action.yml`) | Running in GitHub Actions | Azure CLI `az keyvault key sign` |
| CLI (`dist/cli.cjs`) | Running outside GitHub Actions | Azure CLI `az keyvault key sign` |
| API (`src/api.ts`) | Copying the token flow into another TypeScript project | Caller-provided JWT signer |
Prerequisites
1. Create a GitHub App and install it on the organization, enterprise, or repositories that should receive tokens.
2. Import the GitHub App private key into Azure Key Vault as a key that supports the RS256 sign operation.
3. Grant the workflow identity permission to sign with that Key Vault key.
4. Use the GitHub App client ID (`client-id` / `APP_CLIENT_ID`) as the JWT issuer.
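The four steps above come together in the JWT that the action signs: the header says RS256, the issuer is the client ID, and the only thing the key holder ever receives is the bytes (or the SHA-256 digest) to sign. The following is an added example written for this page, not the project's `src/api.ts`; it shows a caller-provided signer of the kind the API entry point expects, with a local in-process signer for an offline demo and a Key Vault signer that shells out to `az keyvault key sign`. The `--id`, `--algorithm` and `--digest` flags are the Azure CLI's; the `signature` field name in its JSON output, the client ID value, and all function and type names are this example's assumptions.

```typescript
// Added example (not the project's code): build a GitHub App JWT and sign it through a
// pluggable signer, so the private key can live in Key Vault. The `az keyvault key sign`
// flags used below are the Azure CLI's; the `signature` field name in its JSON output is
// this example's assumption, as are all type and function names.
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";
import { execFileSync } from "node:child_process";

// A signer sees only the bytes to be signed and returns the raw RS256 signature
// (RSASSA-PKCS1-v1_5 over SHA-256). It never sees or returns key material.
export type JwtSigner = (signingInput: Buffer) => Buffer;

export interface AppJwtClaims {
  iss: string; // GitHub App client ID
  iat: number; // issued-at, backdated 60 s to tolerate clock drift
  exp: number; // GitHub rejects JWTs that expire more than 10 minutes out
}

export function base64url(data: Buffer | string): string {
  const buf = typeof data === "string" ? Buffer.from(data, "utf8") : data;
  return buf.toString("base64url");
}

export function buildAppJwt(clientId: string, signer: JwtSigner, nowSeconds = Math.floor(Date.now() / 1000)): string {
  const header = { alg: "RS256", typ: "JWT" };
  // iat 60 s in the past, exp 9 minutes ahead: inside GitHub's 10-minute limit with margin.
  const claims: AppJwtClaims = { iss: clientId, iat: nowSeconds - 60, exp: nowSeconds + 9 * 60 };
  const signingInput = `${base64url(JSON.stringify(header))}.${base64url(JSON.stringify(claims))}`;
  const signature = signer(Buffer.from(signingInput, "utf8"));
  return `${signingInput}.${base64url(signature)}`;
}

// Local signer: the key stays in this process. Fine for tests, not what CI should use.
export function localRs256Signer(privateKey: KeyObject): JwtSigner {
  return (input) => sign("sha256", input, privateKey);
}

// Key Vault signer: hash locally, send only the digest, receive the signature.
// Runs `az keyvault key sign`, so it needs an already-authenticated Azure CLI on PATH.
export function keyVaultRs256Signer(keyId: string): JwtSigner {
  return (input) => {
    const digest = createHash("sha256").update(input).digest("base64");
    const out = execFileSync(
      "az",
      ["keyvault", "key", "sign", "--id", keyId, "--algorithm", "RS256", "--digest", digest, "--output", "json"],
      { encoding: "utf8" },
    );
    // Buffer's base64 decoder accepts both the standard and the URL-safe alphabet,
    // so the result is usable whichever one the CLI prints.
    return Buffer.from(JSON.parse(out).signature as string, "base64");
  };
}

// Verifier used by the demo to prove the JWT is well-formed; GitHub performs the real check.
export function verifyAppJwt(jwt: string, publicKey: KeyObject): AppJwtClaims {
  const [h, c, s] = jwt.split(".");
  if (!h || !c || !s) throw new Error("JWT must have three segments");
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  if (header.alg !== "RS256") throw new Error(`unexpected alg ${header.alg}`);
  if (!verify("sha256", Buffer.from(`${h}.${c}`, "utf8"), publicKey, Buffer.from(s, "base64url"))) {
    throw new Error("signature does not verify");
  }
  const claims = JSON.parse(Buffer.from(c, "base64url").toString("utf8")) as AppJwtClaims;
  if (claims.exp - claims.iat > 600) throw new Error("exp is more than 10 minutes after iat");
  return claims;
}

// Offline demo with a throwaway key pair and a constructed client ID.
export function demo(nowSeconds = 1_700_000_000): { claims: AppJwtClaims; tamperedRejected: boolean } {
  const { privateKey, publicKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const jwt = buildAppJwt("Iv1.0123456789abcdef", localRs256Signer(privateKey), nowSeconds);
  const claims = verifyAppJwt(jwt, publicKey);
  // Swap in a payload for a different issuer: the original signature must no longer verify.
  const [h, , s] = jwt.split(".");
  const forged = `${h}.${base64url(JSON.stringify({ ...claims, iss: "Iv1.fedcba9876543210" }))}.${s}`;
  let tamperedRejected = false;
  try { verifyAppJwt(forged, publicKey); } catch { tamperedRejected = true; }
  return { claims, tamperedRejected };
}
```

The signer boundary is the point: `buildAppJwt` is identical whether the signature comes from an in-memory key or from Key Vault, and the Key Vault path ships a 32-byte digest rather than the key, which is what lets the private key stay non-exportable in the vault.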
GitHub Actions
Use the action in GitHub Actions. Authenticate to Azure first, for example with OIDC and azure/login. The action signs with az keyvault key sign, so the runner must have Azure CLI (az) on PATH and azure/login must run before this action.
If the runner sets HTTPS_PROXY or HTTP_PROXY, set NODE_USE_ENV_PROXY=1 for this action step so Node.js native proxy support is enabled.
```yaml
permissions:
  contents: read
  id-token: write

jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
      - id: app-token
        uses: microsoft/create-github-app-token-via-key-vault@v1
        with:
          client-id: ${{ vars.MY_GITHUB_APP_CLIENT_ID }}
          key-id: ${{ vars.MY_GITHUB_APP_KEY_ID }}
          permission-contents: write
          permission-pull-requests: write
      - run: gh pr edit "$PR_NUMBER" --add-label automated
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
```

When `owner` and `repositories` are both omitted, the action creates a token for the current repository only. To create a token for specific repositories, pass a comma- or newline-separated `repositories` list. If `owner` is omitted, bare repository names (entries without an `owner/` prefix) default to the current repository owner.
```yaml
- id: app-token
  uses: microsoft/create-github-app-token-via-key-vault@v1
  with:
    client-id: ${{ vars.MY_GITHUB_APP_CLIENT_ID }}
    key-id: ${{ vars.MY_GITHUB_APP_KEY_ID }}
    owner: octo-org
    repositories: |
      example-repo
      another-repo
    permission-contents: read
    permission-issues: write
```

To create a token for every repository available to the installation owner, set `owner` and omit `repositories`. To target an enterprise installation, set `enterprise`; it cannot be combined with `owner` or `repositories`.
Action inputs
| Input | Required | Description |
| --- | --- | --- |
| `client-id` | Yes | GitHub App client ID. |
| `key-id` | Yes | Full Azure Key Vault key ID for the imported GitHub App private key, for example `https://my-vault.vault.azure.net/keys/my-github-app-key/0123456789abcdef0123456789abcdef`. |
| `owner` | No | Installation owner. Omit together with `repositories` to default to the current repository owner. |
| `repositories` | No | Comma- or newline-separated repositories. Entries may be `repo` or `owner/repo`. |
| `enterprise` | No | Enterprise slug for an enterprise installation. Mutually exclusive with `owner` and `repositories`. |
| `github-api-url` | No | GitHub REST API URL. Defaults to `${{ github.api_url }}`. |
| `skip-token-revoke` | No | If `true`, do not revoke the token in the post step. Defaults to `false`. |
| `permission-*` | No | Optional token permissions, for example `permission-contents: read`. Omit all permission inputs to inherit the installation's permissions. |
Permission input names use the REST API permission name with underscores changed to hyphens. For example, pull_requests becomes permission-pull-requests.
Action outputs
| Output | Description |
| --- | --- |
| `token` | GitHub App installation token. |
| `expires-at` | Token expiration timestamp. |
| `installation-id` | Installation ID used to create the token. |
| `app-slug` | GitHub App slug. |
By default, the action revokes the installation token during the post step. Set skip-token-revoke: true only when a later job or external process needs the token to remain valid until its normal expiration.
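The input rules above (current-repository default, `owner` with or without `repositories`, `owner/repo` entries, `enterprise` being exclusive, `permission-*` names mapping to REST permission names, and the post-step revoke) are easy to get subtly wrong when re-implementing the flow. The following is an added example written for this page, not the project's code: it resolves the installation target from action-style inputs, converts the permission inputs, and lays out the two REST calls as plain request descriptors so it runs offline. The REST paths (`POST /app/installations/{id}/access_tokens`, `DELETE /installation/token`) are GitHub's documented endpoints; the descriptor shape, the rule that all `owner/repo` entries must share one owner, and every identifier are assumptions of this example.

```typescript
// Added example (not the project's code): resolve the installation target from action-style
// inputs, translate `permission-*` inputs to REST permission names, and lay out the
// create/revoke requests. Input names follow the action's README; the request-descriptor
// shape, the single-owner rule for `owner/repo` entries and all identifiers are assumptions.

export interface ActionInputs {
  owner?: string;
  repositories?: string; // comma- or newline-separated; entries are `repo` or `owner/repo`
  enterprise?: string;
  currentRepository: string; // `owner/repo` of the running workflow, i.e. GITHUB_REPOSITORY
  permissionInputs?: Record<string, string>; // raw inputs such as { "permission-pull-requests": "write" }
  skipTokenRevoke?: boolean;
}

export type Target =
  | { kind: "enterprise"; enterprise: string }
  | { kind: "owner"; owner: string; repositories?: string[] }; // no list = every repo the installation can reach

export interface ApiRequest {
  method: "POST" | "DELETE";
  path: string;
  auth: "app-jwt" | "installation-token";
  body?: Record<string, unknown>;
}

// Bare names take the default owner; `owner/repo` entries must agree with the `owner`
// input and with each other, because one installation token covers one owner.
export function parseRepositories(raw: string, currentOwner: string, ownerInput?: string): { owner: string; repositories: string[] } {
  let owner = ownerInput;
  const defaultOwner = ownerInput ?? currentOwner;
  const repositories: string[] = [];
  for (const entry of raw.split(/[\n,]/).map((s) => s.trim()).filter((s) => s.length > 0)) {
    const parts = entry.split("/");
    if (parts.length > 2 || parts.some((p) => p === "")) throw new Error(`malformed repository entry: ${entry}`);
    const entryOwner = parts.length === 2 ? parts[0] : defaultOwner;
    if (owner !== undefined && owner !== entryOwner) throw new Error(`repositories span owners ${owner} and ${entryOwner}`);
    owner = entryOwner;
    repositories.push(parts[parts.length - 1]);
  }
  if (repositories.length === 0) throw new Error("repositories is set but contains no entries");
  return { owner: owner as string, repositories };
}

export function resolveTarget(i: ActionInputs): Target {
  if (i.enterprise) {
    if (i.owner || i.repositories) throw new Error("enterprise cannot be combined with owner or repositories");
    return { kind: "enterprise", enterprise: i.enterprise };
  }
  const [currentOwner, currentRepo] = i.currentRepository.split("/");
  if (!i.owner && !i.repositories) return { kind: "owner", owner: currentOwner, repositories: [currentRepo] };
  if (!i.repositories) return { kind: "owner", owner: i.owner as string };
  return { kind: "owner", ...parseRepositories(i.repositories, currentOwner, i.owner) };
}

// `permission-pull-requests: write` -> { pull_requests: "write" }; no inputs -> undefined (inherit).
export function permissionsFromInputs(inputs: Record<string, string> = {}): Record<string, string> | undefined {
  const permissions: Record<string, string> = {};
  for (const [name, value] of Object.entries(inputs)) {
    if (!name.startsWith("permission-") || value === "") continue;
    permissions[name.slice("permission-".length).replace(/-/g, "_")] = value;
  }
  return Object.keys(permissions).length > 0 ? permissions : undefined;
}

// The create call is authenticated with the app JWT; the post-step revoke must be
// authenticated with the installation token itself, which is why it is a separate request.
export function planTokenRequests(i: ActionInputs, installationId: number): ApiRequest[] {
  const target = resolveTarget(i);
  const body: Record<string, unknown> = {};
  if (target.kind === "owner" && target.repositories) body.repositories = target.repositories;
  const permissions = permissionsFromInputs(i.permissionInputs);
  if (permissions) body.permissions = permissions;
  const requests: ApiRequest[] = [
    { method: "POST", path: `/app/installations/${installationId}/access_tokens`, auth: "app-jwt", body },
  ];
  if (!i.skipTokenRevoke) requests.push({ method: "DELETE", path: "/installation/token", auth: "installation-token" });
  return requests;
}
```

Omitting `repositories` from the body deliberately yields a token for everything the installation can reach, so a caller that wants least privilege should always end up with a populated list unless the owner-wide token is the intent.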
Standalone CLI
Use the CLI when you need a copy-pastable script for environments that cannot use the GitHub Action. It is a bundled Node.js script with no Azure SDK dependency; it signs with the already-authenticated Azure CLI by running az keyvault key sign.
Copy dist/cli.cjs into the repository or pipeline workspace that needs a token, or download it from this repository before running it. The CLI intentionally does not implement GitHub Actions output behavior; GitHub Actions users should use the action.
The CLI requires Node.js 24 or newer and the Azure CLI (az) on PATH. The Azure CLI must already be authenticated as an identity with permission to sign with the Key Vault key. If HTTPS_PROXY or HTTP_PROXY is set, also set NODE_USE_ENV_PROXY=1.
Example Azure Pipelines usage:
```yaml
steps:
  - task: AzureCLI@2
    inputs:
      azureSubscription: Production Azure
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: node dist/cli.cjs
    env:
      APP_CLIENT_ID: $(MY_GITHUB_APP_CLIENT_ID)
      KEY_ID: $(MY_GITHUB_APP_KEY_ID)
      OWNER: octo-org
      REPOSITORIES: |
        example-repo
        another-repo
      PERMISSIONS: contents:read,issues:write
      OUTPUT: azure-pipelines
      AZURE_TOKEN_VARIABLE: GITHUB_PAT
  - script: node scripts/use-token.js
    env:
      GITHUB_PAT: $(GITHUB_PAT)
```
For shell usage, set `OUTPUT=stdout` and capture the token:

```bash
GH_TOKEN="$(
  APP_CLIENT_ID="$MY_GITHUB_APP_CLIENT_ID" \
  KEY_ID="$MY_GITHUB_APP_KEY_ID" \
  OWNER=octo-org \
  REPOSITORIES=example-repo \
  PERMISSIONS=contents:read \
  OUTPUT=stdout \
  node dist/cli.cjs
)"
```
CLI environment…
Notability
notability 1.0/10: Low traction, routine utility repo