Store oauth token as a github secret

I use the R package httr to authenticate myself at an oauth endpoint (strava) using oauth_endpoint(), oauth_app() and oauth2.0_token() (Step 1).

# Step 1: Generate oauth token
library(httr)

strava_endpoint <- oauth_endpoint(
  request = NULL,
  authorize = "authorize", 
  access = "token",
  base_url = "https://www.strava.com/api/v3/oauth/"
)

myapp <- oauth_app(
  "strava", 
  key = 0000000,        # <- my key
  secret = "mysecret"   # <- my secret
)

mytok <- oauth2.0_token(
  endpoint = strava_endpoint, 
  app = myapp,
  scope = c("activity:read_all"),
  cache = TRUE
)

This last function requires me to authenticate via browser and permit the requested scope, which is then cached as a token .httr-oauth. After doing this once, I can use this token file with readRDS() to use GET() via the strava API (Step 2)

# Step 2: Use the file ".httr-oauth" to use the API (GET)
mytok <- readRDS(".httr-oauth")[[1]]

GET("https://www.strava.com/api/v3/athlete", config(token = mytok))
Response [https://www.strava.com/api/v3/athlete]
  Date: 2022-03-09 07:53
  Status: 200
  Content-Type: application/json; charset=utf-8
  Size: 650 B

This works fine locally. However, I would like to pass this token to a github action to GET() on my behalf. In other words, I want to do Step 1 locally and use the generated token (file .httr-oauth) in a Github Action (Step 2)

But, since this token is a secret and should be added to .gitignore, I don't know how to authenticate the github action.

I thought I could add .httr-oauth as a github secret, but it seems to be an encrypted file.

Is there a different way to authorize a github action to GET() my data via an API (e.g. strava)?

Stripling answered 9/3, 2022 at 8:6 Comment(2)
this looks promising - Stripling
this as well - Stripling

but it seems to be an encrypted file.

The "Using encrypted secrets in a workflow" documentation shows you should be able to retrieve the value of that secret:

steps:
  - name: Hello world action
    with: # Set the secret as an input
      super_secret: ${{ secrets.SuperSecret }}
    env: # Or as an environment variable
      super_secret: ${{ secrets.SuperSecret }}

It is then a variable (or environment variable), with its value (not encrypted) you can use in the rest of your workflow.

Aviva answered 9/3, 2022 at 8:19 Comment(8)
I'm not quite sure whether I understand. Are you saying: 1) encrypt .httr-oauth using gpg and a passphrase 2) push to github 3) add passphrase (from step 1) to the repo 4) decrypt .httr-oauth and 5) import the decrypted file using readRDS? - Stripling
@Stripling you should be able to register your value (in clear) as a GitHub secret in your GitHub repository (docs.github.com/en/actions/security-guides/…). Once registered, your GitHub action can retrieve it. No need to encrypt it further. - Aviva
I'm really sorry, but I still don't understand. How do I get my value in clear from my .httr-oauth token (which is a file)? - Stripling
@Stripling Is that file a static content (which never changes?) or a generated one which can change on each execution? - Aviva
@Stripling In the latter case, you can create/update a secret with the GitHub API: docs.github.com/en/rest/reference/… - Aviva
It's a static content which never changes, and which I can only generate locally (since the function oauth2.0_token() invokes the browser where I need to authenticate myself) - Stripling
@Stripling So you can register manually on the repository as a secret. - Aviva
Let us continue this discussion in chat. - Stripling
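
The thread leaves open how a binary file such as .httr-oauth becomes a secret value. One way, shown here as an added example that is not part of the original posts: base64-encode the file locally, paste that string into a repository secret, and decode it on the runner before Step 2's readRDS(). The secret name HTTR_OAUTH_B64 and both function names are assumptions, as is a Linux runner with GNU base64.

```shell
# Added example, not code from the question or answer.
# Assumed names: HTTR_OAUTH_B64 (secret / env var), encode_token, restore_token.

MAX_SECRET_BYTES=49152   # GitHub limits a single secret to 48 KB

# Local machine: emit the token file as ONE base64 line to paste into the
# repository secret. Refuses output that would not fit in a secret.
encode_token() {
  local file="$1" encoded
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  encoded="$(base64 < "$file" | tr -d '\n')" || return 1
  if [ "${#encoded}" -gt "$MAX_SECRET_BYTES" ]; then
    echo "encoded token exceeds ${MAX_SECRET_BYTES} bytes" >&2
    return 1
  fi
  printf '%s' "$encoded"
}

# Workflow step: rebuild the file from the environment variable. Nothing is
# echoed: GitHub masks the stored secret string in logs, but not values
# derived from it (such as the decoded bytes).
restore_token() {
  local dest="$1" tmp
  [ -n "${HTTR_OAUTH_B64:-}" ] || { echo "HTTR_OAUTH_B64 is empty" >&2; return 1; }
  # mktemp creates the file with mode 0600, so the token is never world-readable.
  tmp="$(umask 077 && mktemp "${dest}.XXXXXX")" || return 1
  if printf '%s' "$HTTR_OAUTH_B64" | base64 -d > "$tmp" 2>/dev/null && [ -s "$tmp" ]; then
    mv "$tmp" "$dest"          # only a fully decoded file reaches its final path
  else
    rm -f "$tmp"
    echo "secret did not decode to a non-empty file" >&2
    return 1
  fi
}
```

In the workflow, set `HTTR_OAUTH_B64: ${{ secrets.HTTR_OAUTH_B64 }}` under `env:` on the step that calls `restore_token .httr-oauth`, then run the R script from Step 2 unchanged.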
