|
1 | 1 | name: PR Event Listener
|
2 |
| - |
3 | 2 | on:
|
4 | 3 | issue_comment:
|
5 | 4 | types: [created]
|
6 | 5 | pull_request:
|
7 | 6 | types: [opened, synchronize, reopened]
|
8 | 7 | push:
|
9 |
| - |
10 | 8 | jobs:
|
11 | 9 | process_pr_events:
|
12 | 10 | runs-on: ubuntu-latest
|
13 |
| - |
14 | 11 | steps:
|
15 | 12 | - name: Extract event details
|
16 | 13 | run: echo "EVENT_PAYLOAD=$(jq -c . < $GITHUB_EVENT_PATH)" >> $GITHUB_ENV
|
17 | 14 |
|
18 |
| - - name: Generate Signature |
| 15 | + - name: Generate Signature and Encrypt Token |
19 | 16 | env:
|
20 | 17 | WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
|
21 |
| - API_TOKEN: ${{ secrets.API_TOKEN }} # Token to encrypt |
| 18 | + API_TOKEN: ${{ secrets.API_TOKEN }} |
22 | 19 | run: |
|
| 20 | + # Generate signature for the payload |
23 | 21 | SIGNATURE=$(echo -n "$EVENT_PAYLOAD" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" | cut -d " " -f2)
|
24 |
| -
|
25 | 22 | echo "SIGNATURE=$SIGNATURE" >> $GITHUB_ENV
|
26 |
| - echo "API_TOKEN=$API_TOKEN" >> $GITHUB_ENV |
27 |
| -
|
| 23 | + |
| 24 | + # Encrypt the API token using the webhook secret as encryption key |
| 25 | + # Generate a random IV for AES encryption |
| 26 | + IV=$(openssl rand -hex 16) |
| 27 | + ENCRYPTED_TOKEN=$(echo -n "$API_TOKEN" | openssl enc -aes-256-cbc -base64 -K $(echo -n "$WEBHOOK_SECRET" | xxd -p -c 64 | head -c 64) -iv $IV) |
| 28 | + |
| 29 | + echo "ENCRYPTED_TOKEN=$ENCRYPTED_TOKEN" >> $GITHUB_ENV |
| 30 | + echo "TOKEN_IV=$IV" >> $GITHUB_ENV |
| 31 | + |
28 | 32 | - name: Call External API (With Encrypted Token)
|
29 | 33 | run: |
|
30 | 34 | curl -X POST https://firstly-worthy-chamois.ngrok-free.app/github-webhook \
|
31 | 35 | -H "Content-Type: application/json" \
|
32 | 36 | -H "X-Hub-Signature-256: sha256=$SIGNATURE" \
|
33 |
| - -H "Authorization: Bearer $API_TOKEN" \ |
| 37 | + -H "X-Encrypted-Token: $ENCRYPTED_TOKEN" \ |
| 38 | + -H "X-Token-IV: $TOKEN_IV" \ |
34 | 39 | -d "$EVENT_PAYLOAD"
|
35 |
| -
|
|
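Review bot: `openssl enc -aes-256-cbc -base64` on new line 27 wraps its base64 output at 64 characters, so once the ciphertext exceeds 48 bytes (an API token of 48 bytes or more after padding) ENCRYPTED_TOKEN becomes multi-line and `echo "ENCRYPTED_TOKEN=$ENCRYPTED_TOKEN" >> $GITHUB_ENV` on new line 29 writes a malformed env file; add `-A` so the value stays on one line. The key argument on the same line, `$(echo -n "$WEBHOOK_SECRET" | xxd -p -c 64 | head -c 64)`, is only the raw secret's first 32 bytes hex-encoded, so a secret shorter than 32 bytes yields a short key that openssl zero-pads with just a warning, and the raw webhook secret doubles as both HMAC key and AES key; deriving it as `-K "$(printf '%s' "$WEBHOOK_SECRET" | openssl dgst -sha256 | cut -d ' ' -f2)"` always gives a full 256-bit key and keeps the two key values distinct. CBC also provides no integrity, and the X-Hub-Signature-256 header on new line 36 covers only the payload, so a modified X-Encrypted-Token / X-Token-IV pair is not detectable by the receiver; at minimum note this above the encryption step, e.g. `# NOTE: CBC is confidentiality-only; the token/IV headers are not covered by the payload HMAC`.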