feat: add base64 encoded private key support

.env.example

@@ -3,7 +3,7 @@ APP_ID=12345
 GITHUB_CLIENT_ID=Iv1.12345def
 GITHUB_CLIENT_SECRET=clientsecret
 
-# Private key for the GitHub App
+# Private key for the GitHub App (base64 encoded or raw)
 PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----\nYOUR KEY HERE WITH \n INCLUDED=\n-----END RSA PRIVATE KEY-----\n
 
 # Auth configs

docs/developing.md

@@ -83,7 +83,7 @@ To use the app, you'll need to create a GitHub App and configure it to point to
    - **Workflow run**
 
 7. Click **Create GitHub App**.
-8. Generate a private key for the app and add it to your `.env` file as `PRIVATE_KEY`.
+8. Generate a private key for the app and add it to your `.env` file as `PRIVATE_KEY`, a base64 encoded version can be used if desired.
 9. Note the **App ID** and **Client ID** and add them to your `.env` file as `APP_ID` and `GITHUB_CLIENT_ID`, respectively.
 10. Generate a new **Client Secret** and add it to your `.env` file as `GITHUB_CLIENT_SECRET`.
 

scripts/webhook-relay.mjs

@@ -14,12 +14,18 @@ if (!process.env.PUBLIC_ORG) {
 
 const url = `${process.env.NEXTAUTH_URL}/api/webhooks`
 
-const privateKeyPkcs8 = crypto
-  .createPrivateKey(process.env.PRIVATE_KEY.replace(/\\n/g, '\n'))
-  .export({
-    type: 'pkcs8',
-    format: 'pem',
-  })
+const privateKey =
+  process.env.PRIVATE_KEY &&
+  !process.env.PRIVATE_KEY.includes('-----BEGIN RSA PRIVATE KEY-----')
+    ? // Support optional base64 decoding of the private key to prevent issues with complicated environment variable passing scenarios
+      Buffer.from(process.env.PRIVATE_KEY, 'base64').toString('utf8')
+    : // Handle a bug with multiline envs in docker - See https://github.com/moby/moby/issues/46773
+      (process.env.PRIVATE_KEY?.replace(/\\n/g, '\n') ?? '')
+
+const privateKeyPkcs8 = crypto.createPrivateKey(privateKey).export({
+  type: 'pkcs8',
+  format: 'pem',
+})
 
 const setupForwarder = (organizationOwner) => {
   const app = new App({

src/bot/octokit.ts

@@ -6,11 +6,13 @@ import { Octokit } from './rest'
 const personalOctokitLogger = logger.getSubLogger({ name: 'personal-octokit' })
 const appOctokitLogger = logger.getSubLogger({ name: 'app-octokit' })
 
-// This is a bug with the way the private key is stored in the docker env
-// See https://github.com/moby/moby/issues/46773
-const privateKey = process.env.PRIVATE_KEY?.includes('\\n')
-  ? process.env.PRIVATE_KEY.replace(/\\n/g, '\n')
-  : process.env.PRIVATE_KEY!
+const privateKey =
+  process.env.PRIVATE_KEY &&
+  !process.env.PRIVATE_KEY.includes('-----BEGIN RSA PRIVATE KEY-----')
+    ? // Support optional base64 decoding of the private key to prevent issues with complicated environment variable passing scenarios
+      Buffer.from(process.env.PRIVATE_KEY, 'base64').toString('utf8')
+    : // Handle a bug with multiline envs in docker - See https://github.com/moby/moby/issues/46773
+      (process.env.PRIVATE_KEY?.replace(/\\n/g, '\n') ?? '')
 
 /**
  * Generates an app access token for the app or an installation (if installationId is provided)

test/app.test.ts

@@ -2,7 +2,6 @@ import nock from 'nock'
 
 // Requiring our app implementation
 import { Probot, ProbotOctokit } from 'probot'
-import * as app from '../src/bot'
 import { Octomock } from './octomock'
 
 // Requiring our fixtures
@@ -23,6 +22,10 @@ const privateKey = fs.readFileSync(
   'utf-8',
 )
 
+process.env.PRIVATE_KEY = privateKey
+
+import * as app from '../src/bot' // import app after setting up the environment variable
+
 describe('Webhooks events', () => {
   let probot: Probot
 

test/server/config.test.ts

@@ -1,3 +1,13 @@
+import fs from 'fs'
+import path from 'path'
+
+// load private key before importing the code that uses it
+
+process.env.PRIVATE_KEY = fs.readFileSync(
+  path.join(__dirname, '../fixtures/mock-cert.pem'),
+  'utf-8',
+)
+
 import * as config from '../../src/bot/config'
 import * as auth from '../../src/utils/auth'
 import configRouter from '../../src/server/config/router'