
I use the R package httr to authenticate myself at an oauth endpoint (strava) using oauth_endpoint(), oauth_app() and oauth2.0_token() (Step 1).

```r
# Step 1: Generate oauth token
library(httr)

strava_endpoint <- oauth_endpoint(
  request = NULL,
  authorize = "authorize",
  access = "token",
  base_url = "https://www.strava.com/api/v3/oauth/"
)

myapp <- oauth_app(
  "strava",
  key = 0000000,        # <- my key
  secret = "mysecret"   # <- my secret
)

# Opens the browser for interactive consent; cache = TRUE writes .httr-oauth
mytok <- oauth2.0_token(
  endpoint = strava_endpoint,
  app = myapp,
  scope = c("activity:read_all"),
  cache = TRUE
)
```

This last function requires me to authenticate via browser and permit the requested scope, which is then cached as a token `.httr-oauth`. After doing this once, I can use this token file with `readRDS()` to use `GET()` via the strava API (Step 2).

```r
# Step 2: Use the file ".httr-oauth" to use the API (GET)
library(httr)
mytok <- readRDS(".httr-oauth")[[1]]

GET("https://www.strava.com/api/v3/athlete", config(token = mytok))
```

```
Response [https://www.strava.com/api/v3/athlete]
  Date: 2022-03-09 07:53
  Status: 200
  Content-Type: application/json; charset=utf-8
  Size: 650 B
```

This works fine locally. However, I would like to pass this token to a github action to GET() on my behalf. In other words, I want to do Step 1 locally and use the generated token (file .httr-oauth) in a Github Action (Step 2)

But, since this token is a secret and should be added to .gitignore, I don't know how to authenticate the github action.

I thought I could add .httr-oauth as a github secret, but it seems to be an encrypted file.

Is there a different way to authorize a github action to GET() my data via an API (e.g. strava)?

Ratnanil

1 Answer


> but it seems to be an encrypted file.

The "Using encrypted secrets in a workflow" shows you should be able to retrieve the value of that secret:

```yaml
steps:
  - name: Hello world action
    with: # Set the secret as an input
      super_secret: ${{ secrets.SuperSecret }}
    env: # Or as an environment variable
      super_secret: ${{ secrets.SuperSecret }}
```

It is then a variable (or environment variable), with its value (not encrypted) you can use in the rest of your workflow.

VonC
  • I'm not quite sure whether I understand. Are you saying: 1) encrypt `.httr-oauth` using `gpg` and a passphrase 2) push to github 3) add passphrase (from step 1) to the repo 4) decrypt `.httr-oauth` and 5) import the decrypted file using `readRDS` ? – Ratnanil Mar 09 '22 at 09:54
  • @Ratnanil you should be able to register your value (in clear) as a GitHub secret in your GitHub repository (https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository). Once registered, your GitHub action can retrieve it. No need to encrypt it further. – VonC Mar 09 '22 at 10:05
  • I'm really sorry, but I still don't understand. How do I get my value in clear from my `.httr-oauth` token (which is a file)? – Ratnanil Mar 09 '22 at 10:36
  • @Ratnanil Is that file a static content (which never changes?) or a generated one which can change on each execution? – VonC Mar 09 '22 at 14:30
  • @Ratnanil In the latter case, you can create/update a secret with the GitHub API: https://docs.github.com/en/rest/reference/actions#create-or-update-a-repository-secret – VonC Mar 09 '22 at 14:33
  • It's static content which never changes, and which I can only generate locally (since the function `oauth2.0_token()` invokes the browser where I need to authenticate myself) – Ratnanil Mar 09 '22 at 16:08
  • @Ratnanil So you can register manually on the repository as a secret. – VonC Mar 09 '22 at 17:19
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/242783/discussion-between-ratnanil-and-vonc). – Ratnanil Mar 09 '22 at 18:44
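
Added example, not part of the original answer or comments: since `.httr-oauth` is a binary RDS file and a repository secret holds text, one way to register it is to base64-encode it locally and decode it inside the job. `HTTR_OAUTH_B64` is an assumed secret and environment-variable name, and both function names are hypothetical.

```shell
# Added example (not from the original thread). HTTR_OAUTH_B64 is a
# hypothetical secret / environment-variable name.

# Local side: print a binary token cache (e.g. .httr-oauth) as ONE base64
# line, after checking that it decodes back to the identical file.
encode_token_file() {
  src="$1"
  [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
  encoded=$(base64 < "$src" | tr -d '\n')
  # Round-trip check so a corrupted value is never stored as the secret.
  printf '%s' "$encoded" | base64 --decode | cmp -s - "$src" \
    || { echo "round-trip mismatch for $src" >&2; return 1; }
  # GitHub documents a 48 KB size limit per secret.
  size=$(printf '%s' "$encoded" | wc -c | tr -d ' ')
  [ "$size" -le 49152 ] || { echo "encoded token too large: $size bytes" >&2; return 1; }
  printf '%s\n' "$encoded"
}

# CI side: rebuild the file from $HTTR_OAUTH_B64 (mapped from the secret in
# the workflow's env: block). $1 is the output path, e.g. .httr-oauth.
restore_token_file() {
  out="$1"
  if [ -z "${HTTR_OAUTH_B64:-}" ]; then
    # Secrets are not passed to workflows triggered from forks.
    echo "HTTR_OAUTH_B64 is empty or unset" >&2
    return 1
  fi
  # umask in a subshell: the file is created 0600 without changing the caller.
  ( umask 077
    rm -f "$out"
    printf '%s' "$HTTR_OAUTH_B64" | base64 --decode > "$out" ) \
    || { rm -f "$out"; echo "HTTR_OAUTH_B64 is not valid base64" >&2; return 1; }
  [ -s "$out" ] || { rm -f "$out"; return 1; }
}
```

Run `encode_token_file .httr-oauth` locally and paste the printed line as the secret's value. In the workflow, map the secret through `env:` as in the answer's snippet and call `restore_token_file .httr-oauth` before the R step runs `readRDS()`.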