create-github-app-token
create-github-app-token copied to clipboard
actions
`A JSON web token could not be decoded` error when running action
Hi, I get this error when running the action:
Run actions/create-github-app-token@v1
with:
app-id: ***
private-key: ***
github-api-url: https://api.github.com/
owner and repositories not set, creating token for the current repository ("fusion-imu")
Failed to create token for "fusion-imu" (attempt 1): A JSON web token could not be decoded - https://docs.github.com/rest
Failed to create token for "fusion-imu" (attempt 2): A JSON web token could not be decoded - https://docs.github.com/rest
Failed to create token for "fusion-imu" (attempt 3): A JSON web token could not be decoded - https://docs.github.com/rest
Failed to create token for "fusion-imu" (attempt 4): A JSON web token could not be decoded - https://docs.github.com/rest
RequestError [HttpError]: A JSON web token could not be decoded - https://docs.github.com/rest
at /home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:37050:21
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async hook4 (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39454:18)
at async getTokenFromRepository (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39768:20)
at async RetryOperation._fn (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39645:24) {
status: 401,
request: {
method: 'GET',
url: 'https://api.github.com/repos/avsaase/fusion-imu/installation',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'actions/create-github-app-token',
authorization: 'bearer [REDACTED]'
},
request: { hook: [Function: bound hook4] AsyncFunction }
Error: A JSON web token could not be decoded - https://docs.github.com/rest
},
response: {
url: 'https://api.github.com/repos/avsaase/fusion-imu/installation',
status: 401,
headers: {
'access-control-allow-origin': '*',
'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
'content-length': '117',
'content-security-policy': "default-src 'none'",
'content-type': 'application/json; charset=utf-8',
date: 'Wed, 03 Jul 2024 22:33:58 GMT',
'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
server: 'github.com',
'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
vary: 'Accept-Encoding, Accept, X-Requested-With',
'x-content-type-options': 'nosniff',
'x-frame-options': 'deny',
'x-github-media-type': 'github.v3; format=json',
'x-github-request-id': 'E906:311D5D:2A7971:4ADA68:6685D1D2',
'x-xss-protection': '0'
},
data: {
message: 'A JSON web token could not be decoded',
documentation_url: 'https://docs.github.com/rest',
status: '401'
}
},
attemptNumber: 4,
retriesLeft: 0
}
In my workflow file I have
- name: Generate GitHub token
uses: actions/create-github-app-token@v1
id: generate-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
The corresponding app id and private key are set as secrets in my repository. The private key is copy-pasted directly from the .pem file that downloads when creating a private key.
The app is installed
Did I do something wrong or is this a bug? Thanks.
The error is not very helpful, but it usually means that the private key is somehow not formatted correctly or invalid.
What is the correct format? I tried both with and without the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines but with no success,
I just tried it again with those line removed and then the output becomes:
Failed to create token for "fusion-imu" (attempt 2): Invalid keyData
Failed to create token for "fusion-imu" (attempt 3): Invalid keyData
Failed to create token for "fusion-imu" (attempt 4): Invalid keyData
DOMException [DataError]: Invalid keyData
at Object.rsaImportKey (node:internal/crypto/rsa:235:15)
at SubtleCrypto.importKey (node:internal/crypto/webcrypto:615:10)
... 6 lines matching cause stack trace ...
at /home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39717:71
Error: Invalid keyData
at RetryOperation._fn (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39645:30) {
attemptNumber: 4,
retriesLeft: 0,
[cause]: Error: error:0680007B:asn1 encoding routines::header too long
at createPrivateKey (node:internal/crypto/keys:632:12)
at Object.rsaImportKey (node:internal/crypto/rsa:229:21)
at SubtleCrypto.importKey (node:internal/crypto/webcrypto:615:10)
at getToken (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:37839:56)
at githubAppJwt (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:37872:23)
at getAppAuthentication (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39166:37)
at hook4 (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39450:37)
at newApi (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:37130:36)
at getTokenFromRepository (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39768:26)
at /home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39717:71 {
library: 'asn1 encoding routines',
reason: 'header too long',
code: 'ERR_OSSL_ASN1_HEADER_TOO_LONG'
}
}
Can you please try to convert PKCS#1 (the current format that GitHub exports) to PKCS#8 and see if that helps? I documented 3 options to do that here: https://github.com/gr2m/universal-github-app-jwt/?tab=readme-ov-file#converting-pkcs1-to-pkcs8
The PKCS8 key start with -----BEGIN PRIVATE KEY-----. Make sure to leave that line as well as the ending line in when setting it as a repository secret
I needed a quick fix so I switched to another action to generate a token. I haven't tried converting the private key yet but I'll give it a try this week. You are of course welcome to try it yourself.
Can you please try to convert PKCS#1 (the current format that GitHub exports) to PKCS#8 and see if that helps? I documented 3 options to do that here: https://github.com/gr2m/universal-github-app-jwt/?tab=readme-ov-file#converting-pkcs1-to-pkcs8
The PKCS8 key start with
-----BEGIN PRIVATE KEY-----. Make sure to leave that line as well as the ending line in when setting it as a repository secret
This does not work for me :-(
The conversion didn't work for me either. Upon initial conversion, it was unhappy with line break characters, trying to strip them results in an invalid keyData error.
Clarifying my last response now. Using the OpenSSL method of converting the key, it is now being accepted by this action.
However, this feels like a bit of a poor user experience to issue the key(s) one way but have your own vendor provided action expect them in a different format.
We have tried to reproduce this error and have not been able to so far. Can somebody experiencing this please invalidate the private key that is not working for you and then provide it to us for closer inspection?
Found this issue because we're having the same problem.
Here is an invalidated key that isn't working when set as a Github Actions secret and fed to this action, including the trailing newline.
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAxi42aN8myTUNsEujDIpm6a17/mxaWYAw333JISOG7BQbk4bI
nUvU0PBbRelJxRY+THiA9I1TOZvFYmzISTmgvDB9KOoVR8rWoJeQD4Y+X1agzvsS
S2sGoVvzkEIaVcRttJxbHstpbzcFzhYzKTGWHu5poiOmVWTvwMJd0SC6V/ZY9ALo
tvwllJlI+NmDyUhbpMjz2nTaBvBKCbShqnfyvChdULdZXWO/eEQsRPqTdGOi1TZw
3ZuZ6XAXRFCyrTBXYSU/n95+5qJ4UGkn0+m34mw1+VELFTf1g11HelcC4g/cQM7v
L0t06FlHIzYi6mG2gDnOH6ildlxWCm1ILMGLeQIDAQABAoIBABhWNHhMbwbmbPfp
UeyIUnr/wupLhAzZoSbQ25ImOrti/L/xHVGzrj66RXsgWt7JDH13jt55PG8moeak
VTQoz4RMsBIGLPbUAedWtWoyohYzHSxNyMFaM0Y9dHuSoolFxfMYAFiXwirWJvBX
6ZB1dmn1/SLcHeD+tDKHq92yly+V6aComV5qJ9JGkceqJ+kbtzhCjM1quXo6ZoJh
jlvwzro2/N+u/WMzE5hcH6CV1Sc359kxXhHgkTtwoIWx+4AV49/hFqLyc1UmeqmC
yBoR5Hs0NO0BGYn2Yy34r/sqBlrfUGu2rB2Nr+bnKSi5x+tvG7QfqH+dnEhVbLeK
YhTkPwECgYEA5n+j6o7yPl/2iqxYrUrO7frGz3OASIICVfW5xt7zmo4yCp1e4KRX
gfwN5NUO6u06u9oqyRetByEiPro7fLCRv8MjlcGRKMF8Sd840t0yjlJ5rzQUgpyt
hiag5qaDmk91WEeHurskZH0e24wKIviiifylY7gpQcPfO83IptfNLuUCgYEA3Bs8
EMOqBdscwu9+0MqzcBUV1H+nf4xwuqtjrI984T6TXKrTOIaludAydl1sv4Y8RZwW
nwSTX4GAXCfGy40ds+9HsN2BDJ11EvWYnVWSDivq41wzrEERZY255gyCcA0UTay1
5/oz3mVntusN85BQgWe8OIz3H08wmZHrk50GDQUCgYEAxjY7GgikzfitxSBh/VtY
SROfBWQ4i6GpKoxtnlO5Pk5LQA+GOD16tt+ufvqsol8wY7w/kL/YXkoi7bguUZJx
M2s2XaCgGGESZWAcuE/ZGsRXuc9aV9st6S+sq8vDXd44dZrFYFFwAS4LbBan3Nzc
wTZOb0s9xz0N6ZqTks3+tvUCgYEAlBVOqAi8DwyHoS74Jwj5CGNnOHxZ+JpIDY7Z
lHNFFVXAVwwm51TPkt/b036vd3uceUi2f23YqNy7u0SXnsLmRPSrSvb7p70X0xWh
A9laVmZ9tVGHAlEUnzpm47tu1mw2SLv19oiC9RFMYehqjn99alKcc3+Dk3D3xZpC
4CE4vPECgYEAsgroShv94iuGIrSGeOytp0H3ZeDaE75YodcEfXYGXXbsqLZyr8q5
oX7zvpc3kLgp7mfCcGg4vQCz0HpOW2i9miJoEe9xbNrQvG1MXmqFM520BNumu+cF
Db0sk6yn3104hgLmfUzdJ1CQZTlnEz9KvYdmwCYVy4HzB38qqLZBTNo=
-----END RSA PRIVATE KEY-----
Converting it to PKCS#8 with OpenSSL did not work.
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
-in app.2024-08-02.private-key.pem \
-out app.2024-08-02.private-key-pkcs8.pem
In our case this error happened because there were repo-level Github Actions values that were overriding the org-level values, so rotating a private key at the org-level had no effect. The key exported directly from Github works with this action now.
I think we've figured out what's going on here!
We were able to reproduce this error by providing a valid app ID and a private key that do not match. Please double-check that you are using the correct app ID and a valid private key that belongs to that app.
We'd like to make the error more helpful for those that encounter this error in the future. Pull requests welcome! See https://github.com/octokit/auth-app.js/issues/375 for more information.
We were able to reproduce this error by providing a valid app ID and a private key that do not match. Please double-check that you are using the correct app ID and a valid private key that belongs to that app.
I came here to say I ran into this myself, where I had accidentally set the "installation ID" as the "app ID", and amending that fixed it. 🙈
In my case I was calling the "GET /app/installations/${installation_id}" endpoint, and converting from PKCS#1 to PKCS#8 was the solution.
That said... I've been successfully calling other endpoints with the PCKS#1 certificate without problem, and I find the inconsistency of this behaviour to be absolutely staggering. If GitHub wants to move to PCKS#8 as the default then might I suggest that they actually RETURN A CERTIFICATE IN THAT FORMAT when we generate one?
Conversion is not always readily accessible. For example, there are "serverless" cloud hosting providers that use a javascript engine without access to the full node.js crypt functionality, meaning that conversion requires a third party library that - as far as I can tell - simply doesn't exist, and of course openssl simply isn't available in that environment. If you should want to install multiple apps via manifests and don't have just the one (for which manual key conversion is less painful) then this starts to become a MAJOR issue.
@gr2m listed three conversion options, none of which are suitable
- Using an Online Private Key Converter (in an automated scenario? Could this be less secure?)
- Using Node.js (See above, not always available)
- Using OpenSSL (See above, not always available)
GitHub needs to do better. Much Much better.
I got this as well because I'd copied the wrong private key 🤦♂️ not sure if I'd been able to debug it without seeing this issue
In case someone else stumbles in here due to the "Not found" error.
In my case the Github Apps permission was not set to allow usage in all repositories, but you had to explicitly add which repositories it worked in.
I encountered a similar issue and resolved it by running this command:
cat my-app.private-key.pem | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2 > my-app.private-key-escaped.pem
This reformatted the private key correctly. I hope this helps!
I solved my issue by:
- created the application and installed on my profile, also downloaded the private key and then, converted it to the pkcs8 format using this command:
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
-in paleriquebot.2025-01-21.private-key.pem \
-out paleriquebot.2025-01-21.private-key-pkcs8.pem\n
This resulted in a key using the specified format:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCj9ItKMT+doxho
nOjAmJPwdr+hJ/XBmG4hw00gfLYTn3T9fRqYSmBekqd3P7VfOg06q8vBbRq9l/TH
R/2RDL8DwQW/c7DR7ZIBZ3S+m8/CR61AFxPNUHjLgUXAWiRi4BExPGrWlesuTPqM
6GPgjAWKleked02VZYBnuBWFgHdbGDF3qCq91u5MBWj/wE47rslYfQEBNbjy2N6P
2wM1u3REJ8o6Ek1YMC/CrNzrqtz66nvx8CERZjheEqZA8Q4ZU4XcyCXqFX2Tc0um
(...)
W8aNFs90bvc/Z3hWShTy7qliLE5VxfaISHGaO1PTzzMXm+mvpocuLoAMpjzptnr2
s1Xf+87IhBSsqB3/oNAIfqPyXT6lW0jpQERrf6HTAoGBAIPIY333gn3wlnD4kNXC
B6mbwTrYkueNMvn1e4+B017rjCSP2BZewuu25mwOFBHhHvvC3fBLz+XgPeqco9nf
S4La3Idej+rj3E+ykrmJe/LPt8Bym8iCHezy/XkhDSMWsh9O1fCJwXLlcYSeY7gO
ByYJP5+pDozsFkcep0LvkTxg
-----END PRIVATE KEY-----
Then I copied everything, including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- parts, and pasted on my secret that is used by Github actions.
This step above is important (to copy the entire key), if you copy just what is in between it will fail!
This solved my issue.
I solved my issue by:
- created the application and installed on my profile, also downloaded the private key and then, converted it to the pkcs8 format using this command:
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt
-in paleriquebot.2025-01-21.private-key.pem
-out paleriquebot.2025-01-21.private-key-pkcs8.pem\n This resulted in a key using the specified format:-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCj9ItKMT+doxho nOjAmJPwdr+hJ/XBmG4hw00gfLYTn3T9fRqYSmBekqd3P7VfOg06q8vBbRq9l/TH R/2RDL8DwQW/c7DR7ZIBZ3S+m8/CR61AFxPNUHjLgUXAWiRi4BExPGrWlesuTPqM 6GPgjAWKleked02VZYBnuBWFgHdbGDF3qCq91u5MBWj/wE47rslYfQEBNbjy2N6P 2wM1u3REJ8o6Ek1YMC/CrNzrqtz66nvx8CERZjheEqZA8Q4ZU4XcyCXqFX2Tc0um (...) W8aNFs90bvc/Z3hWShTy7qliLE5VxfaISHGaO1PTzzMXm+mvpocuLoAMpjzptnr2 s1Xf+87IhBSsqB3/oNAIfqPyXT6lW0jpQERrf6HTAoGBAIPIY333gn3wlnD4kNXC B6mbwTrYkueNMvn1e4+B017rjCSP2BZewuu25mwOFBHhHvvC3fBLz+XgPeqco9nf S4La3Idej+rj3E+ykrmJe/LPt8Bym8iCHezy/XkhDSMWsh9O1fCJwXLlcYSeY7gO ByYJP5+pDozsFkcep0LvkTxg -----END PRIVATE KEY-----Then I copied everything, including the
-----BEGIN PRIVATE KEY-----and-----END PRIVATE KEY-----parts, and pasted on my secret that is used by Github actions.This step above is important (to copy the entire key), if you copy just what is in between it will fail!
This solved my issue.
Thanks! worked for me.
I solved my issue by:
- created the application and installed on my profile, also downloaded the private key and then, converted it to the pkcs8 format using this command:
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt
-in paleriquebot.2025-01-21.private-key.pem
-out paleriquebot.2025-01-21.private-key-pkcs8.pem\n This resulted in a key using the specified format:-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCj9ItKMT+doxho nOjAmJPwdr+hJ/XBmG4hw00gfLYTn3T9fRqYSmBekqd3P7VfOg06q8vBbRq9l/TH R/2RDL8DwQW/c7DR7ZIBZ3S+m8/CR61AFxPNUHjLgUXAWiRi4BExPGrWlesuTPqM 6GPgjAWKleked02VZYBnuBWFgHdbGDF3qCq91u5MBWj/wE47rslYfQEBNbjy2N6P 2wM1u3REJ8o6Ek1YMC/CrNzrqtz66nvx8CERZjheEqZA8Q4ZU4XcyCXqFX2Tc0um (...) W8aNFs90bvc/Z3hWShTy7qliLE5VxfaISHGaO1PTzzMXm+mvpocuLoAMpjzptnr2 s1Xf+87IhBSsqB3/oNAIfqPyXT6lW0jpQERrf6HTAoGBAIPIY333gn3wlnD4kNXC B6mbwTrYkueNMvn1e4+B017rjCSP2BZewuu25mwOFBHhHvvC3fBLz+XgPeqco9nf S4La3Idej+rj3E+ykrmJe/LPt8Bym8iCHezy/XkhDSMWsh9O1fCJwXLlcYSeY7gO ByYJP5+pDozsFkcep0LvkTxg -----END PRIVATE KEY-----Then I copied everything, including the
-----BEGIN PRIVATE KEY-----and-----END PRIVATE KEY-----parts, and pasted on my secret that is used by Github actions.This step above is important (to copy the entire key), if you copy just what is in between it will fail!
This solved my issue.
Just saved me hours of debugging. You. are. amazing.
I think we've figured out what's going on here!
We were able to reproduce this error by providing a valid app ID and a private key that do not match. Please double-check that you are using the correct app ID and a valid private key that belongs to that app.
We'd like to make the error more helpful for those that encounter this error in the future. Pull requests welcome! See octokit/auth-app.js#375 for more information.
jfc thank you so much. Ive been debugging for hours lol. I had a dev version of the app and a prod version and I had the ids mixed up.
In my case, I should specify the client ID instead of the App ID. I wasted almost 3 hours because of this!
In my case, I should specify the client ID instead of the App ID. I wasted almost 3 hours because of this!
Are you sure? Either should work at this point.
This is the popular thread for this error message, so I wanted to put my situation even though it's not in a Github action.
If you are using JS SDKs, you can get this message by trying to use the Github app installation token for auth instead of the private key for auth. Seems obvious but easy mixup.
