coder · f0ssel · May 2, 2024 · Apr 26, 2024 · Apr 27, 2024 · Apr 27, 2024
diff --git a/.icons/github.svg b/.icons/github.svg
diff --git a/github-upload-public-key/README.md b/github-upload-public-key/README.md
@@ -0,0 +1,34 @@
+---
+display_name: Github Upload Public Key
+description: Automates uploading Coder public key to Github so users don't have to.
+icon: ../.icons/github.svg
+maintainer_github: f0ssel
+verified: true
+tags: [helper, git]
+---
+
+# github-upload-public-key
+
+Templates that utilize Github External Auth can automatically ensure that the Coder public key is uploaded to Github so that users can clone repositories without needing to upload the public key themselves.
+
+```tf
+module "github-upload-public-key" {
+  source   = "registry.coder.com/modules/github-upload-public-key/coder"
+  version  = "1.0.13"
+  agent_id = coder_agent.example.id
+}
+```
+
+# Requirements
+
+Github External Auth must be enabled in the workspace for this module to work. The Github app that is configured for external auth must have both read and write permissions to "Git SSH keys" in order to upload the public key. Additionally, a Coder admin must also have the `admin:public_key` scope added to the external auth configuration of the Coder deployment. For example:
+
+```
+CODER_EXTERNAL_AUTH_0_ID="USER_DEFINED_ID"
+CODER_EXTERNAL_AUTH_0_TYPE=github
+CODER_EXTERNAL_AUTH_0_CLIENT_ID=xxxxxx
+CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=xxxxxxx
+CODER_EXTERNAL_AUTH_0_SCOPES="repo,workflow,admin:public_key"
+```
+
+Note that the default scopes if not provided are `repo,workflow`.
diff --git a/github-upload-public-key/main.tf b/github-upload-public-key/main.tf
@@ -0,0 +1,26 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 0.12"
+    }
+  }
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+resource "coder_script" "github_upload_public_key" {
+  agent_id = var.agent_id
+  script = templatefile("${path.module}/run.sh", {
+    CODER_OWNER_SESSION_TOKEN : data.coder_workspace.me.owner_session_token,
+    CODER_ACCESS_URL          : data.coder_workspace.me.access_url,
+  })
+  display_name       = "Github Upload Public Key"
+  icon               = "/icon/github.svg"
+  run_on_start       = true
+}
diff --git a/github-upload-public-key/run.sh b/github-upload-public-key/run.sh
@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+
+set -e
+
+CODER_ACCESS_URL="${CODER_ACCESS_URL}"
+CODER_OWNER_SESSION_TOKEN="${CODER_OWNER_SESSION_TOKEN}"
+
+if [ -z "$CODER_ACCESS_URL" ]; then
+  echo "No coder access url specified!"
+  exit 1
+fi
+
+if [ -z "$CODER_OWNER_SESSION_TOKEN" ]; then
+  echo "No coder owner session token specified!"
+  exit 1
+fi
+
+echo "Fetching GitHub token..."
+GITHUB_TOKEN=$(coder external-auth access-token github)
+if [ $? -ne 0 ]; then
+  echo "Failed to fetch GitHub token!"
+  exit 1
+fi
+if [ -z "$GITHUB_TOKEN" ]; then
+  echo "No GitHub token found!"
+  exit 1
+fi
+echo "GitHub token found!"
+
+echo "Fetching Coder public SSH key..."
+PUBLIC_KEY_RESPONSE=$(curl -L -s \
+  -w "%{http_code}" \
+  -H 'accept: application/json' \
+  -H "cookie: coder_session_token=$CODER_OWNER_SESSION_TOKEN" \
+  "$CODER_ACCESS_URL/api/v2/users/me/gitsshkey"
+)
+PUBLIC_KEY_RESPONSE_STATUS=$(tail -n1 <<< "$PUBLIC_KEY_RESPONSE")
+PUBLIC_KEY_BODY=$(sed \$d <<< "$PUBLIC_KEY_RESPONSE")
+
+if [ "$PUBLIC_KEY_RESPONSE_STATUS" -ne 200 ]; then
+  echo "Failed to fetch Coder public SSH key with status code $PUBLIC_KEY_RESPONSE_STATUS!"
+  echo "$PUBLIC_KEY_BODY"
+  exit 1
+fi
+
+PUBLIC_KEY=$(jq -r '.public_key' <<< "$PUBLIC_KEY_BODY")
+echo "Coder public SSH key found!"
+
+if [ -z "$PUBLIC_KEY" ]; then
+  echo "No Coder public SSH key found!"
+  exit 1
+fi
+
+echo "Fetching GitHub public SSH keys..."
+GITHUB_KEYS_RESPONSE=$(curl -L -s \
+  -w "%{http_code}" \
+  -H "Accept: application/vnd.github+json" \
+  -H "Authorization: Bearer $GITHUB_TOKEN" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  https://api.github.com/user/keys
+)
+GITHUB_KEYS_RESPONSE_STATUS=$(tail -n1 <<< "$GITHUB_KEYS_RESPONSE")
+GITHUB_KEYS_RESPONSE_BODY=$(sed \$d <<< "$GITHUB_KEYS_RESPONSE")
+
+if [ "$GITHUB_KEYS_RESPONSE_STATUS" -ne 200 ]; then
+  echo "Failed to fetch Coder public SSH key with status code $GITHUB_KEYS_RESPONSE_STATUS!"
+  echo "$GITHUB_KEYS_RESPONSE_BODY"
+  exit 1
+fi
+
+GITHUB_MATCH=$(jq -r --arg PUBLIC_KEY "$PUBLIC_KEY" '.[] | select(.key == $PUBLIC_KEY) | .key' <<< "$GITHUB_KEYS_RESPONSE_BODY")
+
+if [ "$PUBLIC_KEY" = "$GITHUB_MATCH" ]; then
+  echo "Coder public SSH key is already uploaded to GitHub!"
+  exit 0
+fi
+
+echo "Coder public SSH key not found in GitHub keys!"
+echo "Uploading Coder public SSH key to GitHub..."
+CODER_PUBLIC_KEY_NAME="$CODER_ACCESS_URL Workspaces"
+UPLOAD_RESPONSE=$(curl -L -s \
+  -X POST \
+  -w "%{http_code}" \
+  -H "Accept: application/vnd.github+json" \
+  -H "Authorization: Bearer $GITHUB_TOKEN" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  https://api.github.com/user/keys \
+  -d "{\"title\":\"$CODER_PUBLIC_KEY_NAME\",\"key\":\"$PUBLIC_KEY\"}"
+)
+UPLOAD_RESPONSE_STATUS=$(tail -n1 <<< "$UPLOAD_RESPONSE")
+UPLOAD_RESPONSE_BODY=$(sed \$d <<< "$UPLOAD_RESPONSE")
+
+if [ "$UPLOAD_RESPONSE_STATUS" -ne 201 ]; then
+  echo "Failed to upload Coder public SSH key with status code $UPLOAD_RESPONSE_STATUS!"
+  echo "$UPLOAD_RESPONSE_BODY"
+  exit 1
+fi
+
+echo "Coder public SSH key uploaded to GitHub!"