joshjohanning · joshjohanning · Oct 21, 2025 · Oct 21, 2025 · Oct 21, 2025 · Oct 21, 2025
diff --git a/gh-cli/github-app-manifest-form.html b/gh-cli/github-app-manifest-form.html
@@ -0,0 +1,155 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>GitHub App Manifest Test</title>
+    <style>
+        body { font-family: Arial, sans-serif; max-width: 800px; margin: 50px auto; padding: 20px; }
+        .container { background: #f6f8fa; padding: 20px; border-radius: 8px; border: 1px solid #d1d9e0; }
+        textarea { width: 100%; height: 300px; font-family: monospace; }
+        button { background: #2ea043; color: white; padding: 10px 20px; border: none; border-radius: 6px; cursor: pointer; }
+        button:hover { background: #2c974b; }
+        .warning { background: #fff3cd; border: 1px solid #ffeaa7; padding: 10px; border-radius: 4px; margin: 10px 0; }
+        .info { background: #d1ecf1; border: 1px solid #bee5eb; padding: 10px; border-radius: 4px; margin: 10px 0; }
+        .success { background: #d4edda; border: 1px solid #c3e6cb; padding: 10px; border-radius: 4px; margin: 10px 0; }
+        .code-block { background: #f1f3f4; border: 1px solid #d1d5da; padding: 15px; border-radius: 6px; font-family: monospace; white-space: pre-wrap; margin: 10px 0; }
+        .hidden { display: none; }
+        details { margin: 10px 0; }
+        summary { cursor: pointer; font-weight: bold; padding: 5px; }
+        .dropdown-content { padding: 10px; background: #f8f9fa; border-radius: 4px; margin-top: 5px; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <h1>GitHub App Manifest Test</h1>
+
+        <div class="info">
+            <strong>What happens next:</strong>
+            <ol>
+                <li>Start a local server (see instructions below)</li>
+                <li>Click "Create GitHub App" below</li>
+                <li>GitHub will redirect you to review and create the app</li>
+                <li>After creation, GitHub redirects back with a temporary code</li>
+                <li>The code will be automatically displayed and you can copy it</li>
+            </ol>
+        </div>
+
+        <details>
+            <summary>🚀 How to start local server (click to expand)</summary>
+            <div class="dropdown-content">
+                <p>Before using this form, you need to serve this HTML file over HTTP. Run one of these commands in the directory containing this file:</p>
+                <div class="code-block">
+# Python 3
+python3 -m http.server 8000
+
+# Python 2
+python -m SimpleHTTPServer 8000
+
+# Node.js (if you have npx)
+npx http-server -p 8000
+
+# PHP
+php -S localhost:8000
+                </div>
+                <p>Then open: <strong>http://localhost:8000/github-app-manifest-form.html</strong></p>
+            </div>
+        </details>
+
+        <details>
+            <summary>⚠️ Important Notes (click to expand)</summary>
+            <div class="dropdown-content">
+                <div class="warning">
+                    <ul>
+                        <li><strong>This will create a real GitHub App!</strong> Make sure you understand what you're doing.</li>
+                        <li>The app will be created for organization 'joshjohanning-org'.</li>
+                        <li>You can delete the app later from GitHub's settings if needed.</li>
+                        <li>Make sure you're accessing this page via http://localhost:8000, not file://</li>
+                    </ul>
+                </div>
+            </div>
+        </details>
+
+        <!-- Success message when code is received -->
+        <div id="success-message" class="success hidden">
+            <strong>Success!</strong> Received the manifest code from GitHub:
+            <div class="code-block" id="manifest-code"></div>
+            <p>You can now use this code with the script:</p>
+            <div class="code-block" id="script-command"></div>
+        </div>
+
+        <form action="https://github.com/organizations/joshjohanning-org/settings/apps/new?state=abc123" method="post">
+            <h3>App Manifest Configuration:</h3>
+            <textarea name="manifest" id="manifest" readonly></textarea>
+            <br><br>
+            <button type="submit">Create GitHub App from Manifest</button>
+        </form>
+
+        <details>
+            <summary>📋 How to use the manifest code (click to expand)</summary>
+            <div class="dropdown-content">
+                <p>Once you get the code back from GitHub, you can use it with the conversion script:</p>
+                <div class="code-block">./create-github-app-from-manifest.sh YOUR_CODE_HERE</div>
+                <p>Or manually with gh CLI:</p>
+                <div class="code-block">gh api \
+  --method POST \
+  -H "Accept: application/vnd.github+json" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  /app-manifests/YOUR_CODE_HERE/conversions</div>
+            </div>
+        </details>
+    </div>
+
+    <script>
+        // Determine the current URL - use localhost if we're on a local server
+        let redirectUrl = 'http://localhost:8000/github-app-manifest-form.html';
+
+        // If we're already on a proper HTTP server, use the current location
+        if (window.location.protocol === 'http:' || window.location.protocol === 'https:') {
+            redirectUrl = window.location.href.split('?')[0]; // Remove any existing query params
+        }
+
+        // Sample manifest configuration
+        const manifest = {
+            "name": "Test App from Manifest",
+            "url": "https://www.example.com",
+            "hook_attributes": {
+                "url": "https://example.com/github/events"
+            },
+            "redirect_url": redirectUrl,
+            "callback_urls": [
+                redirectUrl
+            ],
+            "public": false,
+            "default_permissions": {
+                "metadata": "read",
+                "contents": "read",
+                "issues": "write"
+            },
+            "default_events": [
+                "issues",
+                "issue_comment",
+                "push"
+            ]
+        };
+
+        // Populate the textarea with the manifest JSON
+        document.getElementById('manifest').value = JSON.stringify(manifest, null, 2);
+
+        // Check if we're returning from GitHub with a code
+        window.addEventListener('load', function() {
+            const urlParams = new URLSearchParams(window.location.search);
+            const code = urlParams.get('code');
+            const state = urlParams.get('state');
+
+            if (code) {
+                // Show success message
+                document.getElementById('success-message').classList.remove('hidden');
+                document.getElementById('manifest-code').textContent = code;
+                document.getElementById('script-command').textContent = `./create-github-app-from-manifest.sh ${code}`;
+
+                // Scroll to success message
+                document.getElementById('success-message').scrollIntoView({ behavior: 'smooth' });
+            }
+        });
+    </script>
+</body>
+</html>
diff --git a/scripts/README.md b/scripts/README.md
@@ -36,15 +36,7 @@ Configuration values to change in the script:
 
 Migrate work items from Azure DevOps to GitHub issues - this just links out to a [separate repo](https://github.com/joshjohanning/ado_workitems_to_github_issues)
 
-## delete-branch-protection-rules.ps1
-
-Delete branch protection rules programmatically based on a pattern.
-
-## gei-clean-up-azure-storage-account.sh
-
-Clean up Azure Storage Account Containers from GEI migrations.
-
-## get-app-jwt.py
+## create-app-jwt.py
 
 This script will generate a JWT for a GitHub App. It will use the private key and app ID from the GitHub App's settings page.
 
@@ -55,6 +47,29 @@ This script will generate a JWT for a GitHub App. It will use the private key an
 
 Script sourced from [GitHub docs](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#example-using-python-to-generate-a-jwt).
 
+## create-app-jwt.sh
+
+Generate a JWT (JSON Web Token) for a GitHub App using bash. This is a shell script alternative to `create-app-jwt.py`.
+
+Usage:
+
+```bash
+./create-app-jwt.sh <client-id> <path-to-private-key.pem>
+```
+
+The script generates a JWT that is valid for 10 minutes, which can be used to authenticate as a GitHub App and obtain installation tokens.
+
+> [!NOTE]
+> Requires `openssl` to be installed. The JWT can be used with the GitHub API to generate installation access tokens.
+
+## delete-branch-protection-rules.ps1
+
+Delete branch protection rules programmatically based on a pattern.
+
+## gei-clean-up-azure-storage-account.sh
+
+Clean up Azure Storage Account Containers from GEI migrations.
+
 ## get-app-tokens-for-each-installation.sh
 
 This script will generate generate a JWT for a GitHub app and use that JWT to generate installation tokens for each org installation. The installation tokens, returned as `ghs_abc`, can then be used for normal API calls. It will use the private key and app ID from the GitHub App's settings page and the `get-app-jwt.py` script to generate the JWT, and then use the JWT to generate the installation tokens for each org installation.
@@ -94,6 +109,26 @@ My use case is to use this list to determine who needs to be added to a organiza
 1. Run: `./new-users-to-add-to-project.sh <org> <repo> <file>`
 2. Don't delete the `<file>` as it functions as your user database
 
+## github-app-manifest-scripts
+
+Scripts to create GitHub Apps using the [GitHub App Manifest flow](https://docs.github.com/en/apps/sharing-github-apps/registering-a-github-app-from-a-manifest). The manifest flow allows you to create a GitHub App by posting a JSON manifest to GitHub, which then generates the app credentials.
+
+**Workflow:**
+
+1. **Generate HTML form**: Run `generate-github-app-manifest-form.sh [organization]` to create an HTML file
+2. **Start local server**: Serve the HTML file (e.g., `python3 -m http.server 8000`)
+3. **Create app via browser**: Open the form, submit it to GitHub, and get redirected back with a manifest code
+4. **Convert manifest code**: Use `create-github-app-from-manifest.sh` to convert the code into app credentials
+
+**Scripts:**
+
+- **generate-github-app-manifest-form.sh**: Generates an HTML form for the manifest flow
+- **create-github-app-from-manifest.sh**: Converts manifest code into app credentials with detailed output and error handling
+- **github-app-manifest-form-example.html**: Example HTML form (generated output)
+
+> [!NOTE]
+> Requires `curl`, `jq`, and a classic GitHub personal access token (`ghp_*`). Fine-grained tokens are not supported for the manifest conversion endpoint.
+
 ## migrate-discussions
 
 See: [migrate-discussions](./migrate-discussions/README.md)

diff --git a/scripts/get-app-jwt.py → scripts/create-app-jwt.py b/scripts/get-app-jwt.py → scripts/create-app-jwt.py
diff --git a/scripts/create-app-jwt.sh b/scripts/create-app-jwt.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+client_id=$1 # Client ID as first argument
+
+pem=$( cat $2 ) # file path of the private key as second argument
+
+now=$(date +%s)
+iat=$((${now} - 60)) # Issues 60 seconds in the past
+exp=$((${now} + 600)) # Expires 10 minutes in the future
+
+b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+
+header_json='{
+    "typ":"JWT",
+    "alg":"RS256"
+}'
+# Header encode
+header=$( echo -n "${header_json}" | b64enc )
+
+payload_json="{
+    \"iat\":${iat},
+    \"exp\":${exp},
+    \"iss\":\"${client_id}\"
+}"
+# Payload encode
+payload=$( echo -n "${payload_json}" | b64enc )
+
+# Signature
+header_payload="${header}"."${payload}"
+signature=$(
+    openssl dgst -sha256 -sign <(echo -n "${pem}") \
+    <(echo -n "${header_payload}") | b64enc
+)
+
+# Create JWT
+JWT="${header_payload}"."${signature}"
+printf '%s\n' "$JWT"