Update Secrets via GitHub Actions

Automate Refreshing Instagram Auth Token in Azure Web App and GitHub Repository Secrets Using GitHub Actions


Managing access tokens is a critical part of any application interacting with third-party APIs, including Instagram’s Graph API. Instagram access tokens, particularly long-lived ones, eventually expire and need refreshing. Automating this process ensures uninterrupted service while reducing manual intervention.

In this post, we’ll explore how to automate the process of refreshing Instagram access tokens and updating them in both Azure Web App configuration and GitHub repository secrets using GitHub Actions.


Why Automate Instagram Token Refresh?

Instagram’s API tokens have a limited lifespan; even long-lived tokens last only about 60 days. Regularly updating these tokens in your application environment and CI/CD workflows is vital. Automation offers several benefits:

  • Reduces manual errors during token updates.
  • Ensures continuous application functionality.
  • Saves time and effort, especially for production systems.

Overview of the Automation Process

The automated workflow will:

  1. Refresh the Instagram access token using the Instagram Graph API.
  2. Update the refreshed token in Azure Web App configuration.
  3. Update the refreshed token in GitHub repository secrets.

This will be achieved using a scheduled GitHub Actions workflow.


Prerequisites

Before setting up the automation, ensure you have:

  • An existing Azure Web App for hosting your application.
    • Azure service principal credentials for authenticating with Azure.
  • Access to the Instagram API with an existing long-lived token.
  • A GitHub repository with your application code.

Step 1: Create a GitHub Actions Workflow for Automation

GitHub Actions provides a flexible environment for automating tasks. We’ll create a workflow that runs periodically to refresh and update the Instagram token.

Workflow File: .github/workflows/refresh-token.yml

name: Refresh Instagram Auth Token

on:
  schedule:
    - cron: '0 0 * * 1' # Runs every Monday at midnight (UTC)
  workflow_dispatch: # Allows manual triggering

jobs:
  refresh-token:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout Repository
      uses: actions/checkout@v4

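    - name: Refresh Instagram Access Token
      id: renew # later steps read steps.renew.outputs.token
      env:
        # Pass the secret through the environment instead of interpolating it into the script
        INSTAGRAM_ACCESS_TOKEN: ${{ secrets.INSTAGRAM_ACCESS_TOKEN }}
      run: |
        response=$(curl -s -X GET "https://graph.instagram.com/refresh_access_token?grant_type=ig_refresh_token&access_token=${INSTAGRAM_ACCESS_TOKEN}")
        token=$(echo "$response" | jq -r '.access_token')
        # Stop here if the refresh failed, so "null" is never written to Azure or GitHub
        if [ -z "$token" ] || [ "$token" = "null" ]; then
          echo "Token refresh failed" >&2
          exit 1
        fi
        # The refreshed value is not a registered secret yet, so mask it in the logs
        echo "::add-mask::$token"
        expires_in=$(echo "$response" | jq '.expires_in')
        expires_in_days=$(echo "$expires_in / 86400" | bc)
        echo "Token expires in $expires_in_days days"
        echo "token=$token" >> "$GITHUB_OUTPUT"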

    - name: Login to Azure
      uses: azure/login@v2
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}

    - name: Update Azure Web App configuration
      uses: Azure/appservice-settings@v1
      with:
        app-name: '${{ secrets.AZURE_WEBAPP_NAME }}'
        app-settings-json: |
          [
            {
              "name": "Instagram__AccessToken",
              "value": "${{ steps.renew.outputs.token }}",
              "slotSetting": false
            }
          ]

    - name: Get GitHub App token
      uses: actions/create-github-app-token@v1
      id: app-token
      with:
        app-id: ${{ secrets.GH_APP_ID }}
        private-key: ${{ secrets.APP_PRIVATE_KEY }}

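    - name: Update GitHub Repository Secret
      run: |
        # Write to the same secret the refresh step reads, so the next run starts from the refreshed token
        gh secret set INSTAGRAM_ACCESS_TOKEN --body "$NEW_TOKEN" --repo ${{ github.repository }}
      env:
        GH_TOKEN: ${{ steps.app-token.outputs.token }}
        # Passed through the environment so the token is not interpolated into the script text
        NEW_TOKEN: ${{ steps.renew.outputs.token }}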

Step 2: Create and Configure GitHub App to update repository secrets

GitHub Apps provide an efficient way to interact with GitHub’s API securely. If you need to manage repository secrets programmatically, you can configure a GitHub App with the necessary permissions. Here’s how to do it:

1: Create a GitHub App

  1. Navigate to GitHub Settings
    Go to your GitHub account or organization settings and select Developer settings.

  2. Select “GitHub Apps”
    In the left sidebar, click on GitHub Apps and then click New GitHub App.

  3. Fill in App Details
    • App Name: Enter a unique name for your GitHub App.
    • Homepage URL: Provide a URL for your app (e.g., your project’s site or repo).
    • Callback URL: Add a valid callback URL if your app uses OAuth (optional for this use case).
  4. Permissions:
    • Under Repository permissions, set the following:
      • Secrets: Select Read and write.

  5. Events (Optional):
    • Enable events like workflow_run if you need to monitor workflows.
  6. Save and Generate Keys
    • Save the app and download the private key for authentication. This key will need to be saved in the repository secrets to retrieve the GitHub App token.

Read more about GitHub Apps

2: Install the GitHub App

  1. After creating the app, click Install App under the app’s settings.
  2. Choose the repository or organization where the app should have access.
  3. Complete the installation.

3: Authenticate the GitHub App

In our workflow we are using the private key and App ID to authenticate the app and obtain an access token for accessing repository secrets. To simplify this process, we can use the create-github-app-token action to generate the token.

...
    - name: Get GitHub App token
      uses: actions/create-github-app-token@v1
      id: app-token
      with:
        app-id: ${{ secrets.GH_APP_ID }}
        private-key: ${{ secrets.APP_PRIVATE_KEY }}
...

Step 3: Configure GitHub Secrets

Add the following secrets to your GitHub repository:

  1. INSTAGRAM_ACCESS_TOKEN: Your existing Instagram access token.
  2. AZURE_WEBAPP_NAME: Name of your Azure Web App.
  3. AZURE_CREDENTIALS: Azure service principal credentials.
  4. GH_APP_ID: GitHub App ID.
  5. APP_PRIVATE_KEY: GitHub App private key.

Step 4: Verify the Workflow

  1. Push the .yml file to your GitHub repository.
  2. Wait for the scheduled run or trigger the workflow manually.
  3. Check the workflow logs to ensure the token was refreshed and updated successfully.
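
An added example, not part of the original post: a Python helper that the refresh step could pipe the curl response into instead of parsing it with jq, so that a failed or malformed refresh stops the run before anything is written to Azure or GitHub. The 7-day minimum, the function and exception names, and the sample responses are assumptions made for illustration.

```python
import json
import os
import sys

MIN_DAYS = 7  # assumption: a weekly schedule needs at least one interval of validity left
# Constructed sample responses (not captured from the API).
SAMPLE_OK = '{"access_token": "EXAMPLE-TOKEN-constructed", "token_type": "bearer", "expires_in": 5183944}'
SAMPLE_ERROR = '{"error": {"message": "Session has expired", "type": "OAuthException", "code": 190}}'

class RefreshError(Exception):
    """The refresh response must not be written to any secret store."""

def parse_refresh_response(body, min_days=MIN_DAYS):
    """Return (token, whole days until expiry) or raise RefreshError."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise RefreshError("response is not JSON") from exc
    if not isinstance(data, dict):
        raise RefreshError("response is not a JSON object")
    if "error" in data:
        err = data["error"]
        detail = err.get("message", "unknown") if isinstance(err, dict) else err
        raise RefreshError(f"API error: {detail}")
    token = data.get("access_token")
    # A missing field is None here (jq -r would print the string "null").
    if not isinstance(token, str) or not token:
        raise RefreshError("no access_token in response")
    # Whitespace or a newline would corrupt the name=value line in $GITHUB_OUTPUT.
    if any(ch.isspace() or not ch.isprintable() for ch in token):
        raise RefreshError("access_token contains whitespace or control characters")
    expires_in = data.get("expires_in")
    if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
        raise RefreshError("missing or invalid expires_in")
    days = expires_in // 86400
    if days < min_days:
        raise RefreshError(f"token valid for only {days} days")
    return token, days

if __name__ == "__main__":
    try:
        token, days = parse_refresh_response(sys.stdin.read())
    except RefreshError as exc:
        sys.exit(f"Refusing to update secrets: {exc}")
    print(f"::add-mask::{token}")  # mask before anything else can log the value
    print(f"Token expires in {days} days")
    with open(os.environ["GITHUB_OUTPUT"], "a", encoding="utf-8") as fh:
        fh.write(f"token={token}\n")
```

A non-zero exit from the helper fails the refresh step, so the Azure and GitHub update steps after it do not run.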

Step 5: Monitor and Maintain

  • Log Monitoring: Use GitHub Actions logs to monitor the status of the workflow.
  • Azure Monitoring: Ensure the token updates are reflected in your Azure Web App settings.
  • Debugging: If the workflow fails, review error messages and ensure API permissions are correctly configured.

Conclusion

By automating the process of refreshing Instagram access tokens and updating them in Azure Web App and GitHub repository secrets, you can streamline token management and reduce downtime. Using GitHub Actions provides a seamless way to implement this automation, ensuring your application runs smoothly with minimal manual intervention.

Implement this solution today to save time and maintain uninterrupted access to Instagram’s API!