Compare commits

..

7 Commits

Author SHA1 Message Date
semantic-release-bot d28ad69b67 build(release): 3.0.0-beta.3 [skip ci]
# [3.0.0-beta.3](https://github.com/actions/create-github-app-token/compare/v3.0.0-beta.2...v3.0.0-beta.3) (2026-03-13)

### Bug Fixes

* require `NODE_USE_ENV_PROXY` for proxy support ([#342](https://github.com/actions/create-github-app-token/issues/342)) ([54e58b6](https://github.com/actions/create-github-app-token/commit/54e58b612c0c4e52564c3c87486532017ad95b22))
2026-03-13 06:19:27 +00:00
Parker Brown 54e58b612c fix: require NODE_USE_ENV_PROXY for proxy support (#342)
This PR switches proxy support to Node's native env-proxy handling and
makes the required configuration explicit.

## What changed

- fail fast in both `main` and `post` when proxy configuration is
present without `NODE_USE_ENV_PROXY=1`
- document the supported proxy configuration in `README.md`
- add regression tests for the proxy guard in both entrypoints
- keep the existing successful end-to-end coverage and add a smaller
proxy-specific workflow check that enables native proxy support, points
`https_proxy` at an unreachable proxy, and asserts the action fails
- update the test workflow so the same checks also run on pushes to
`beta`

## Proxy configuration

When using `HTTP_PROXY` or `HTTPS_PROXY`, set `NODE_USE_ENV_PROXY=1` on
the action step. If you need bypass rules, set `NO_PROXY` alongside
them.

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-12 23:18:56 -07:00
semantic-release-bot bf559f8544 build(release): 3.0.0-beta.2 [skip ci]
# [3.0.0-beta.2](https://github.com/actions/create-github-app-token/compare/v3.0.0-beta.1...v3.0.0-beta.2) (2025-08-22)

### Bug Fixes

* remove custom proxy handling ([#143](https://github.com/actions/create-github-app-token/issues/143)) ([cda91bf](https://github.com/actions/create-github-app-token/commit/cda91bf2b93cf1d3306b458b2a4f7fcd9de9175f)), closes [#134](https://github.com/actions/create-github-app-token/issues/134)
2025-08-22 19:16:51 +00:00
Parker Brown cda91bf2b9 fix: remove custom proxy handling (#143)
Undici has added native support for proxy handling, so it is no longer necessary for us to have our own custom proxy handling.

Reverts #102 and resolves #134.
2025-08-22 12:16:16 -07:00
Parker Brown 2ae58da528 Disable semantic-release-plugin-github-breaking-version-tag
https://github.com/gr2m/semantic-release-plugin-update-version-in-files/issues/52
2025-08-15 13:03:02 -07:00
semantic-release-bot fb1c7fda2b build(release): 3.0.0-beta.1 [skip ci]
# [3.0.0-beta.1](https://github.com/actions/create-github-app-token/compare/v2.1.1...v3.0.0-beta.1) (2025-08-15)

* feat!: node 24 support ([#275](https://github.com/actions/create-github-app-token/issues/275)) ([6178938](https://github.com/actions/create-github-app-token/commit/61789386cb26150ab580cab449a9ae053bb9fd24))

### BREAKING CHANGES

* Requires [Actions Runner v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) or later if you are using a self-hosted runner.
2025-08-15 19:55:36 +00:00
Salman Chishti 61789386cb feat!: node 24 support (#275)
BREAKING CHANGE: Requires [Actions Runner v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) or later if you are using a self-hosted runner.

---------

Co-authored-by: Parker Brown <17183625+parkerbxyz@users.noreply.github.com>
2025-08-15 12:55:04 -07:00
29 changed files with 23671 additions and 75550 deletions
@@ -12,6 +12,6 @@ jobs:
id-token: write
packages: write
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v5
- name: Publish Immutable Action
uses: actions/publish-immutable-action@v0.0.4
+3 -3
View File
@@ -18,14 +18,14 @@ jobs:
runs-on: ubuntu-latest
steps:
# build local version to create token
- uses: actions/checkout@v6
- uses: actions/checkout@v5
with:
persist-credentials: false
- uses: actions/setup-node@v6
- uses: actions/setup-node@v4
with:
node-version-file: package.json
cache: 'npm'
- run: npm ci
- run: npm run build
-34
View File
@@ -1,34 +0,0 @@
# This workflow warns and then closes issues that have had no activity for a specified amount of time.
# https://github.com/actions/stale
name: Stale
on:
workflow_dispatch:
schedule:
# 00:00 UTC on Mondays
- cron: '0 0 * * 1'
permissions:
issues: write
pull-requests: write
env:
DAYS_BEFORE_STALE: 180
DAYS_BEFORE_CLOSE: 60
STALE_LABEL: 'stale'
STALE_LABEL_URL: ${{github.server_url}}/${{github.repository}}/labels/stale
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v10
with:
operations-per-run: 100
days-before-stale: ${{ env.DAYS_BEFORE_STALE }}
days-before-close: ${{ env.DAYS_BEFORE_CLOSE }}
stale-issue-label: ${{ env.STALE_LABEL }}
stale-pr-label: ${{ env.STALE_LABEL }}
stale-issue-message: 'This issue has been marked ${{ env.STALE_LABEL_URL }} because it has been open for ${{ env.DAYS_BEFORE_STALE }} days with no activity. Please close this issue if it is no longer needed. If this issue is still relevant and you would like it to remain open, simply update it within the next ${{ env.DAYS_BEFORE_CLOSE }} days.'
stale-pr-message: 'This pull request has been marked ${{ env.STALE_LABEL_URL }} because it has been open for ${{ env.DAYS_BEFORE_STALE }} days with no activity. Please close this pull request if it is no longer needed. If this pull request is still relevant and you would like it to remain open, simply update it within the next ${{ env.DAYS_BEFORE_CLOSE }} days.'
+35 -8
View File
@@ -4,8 +4,8 @@ on:
push:
branches:
- main
- beta
pull_request:
merge_group:
workflow_dispatch:
concurrency:
@@ -17,28 +17,30 @@ permissions:
jobs:
integration:
name: integration
name: Integration
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v5
- uses: actions/setup-node@v6
- uses: actions/setup-node@v4
with:
node-version-file: package.json
cache: 'npm'
- run: npm ci
- run: npm test
end-to-end:
name: end-to-end
name: End-to-End
runs-on: ubuntu-latest
# do not run from forks, as forks dont have access to repository secrets
if: github.event_name == 'merge_group' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
- uses: actions/checkout@v5
- uses: actions/setup-node@v4
with:
node-version-file: package.json
cache: 'npm'
- run: npm ci
- run: npm run build
- uses: ./ # Uses the action in the root directory
@@ -53,3 +55,28 @@ jobs:
with:
route: GET /installation/repositories
- run: echo '${{ steps.get-repository.outputs.data }}'
end-to-end-proxy:
name: End-to-End with unreachable proxy
runs-on: ubuntu-latest
# do not run from forks, as forks dont have access to repository secrets
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v4
with:
node-version-file: package.json
cache: 'npm'
- run: npm ci
- run: npm run build
- uses: ./ # Uses the action in the root directory
continue-on-error: true
id: test
env:
NODE_USE_ENV_PROXY: "1"
https_proxy: http://127.0.0.1:9
with:
app-id: ${{ vars.TEST_APP_ID }}
private-key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
- name: Assert action failed through unreachable proxy
run: test "${{ steps.test.outcome }}" = "failure"
+5 -14
View File
@@ -13,30 +13,21 @@ concurrency:
permissions:
contents: write
pull-requests: write
jobs:
update-permission-inputs:
runs-on: ubuntu-latest
env:
COMMIT_MESSAGE: 'feat: update permission inputs'
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
- uses: actions/checkout@v5
- uses: actions/setup-node@v4
with:
node-version-file: package.json
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run permission inputs update script
run: node scripts/update-permission-inputs.js
- name: Commit changes
id: auto-commit
uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
with:
commit_message: ${{ env.COMMIT_MESSAGE }}
- name: Update PR title
if: github.event_name == 'pull_request' && steps.auto-commit.outputs.changes_detected == 'true'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh pr edit ${{ github.event.pull_request.number }} --title "${{ env.COMMIT_MESSAGE }}"
commit_message: 'feat: update permission inputs'
-1
View File
@@ -1,4 +1,3 @@
.env
coverage
node_modules/
.DS_Store
+30 -41
View File
@@ -28,7 +28,7 @@ jobs:
hello-world:
runs-on: ubuntu-latest
steps:
- uses: actions/create-github-app-token@v2
- uses: actions/create-github-app-token@v3
id: app-token
with:
app-id: ${{ vars.APP_ID }}
@@ -47,13 +47,13 @@ jobs:
auto-format:
runs-on: ubuntu-latest
steps:
- uses: actions/create-github-app-token@v2
- uses: actions/create-github-app-token@v3
id: app-token
with:
# required
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ steps.app-token.outputs.token }}
ref: ${{ github.head_ref }}
@@ -73,7 +73,7 @@ jobs:
auto-format:
runs-on: ubuntu-latest
steps:
- uses: actions/create-github-app-token@v2
- uses: actions/create-github-app-token@v3
id: app-token
with:
# required
@@ -98,7 +98,7 @@ jobs:
auto-format:
runs-on: ubuntu-latest
steps:
- uses: actions/create-github-app-token@v2
- uses: actions/create-github-app-token@v3
id: app-token
with:
# required
@@ -135,7 +135,7 @@ jobs:
hello-world:
runs-on: ubuntu-latest
steps:
- uses: actions/create-github-app-token@v2
- uses: actions/create-github-app-token@v3
id: app-token
with:
app-id: ${{ vars.APP_ID }}
@@ -157,7 +157,7 @@ jobs:
hello-world:
runs-on: ubuntu-latest
steps:
- uses: actions/create-github-app-token@v2
- uses: actions/create-github-app-token@v3
id: app-token
with:
app-id: ${{ vars.APP_ID }}
@@ -182,7 +182,7 @@ jobs:
hello-world:
runs-on: ubuntu-latest
steps:
- uses: actions/create-github-app-token@v2
- uses: actions/create-github-app-token@v3
id: app-token
with:
app-id: ${{ vars.APP_ID }}
@@ -195,28 +195,6 @@ jobs:
body: "Hello, World!"
```
### Create a token for an enterprise installation
```yaml
on: [workflow_dispatch]
jobs:
hello-world:
runs-on: ubuntu-latest
steps:
- uses: actions/create-github-app-token@v2
id: app-token
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
enterprise-slug: my-enterprise-slug
- name: Call enterprise management REST API with gh
run: |
gh api /enterprises/my-enterprise-slug/apps/installable_organizations
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
```
### Create a token with specific permissions
> [!NOTE]
@@ -229,7 +207,7 @@ jobs:
hello-world:
runs-on: ubuntu-latest
steps:
- uses: actions/create-github-app-token@v2
- uses: actions/create-github-app-token@v3
id: app-token
with:
app-id: ${{ vars.APP_ID }}
@@ -271,7 +249,7 @@ jobs:
owners-and-repos: ${{ fromJson(needs.set-matrix.outputs.matrix) }}
steps:
- uses: actions/create-github-app-token@v2
- uses: actions/create-github-app-token@v3
id: app-token
with:
app-id: ${{ vars.APP_ID }}
@@ -301,7 +279,7 @@ jobs:
steps:
- name: Create GitHub App token
id: create_token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@v3
with:
app-id: ${{ vars.GHES_APP_ID }}
private-key: ${{ secrets.GHES_APP_PRIVATE_KEY }}
@@ -318,6 +296,24 @@ jobs:
GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}
```
### Proxy support
This action relies on Node.js native proxy support.
If you set `HTTP_PROXY` or `HTTPS_PROXY`, also set `NODE_USE_ENV_PROXY: "1"` on the action step so Node.js honors those variables. If you need proxy bypass rules, set `NO_PROXY` alongside them.
```yaml
- uses: actions/create-github-app-token@v3
id: app-token
env:
HTTPS_PROXY: http://proxy.example.com:8080
NO_PROXY: github.example.com
NODE_USE_ENV_PROXY: "1"
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
```
## Inputs
### `app-id`
@@ -340,7 +336,7 @@ steps:
echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@v3
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ steps.decode.outputs.private-key }}
@@ -357,13 +353,6 @@ steps:
> [!NOTE]
> If `owner` is set and `repositories` is empty, access will be scoped to all repositories in the provided repository owner's installation. If `owner` and `repositories` are empty, access will be scoped to only the current repository.
### `enterprise-slug`
**Optional:** The slug of the enterprise to generate a token for enterprise-level app installations.
> [!NOTE]
> The `enterprise-slug` input is mutually exclusive with `owner` and `repositories`. GitHub Apps can be installed on enterprise accounts with permissions that let them call enterprise management APIs. Enterprise installations do not grant access to organization or repository resources.
### `permission-<permission name>`
**Optional:** The permissions to grant to the token. By default, the token inherits all of the installation's permissions. We recommend to explicitly list the permissions that are required for a use case. This follows GitHub's own recommendation to [control permissions of `GITHUB_TOKEN` in workflows](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token). The documentation also lists all available permissions, just prefix the permission key with `permission-` (e.g., `pull-requests``permission-pull-requests`).
+2 -9
View File
@@ -17,9 +17,6 @@ inputs:
repositories:
description: "Comma or newline-separated list of repositories to install the GitHub App on (defaults to current repository if owner is unset)"
required: false
enterprise-slug:
description: "Enterprise slug for enterprise-level app installations (cannot be used with 'owner' or 'repositories')"
required: false
skip-token-revoke:
description: "If true, the token will not be revoked when the current job is complete"
required: false
@@ -40,16 +37,12 @@ inputs:
description: "The level of permission to grant the access token to create, edit, delete, and list Codespaces. Can be set to 'read' or 'write'."
permission-contents:
description: "The level of permission to grant the access token for repository contents, commits, branches, downloads, releases, and merges. Can be set to 'read' or 'write'."
permission-custom-properties-for-organizations:
description: "The level of permission to grant the access token to view and edit custom properties for an organization, when allowed by the property. Can be set to 'read' or 'write'."
permission-dependabot-secrets:
description: "The level of permission to grant the access token to manage Dependabot secrets. Can be set to 'read' or 'write'."
permission-deployments:
description: "The level of permission to grant the access token for deployments and deployment statuses. Can be set to 'read' or 'write'."
permission-email-addresses:
description: "The level of permission to grant the access token to manage the email addresses belonging to a user. Can be set to 'read' or 'write'."
permission-enterprise-custom-properties-for-organizations:
description: "The level of permission to grant the access token for organization custom properties management at the enterprise level. Can be set to 'read', 'write', or 'admin'."
permission-environments:
description: "The level of permission to grant the access token for managing repository environments. Can be set to 'read' or 'write'."
permission-followers:
@@ -75,7 +68,7 @@ inputs:
permission-organization-custom-org-roles:
description: "The level of permission to grant the access token for custom organization roles management. Can be set to 'read' or 'write'."
permission-organization-custom-properties:
description: "The level of permission to grant the access token for repository custom properties management at the organization level. Can be set to 'read', 'write', or 'admin'."
description: "The level of permission to grant the access token for custom property management. Can be set to 'read', 'write', or 'admin'."
permission-organization-custom-roles:
description: "The level of permission to grant the access token for custom repository roles management. Can be set to 'read' or 'write'."
permission-organization-events:
@@ -139,6 +132,6 @@ outputs:
app-slug:
description: "GitHub App slug"
runs:
using: "node20"
using: "node24"
main: "dist/main.cjs"
post: "dist/post.cjs"
+11500 -37310
View File
File diff suppressed because one or more lines are too long
+11115 -37047
View File
File diff suppressed because one or more lines are too long
+42 -103
View File
@@ -4,7 +4,6 @@ import pRetry from "p-retry";
/**
* @param {string} appId
* @param {string} privateKey
* @param {string} enterpriseSlug
* @param {string} owner
* @param {string[]} repositories
* @param {undefined | Record<string, string>} permissions
@@ -16,70 +15,58 @@ import pRetry from "p-retry";
export async function main(
appId,
privateKey,
enterpriseSlug,
owner,
repositories,
permissions,
core,
createAppAuth,
request,
skipTokenRevoke,
skipTokenRevoke
) {
// Validate mutual exclusivity of enterprise-slug with owner/repositories
if (enterpriseSlug && (owner || repositories.length > 0)) {
throw new Error("Cannot use 'enterprise-slug' input with 'owner' or 'repositories' inputs");
}
let parsedOwner = "";
let parsedRepositoryNames = [];
// Skip owner/repository parsing if enterprise-slug is set
if (!enterpriseSlug) {
// If neither owner nor repositories are set, default to current repository
if (!owner && repositories.length === 0) {
const [owner, repo] = String(process.env.GITHUB_REPOSITORY).split("/");
parsedOwner = owner;
parsedRepositoryNames = [repo];
// If neither owner nor repositories are set, default to current repository
if (!owner && repositories.length === 0) {
const [owner, repo] = String(process.env.GITHUB_REPOSITORY).split("/");
parsedOwner = owner;
parsedRepositoryNames = [repo];
core.info(
`Inputs 'owner' and 'repositories' are not set. Creating token for this repository (${owner}/${repo}).`
);
}
core.info(
`Inputs 'owner' and 'repositories' are not set. Creating token for this repository (${owner}/${repo}).`
);
}
// If only an owner is set, default to all repositories from that owner
if (owner && repositories.length === 0) {
parsedOwner = owner;
// If only an owner is set, default to all repositories from that owner
if (owner && repositories.length === 0) {
parsedOwner = owner;
core.info(
`Input 'repositories' is not set. Creating token for all repositories owned by ${owner}.`
);
}
core.info(
`Input 'repositories' is not set. Creating token for all repositories owned by ${owner}.`
);
}
// If repositories are set, but no owner, default to `GITHUB_REPOSITORY_OWNER`
if (!owner && repositories.length > 0) {
parsedOwner = String(process.env.GITHUB_REPOSITORY_OWNER);
parsedRepositoryNames = repositories;
// If repositories are set, but no owner, default to `GITHUB_REPOSITORY_OWNER`
if (!owner && repositories.length > 0) {
parsedOwner = String(process.env.GITHUB_REPOSITORY_OWNER);
parsedRepositoryNames = repositories;
core.info(
`No 'owner' input provided. Using default owner '${parsedOwner}' to create token for the following repositories:${repositories
.map((repo) => `\n- ${parsedOwner}/${repo}`)
.join("")}`
);
}
core.info(
`No 'owner' input provided. Using default owner '${parsedOwner}' to create token for the following repositories:${repositories
.map((repo) => `\n- ${parsedOwner}/${repo}`)
.join("")}`
);
}
// If both owner and repositories are set, use those values
if (owner && repositories.length > 0) {
parsedOwner = owner;
parsedRepositoryNames = repositories;
// If both owner and repositories are set, use those values
if (owner && repositories.length > 0) {
parsedOwner = owner;
parsedRepositoryNames = repositories;
core.info(
`Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
core.info(
`Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
${repositories.map((repo) => `\n- ${parsedOwner}/${repo}`).join("")}`
);
}
} else {
core.info(`Creating enterprise installation token for enterprise "${enterpriseSlug}".`);
);
}
const auth = createAppAuth({
@@ -89,22 +76,9 @@ export async function main(
});
let authentication, installationId, appSlug;
// If enterprise-slug is set, get installation ID from the enterprise
if (enterpriseSlug) {
({ authentication, installationId, appSlug } = await pRetry(
() => getTokenFromEnterprise(request, auth, enterpriseSlug, permissions),
{
shouldRetry: (error) => error.status >= 500,
onFailedAttempt: (error) => {
core.info(
`Failed to create token for enterprise "${enterpriseSlug}" (attempt ${error.attemptNumber}): ${error.message}`
);
},
retries: 3,
}
));
} else if (parsedRepositoryNames.length > 0) {
// If at least one repository is set, get installation ID from that repository
if (parsedRepositoryNames.length > 0) {
({ authentication, installationId, appSlug } = await pRetry(
() =>
getTokenFromRepository(
@@ -115,12 +89,12 @@ export async function main(
permissions
),
{
shouldRetry: ({ error }) => error.status >= 500,
onFailedAttempt: (context) => {
shouldRetry: (error) => error.status >= 500,
onFailedAttempt: (error) => {
core.info(
`Failed to create token for "${parsedRepositoryNames.join(
","
)}" (attempt ${context.attemptNumber}): ${context.error.message}`
)}" (attempt ${error.attemptNumber}): ${error.message}`
);
},
retries: 3,
@@ -131,9 +105,9 @@ export async function main(
({ authentication, installationId, appSlug } = await pRetry(
() => getTokenFromOwner(request, auth, parsedOwner, permissions),
{
onFailedAttempt: (context) => {
onFailedAttempt: (error) => {
core.info(
`Failed to create token for "${parsedOwner}" (attempt ${context.attemptNumber}): ${context.error.message}`
`Failed to create token for "${parsedOwner}" (attempt ${error.attemptNumber}): ${error.message}`
);
},
retries: 3,
@@ -207,38 +181,3 @@ async function getTokenFromRepository(
return { authentication, installationId, appSlug };
}
async function getTokenFromEnterprise(request, auth, enterpriseSlug, permissions) {
// Get all installations and find the enterprise one
// https://docs.github.com/rest/apps/apps#list-installations-for-the-authenticated-app
// Note: Currently we do not have a way to get the installation for an enterprise directly,
// so as a workaround we need to list all installations and filter for the enterprise one.
const response = await request("GET /app/installations", {
request: {
hook: auth.hook,
},
});
// Find the enterprise installation
const enterpriseInstallation = response.data.find(
installation => installation.target_type === "Enterprise" &&
installation.account?.slug === enterpriseSlug
);
/* c8 ignore next 3 */
if (!enterpriseInstallation) {
throw new Error(`No enterprise installation found matching the name ${enterpriseSlug}. Available installations: ${response.data.map(i => `${i.target_type}:${i.account?.login || 'N/A'}`).join(', ')}`);
}
// Get token for the enterprise installation
const authentication = await auth({
type: "installation",
installationId: enterpriseInstallation.id,
permissions,
});
const installationId = enterpriseInstallation.id;
const appSlug = enterpriseInstallation["app_slug"];
return { authentication, installationId, appSlug };
}
+24 -29
View File
@@ -1,41 +1,36 @@
import * as core from "@actions/core";
import core from "@actions/core";
import { request } from "@octokit/request";
import { ProxyAgent, fetch as undiciFetch } from "undici";
// Get the GitHub API URL from the action input and remove any trailing slash
const baseUrl = core.getInput("github-api-url").replace(/\/$/, "");
// https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners
const proxyUrl =
process.env.https_proxy ||
process.env.HTTPS_PROXY ||
process.env.http_proxy ||
process.env.HTTP_PROXY;
const proxyEnvironmentKeys = [
"https_proxy",
"HTTPS_PROXY",
"http_proxy",
"HTTP_PROXY",
];
/* c8 ignore start */
// Native support for proxies in Undici is under consideration: https://github.com/nodejs/undici/issues/1650
// Until then, we need to use a custom fetch function to add proxy support.
const proxyFetch = (url, options) => {
const urlHost = new URL(url).hostname;
const noProxy = (process.env.no_proxy || process.env.NO_PROXY || "").split(
",",
);
function proxyEnvironmentConfigured() {
return proxyEnvironmentKeys.some((key) => process.env[key]);
}
if (!noProxy.includes(urlHost)) {
options = {
...options,
dispatcher: new ProxyAgent(String(proxyUrl)),
};
function nativeProxySupportEnabled() {
return process.env.NODE_USE_ENV_PROXY === "1";
}
export function ensureNativeProxySupport() {
if (!proxyEnvironmentConfigured() || nativeProxySupportEnabled()) {
return;
}
return undiciFetch(url, options);
};
/* c8 ignore stop */
throw new Error(
"A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.",
);
}
// Configure the default settings for GitHub API requests
export default request.defaults({
headers: {
"user-agent": "actions/create-github-app-token",
},
headers: { "user-agent": "actions/create-github-app-token" },
baseUrl,
/* c8 ignore next */
request: proxyUrl ? { fetch: proxyFetch } : {},
});
+31 -30
View File
@@ -1,11 +1,11 @@
// @ts-check
import * as core from "@actions/core";
import core from "@actions/core";
import { createAppAuth } from "@octokit/auth-app";
import { getPermissionsFromInputs } from "./lib/get-permissions-from-inputs.js";
import { main } from "./lib/main.js";
import request from "./lib/request.js";
import request, { ensureNativeProxySupport } from "./lib/request.js";
if (!process.env.GITHUB_REPOSITORY) {
throw new Error("GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'");
@@ -15,37 +15,38 @@ if (!process.env.GITHUB_REPOSITORY_OWNER) {
throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
}
const appId = core.getInput("app-id");
const privateKey = core.getInput("private-key");
const enterpriseSlug = core.getInput("enterprise-slug");
const owner = core.getInput("owner");
const repositories = core
.getInput("repositories")
.split(/[\n,]+/)
.map((s) => s.trim())
.filter((x) => x !== "");
async function run() {
ensureNativeProxySupport();
const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
const appId = core.getInput("app-id");
const privateKey = core.getInput("private-key");
const owner = core.getInput("owner");
const repositories = core
.getInput("repositories")
.split(/[\n,]+/)
.map((s) => s.trim())
.filter((x) => x !== "");
const permissions = getPermissionsFromInputs(process.env);
const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
const permissions = getPermissionsFromInputs(process.env);
return main(
appId,
privateKey,
owner,
repositories,
permissions,
core,
createAppAuth,
request,
skipTokenRevoke,
);
}
// Export promise for testing
export default main(
appId,
privateKey,
enterpriseSlug,
owner,
repositories,
permissions,
core,
createAppAuth,
request,
skipTokenRevoke,
).catch((error) => {
/* c8 ignore next 5 */
export default run().catch((error) => {
/* c8 ignore next 3 */
console.error(error);
// Don't set failed in test mode (when GITHUB_OUTPUT is undefined)
if (process.env.GITHUB_OUTPUT !== undefined) {
core.setFailed(error.message);
}
core.setFailed(error.message);
});
+804 -560
View File
File diff suppressed because it is too large Load Diff
+14 -16
View File
@@ -2,36 +2,35 @@
"name": "create-github-app-token",
"private": true,
"type": "module",
"version": "2.2.2",
"version": "3.0.0-beta.3",
"description": "GitHub Action for creating a GitHub App Installation Access Token",
"engines": {
"node": ">=20"
"node": ">=24.4.0"
},
"packageManager": "npm@10.9.4",
"scripts": {
"build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0 --packages=bundle",
"build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --packages=bundle",
"test": "c8 --100 ava tests/index.js",
"coverage": "c8 report --reporter html",
"postcoverage": "open-cli coverage/index.html"
},
"license": "MIT",
"dependencies": {
"@actions/core": "^3.0.0",
"@octokit/auth-app": "^8.2.0",
"@octokit/request": "^10.0.8",
"p-retry": "^7.1.1",
"undici": "^7.24.1"
"@actions/core": "^1.11.1",
"@octokit/auth-app": "^7.2.1",
"@octokit/request": "^9.2.2",
"p-retry": "^6.2.1"
},
"devDependencies": {
"@octokit/openapi": "^21.0.0",
"@sinonjs/fake-timers": "^15.1.0",
"@octokit/openapi": "^19.1.0",
"@sinonjs/fake-timers": "^14.0.0",
"ava": "^6.4.1",
"c8": "^10.1.3",
"dotenv": "^17.3.1",
"esbuild": "^0.27.3",
"execa": "^9.6.1",
"dotenv": "^17.2.1",
"esbuild": "^0.25.8",
"execa": "^9.6.0",
"open-cli": "^8.0.0",
"yaml": "^2.8.2"
"undici": "^7.13.0",
"yaml": "^2.8.1"
},
"release": {
"branches": [
@@ -47,7 +46,6 @@
"@semantic-release/release-notes-generator",
"@semantic-release/github",
"@semantic-release/npm",
"semantic-release-plugin-github-breaking-version-tag",
[
"@semantic-release/git",
{
+9 -3
View File
@@ -1,11 +1,17 @@
// @ts-check
import * as core from "@actions/core";
import core from "@actions/core";
import { post } from "./lib/post.js";
import request from "./lib/request.js";
import request, { ensureNativeProxySupport } from "./lib/request.js";
post(core, request).catch((error) => {
async function run() {
ensureNativeProxySupport();
return post(core, request);
}
run().catch((error) => {
/* c8 ignore next 3 */
console.error(error);
core.setFailed(error.message);
+1 -18
View File
@@ -187,14 +187,6 @@
"write"
]
},
"custom_properties_for_organizations": {
"type": "string",
"description": "The level of permission to grant the access token to view and edit custom properties for an organization, when allowed by the property.",
"enum": [
"read",
"write"
]
},
"members": {
"type": "string",
"description": "The level of permission to grant the access token for organization teams and members.",
@@ -229,7 +221,7 @@
},
"organization_custom_properties": {
"type": "string",
"description": "The level of permission to grant the access token for repository custom properties management at the organization level.",
"description": "The level of permission to grant the access token for custom property management.",
"enum": [
"read",
"write",
@@ -392,15 +384,6 @@
"read",
"write"
]
},
"enterprise_custom_properties_for_organizations": {
"type": "string",
"description": "The level of permission to grant the access token for organization custom properties management at the enterprise level.",
"enum": [
"read",
"write",
"admin"
]
}
},
"example": {
+8
View File
@@ -21,6 +21,14 @@ for (const file of testFiles) {
const env = {
GITHUB_OUTPUT: undefined,
GITHUB_STATE: undefined,
HTTP_PROXY: undefined,
HTTPS_PROXY: undefined,
http_proxy: undefined,
https_proxy: undefined,
NO_PROXY: undefined,
no_proxy: undefined,
NODE_OPTIONS: undefined,
NODE_USE_ENV_PROXY: undefined,
};
const { stderr, stdout } = await execa("node", [`tests/${file}`], { env });
t.snapshot(stderr, "stderr");
@@ -1,40 +0,0 @@
import { test } from "./main.js";
// Verify `main` handles when no enterprise installation is found.
await test((mockPool) => {
delete process.env.INPUT_OWNER;
delete process.env.INPUT_REPOSITORIES;
process.env["INPUT_ENTERPRISE-SLUG"] = "test-enterprise";
// Mock the /app/installations endpoint to return only non-enterprise installations
mockPool
.intercept({
path: "/app/installations",
method: "GET",
headers: {
accept: "application/vnd.github.v3+json",
"user-agent": "actions/create-github-app-token",
// Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
},
})
.reply(
200,
[
{
id: "111111",
app_slug: "github-actions",
target_type: "Organization",
account: { login: "some-org" }
},
{
id: "222222",
app_slug: "github-actions",
target_type: "User",
account: { login: "some-user" }
}
],
{ headers: { "content-type": "application/json" } }
);
});
@@ -1,16 +0,0 @@
import { DEFAULT_ENV } from "./main.js";
// Verify `main` exits with an error when `enterprise-slug` is used with both `owner` and `repositories` inputs.
try {
// Set up environment with enterprise-slug, owner, and repositories all set
for (const [key, value] of Object.entries(DEFAULT_ENV)) {
process.env[key] = value;
}
process.env["INPUT_ENTERPRISE-SLUG"] = "test-enterprise";
process.env.INPUT_OWNER = "test-owner";
process.env.INPUT_REPOSITORIES = "repo1,repo2";
await import("../main.js");
} catch (error) {
console.error(error.message);
}
@@ -1,15 +0,0 @@
import { DEFAULT_ENV } from "./main.js";
// Verify `main` exits with an error when `enterprise-slug` is used with `owner` input.
try {
// Set up environment with enterprise-slug and owner set
for (const [key, value] of Object.entries(DEFAULT_ENV)) {
process.env[key] = value;
}
process.env["INPUT_ENTERPRISE-SLUG"] = "test-enterprise";
process.env.INPUT_OWNER = "test-owner";
await import("../main.js");
} catch (error) {
console.error(error.message);
}
@@ -1,15 +0,0 @@
import { DEFAULT_ENV } from "./main.js";
// Verify `main` exits with an error when `enterprise-slug` is used with `repositories` input.
try {
// Set up environment with enterprise-slug and repositories set
for (const [key, value] of Object.entries(DEFAULT_ENV)) {
process.env[key] = value;
}
process.env["INPUT_ENTERPRISE-SLUG"] = "test-enterprise";
process.env.INPUT_REPOSITORIES = "repo1,repo2";
await import("../main.js");
} catch (error) {
console.error(error.message);
}
@@ -1,34 +0,0 @@
import { test } from "./main.js";
// Verify `main` successfully obtains a token when only the `enterprise-slug` input is set.
await test((mockPool) => {
process.env["INPUT_ENTERPRISE-SLUG"] = "test-enterprise";
delete process.env.INPUT_OWNER;
delete process.env.INPUT_REPOSITORIES;
// Mock the /app/installations endpoint to return an enterprise installation
const mockInstallationId = "123456";
const mockAppSlug = "github-actions";
mockPool
.intercept({
path: "/app/installations",
method: "GET",
headers: {
accept: "application/vnd.github.v3+json",
"user-agent": "actions/create-github-app-token",
// Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
},
})
.reply(
200,
[
{
id: mockInstallationId,
app_slug: mockAppSlug,
target_type: "Enterprise",
account: { login: "test-enterprise", slug: "test-enterprise" }
}
],
{ headers: { "content-type": "application/json" } }
);
});
@@ -1,34 +0,0 @@
import { test } from "./main.js";
// Verify `main` successfully generates enterprise token with basic functionality.
await test((mockPool) => {
process.env["INPUT_ENTERPRISE-SLUG"] = "test-enterprise";
delete process.env.INPUT_OWNER;
delete process.env.INPUT_REPOSITORIES;
// Mock the /app/installations endpoint to return an enterprise installation
const mockInstallationId = "123456";
const mockAppSlug = "github-actions";
mockPool
.intercept({
path: "/app/installations",
method: "GET",
headers: {
accept: "application/vnd.github.v3+json",
"user-agent": "actions/create-github-app-token",
// Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
},
})
.reply(
200,
[
{
id: mockInstallationId,
app_slug: mockAppSlug,
target_type: "Enterprise",
account: { login: "test-enterprise", slug: "test-enterprise" }
}
],
{ headers: { "content-type": "application/json" } }
);
});
@@ -1,36 +0,0 @@
import { test } from "./main.js";
// Verify `main` successfully generates enterprise token with specific permissions.
await test((mockPool) => {
process.env["INPUT_ENTERPRISE-SLUG"] = "test-enterprise";
delete process.env.INPUT_OWNER;
delete process.env.INPUT_REPOSITORIES;
process.env["INPUT_PERMISSION-ENTERPRISE-ORGANIZATIONS"] = "read";
process.env["INPUT_PERMISSION-ENTERPRISE-PEOPLE"] = "write";
// Mock the /app/installations endpoint to return an enterprise installation
const mockInstallationId = "123456";
const mockAppSlug = "github-actions";
mockPool
.intercept({
path: "/app/installations",
method: "GET",
headers: {
accept: "application/vnd.github.v3+json",
"user-agent": "actions/create-github-app-token",
// Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
},
})
.reply(
200,
[
{
id: mockInstallationId,
app_slug: mockAppSlug,
target_type: "Enterprise",
account: { login: "test-enterprise", slug: "test-enterprise" }
}
],
{ headers: { "content-type": "application/json" } }
);
});
@@ -0,0 +1,14 @@
process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
process.env.GITHUB_REPOSITORY_OWNER = "actions";
process.env.HTTPS_PROXY = "http://127.0.0.1:3128";
const originalConsoleError = console.error;
console.error = (...args) => {
originalConsoleError(
...args.map((arg) => (arg instanceof Error ? arg.message : arg)),
);
};
await import("../main.js");
await new Promise((resolve) => setImmediate(resolve));
process.exitCode = 0;
@@ -0,0 +1,13 @@
process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
process.env.HTTPS_PROXY = "http://127.0.0.1:3128";
const originalConsoleError = console.error;
console.error = (...args) => {
originalConsoleError(
...args.map((arg) => (arg instanceof Error ? arg.message : arg)),
);
};
await import("../post.js");
await new Promise((resolve) => setImmediate(resolve));
process.exitCode = 0;
+20 -133
View File
@@ -39,139 +39,6 @@ Generated by [AVA](https://avajs.dev).
POST /api/v3/app/installations/123456/access_tokens␊
{"repositories":["create-github-app-token"]}`
## main-enterprise-installation-not-found.test.js
> stderr
`Error: No enterprise installation found matching the name test-enterprise. Available installations: Organization:some-org, User:some-user␊
at getTokenFromEnterprise (file:///Users/parkerbxyz/.copilot/worktrees/create-github-app-token/pr-263/lib/main.js:230:11)␊
at process.processTicksAndRejections (node:internal/process/task_queues:104:5)␊
at async pRetry (file:///Users/parkerbxyz/.copilot/worktrees/create-github-app-token/pr-263/node_modules/p-retry/index.js:197:19)␊
at async main (file:///Users/parkerbxyz/.copilot/worktrees/create-github-app-token/pr-263/lib/main.js:95:52)␊
at async test (file:///Users/parkerbxyz/.copilot/worktrees/create-github-app-token/pr-263/tests/main.js:111:3)␊
at async file:///Users/parkerbxyz/.copilot/worktrees/create-github-app-token/pr-263/tests/main-enterprise-installation-not-found.test.js:5:1`
> stdout
`Creating enterprise installation token for enterprise "test-enterprise".␊
Failed to create token for enterprise "test-enterprise" (attempt 1): undefined␊
--- REQUESTS ---␊
GET /app/installations`
## main-enterprise-mutual-exclusivity-both.test.js
> stderr
`Error: Cannot use 'enterprise-slug' input with 'owner' or 'repositories' inputs␊
at main (file:///Users/parkerbxyz/.copilot/worktrees/create-github-app-token/pr-263/lib/main.js:31:11)␊
at file:///Users/parkerbxyz/.copilot/worktrees/create-github-app-token/pr-263/main.js:33:16␊
at ModuleJob.run (node:internal/modules/esm/module_job:430:25)␊
at async onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:639:26)␊
at async file:///Users/parkerbxyz/.copilot/worktrees/create-github-app-token/pr-263/tests/main-enterprise-mutual-exclusivity-both.test.js:13:3`
> stdout
''
## main-enterprise-mutual-exclusivity-owner.test.js
> stderr
`Error: Cannot use 'enterprise-slug' input with 'owner' or 'repositories' inputs␊
at main (file:///Users/parkerbxyz/.copilot/worktrees/create-github-app-token/pr-263/lib/main.js:31:11)␊
at file:///Users/parkerbxyz/.copilot/worktrees/create-github-app-token/pr-263/main.js:33:16␊
at ModuleJob.run (node:internal/modules/esm/module_job:430:25)␊
at async onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:639:26)␊
at async file:///Users/parkerbxyz/.copilot/worktrees/create-github-app-token/pr-263/tests/main-enterprise-mutual-exclusivity-owner.test.js:12:3`
> stdout
''
## main-enterprise-mutual-exclusivity-repositories.test.js
> stderr
`Error: Cannot use 'enterprise-slug' input with 'owner' or 'repositories' inputs␊
at main (file:///Users/parkerbxyz/.copilot/worktrees/create-github-app-token/pr-263/lib/main.js:31:11)␊
at file:///Users/parkerbxyz/.copilot/worktrees/create-github-app-token/pr-263/main.js:33:16␊
at ModuleJob.run (node:internal/modules/esm/module_job:430:25)␊
at async onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:639:26)␊
at async file:///Users/parkerbxyz/.copilot/worktrees/create-github-app-token/pr-263/tests/main-enterprise-mutual-exclusivity-repositories.test.js:12:3`
> stdout
''
## main-enterprise-only-success.test.js
> stderr
''
> stdout
`Creating enterprise installation token for enterprise "test-enterprise".␊
::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
::set-output name=installation-id::123456␊
::set-output name=app-slug::github-actions␊
::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
::save-state name=expiresAt::2016-07-11T22:14:10Z␊
--- REQUESTS ---␊
GET /app/installations␊
POST /app/installations/123456/access_tokens␊
null`
## main-enterprise-token-success.test.js
> stderr
''
> stdout
`Creating enterprise installation token for enterprise "test-enterprise".␊
::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
::set-output name=installation-id::123456␊
::set-output name=app-slug::github-actions␊
::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
::save-state name=expiresAt::2016-07-11T22:14:10Z␊
--- REQUESTS ---␊
GET /app/installations␊
POST /app/installations/123456/access_tokens␊
null`
## main-enterprise-token-with-permissions.test.js
> stderr
''
> stdout
`Creating enterprise installation token for enterprise "test-enterprise".␊
::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
::set-output name=installation-id::123456␊
::set-output name=app-slug::github-actions␊
::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
::save-state name=expiresAt::2016-07-11T22:14:10Z␊
--- REQUESTS ---␊
GET /app/installations␊
POST /app/installations/123456/access_tokens␊
{"permissions":{"enterprise_organizations":"read","enterprise_people":"write"}}`
## main-missing-owner.test.js
> stderr
@@ -215,6 +82,16 @@ Generated by [AVA](https://avajs.dev).
POST /app/installations/123456/access_tokens␊
{"repositories":["create-github-app-token"]}`
## main-proxy-requires-native-support.test.js
> stderr
'A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.'
> stdout
'::error::A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.'
## main-repo-skew.test.js
> stderr
@@ -466,6 +343,16 @@ Generated by [AVA](https://avajs.dev).
POST /app/installations/123456/access_tokens␊
{"repositories":["create-github-app-token"],"permissions":{"issues":"write","pull_requests":"read"}}`
## post-proxy-requires-native-support.test.js
> stderr
'A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.'
> stdout
'::error::A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.'
## post-revoke-token-fail-response.test.js
> stderr
Binary file not shown.