chore: remove upstream CI workflows (mirror inertization per internal#233)

Bumps the development-dependencies group with 1 update:
[yaml](https://github.com/eemeli/yaml).

Updates `yaml` from 2.8.3 to 2.8.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/eemeli/yaml/releases">yaml's
releases</a>.</em></p>
<blockquote>
<h2>v2.8.4</h2>
<ul>
<li>Disable alias resolution with <code>maxAliasCount:0</code> (<a
href="https://redirect.github.com/eemeli/yaml/issues/677">#677</a>)</li>
<li>Handle invalid unicode escapes (e1a1a77)</li>
<li>Apply <code>minFractionDigits</code> only to decimal strings (<a
href="https://redirect.github.com/eemeli/yaml/issues/676">#676</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/eemeli/yaml/commit/ccdf7439587544f64223429498a1d9ec514eaac1"><code>ccdf743</code></a>
2.8.4</li>
<li><a
href="https://github.com/eemeli/yaml/commit/f625789dbd971c936ff66fe5c49e368062ae7b41"><code>f625789</code></a>
fix: Disable alias resolution with maxAliasCount:0 (<a
href="https://redirect.github.com/eemeli/yaml/issues/677">#677</a>)</li>
<li><a
href="https://github.com/eemeli/yaml/commit/e1a1a7735ff2e9717b87af36795bcd280f85f55d"><code>e1a1a77</code></a>
fix: Handle invalid unicode escapes</li>
<li><a
href="https://github.com/eemeli/yaml/commit/a163ea009c57ab9f1054ca39b24b6ef4c1e9fdbe"><code>a163ea0</code></a>
style: Satify Prettier</li>
<li><a
href="https://github.com/eemeli/yaml/commit/b2a5a6c615673056917aaa04d657802945e81425"><code>b2a5a6c</code></a>
fix: Apply minFractionDigits only to decimal strings (<a
href="https://redirect.github.com/eemeli/yaml/issues/676">#676</a>)</li>
<li><a
href="https://github.com/eemeli/yaml/commit/93c951b3478b4bb061d7b5227fd64f46d3f9df7f"><code>93c951b</code></a>
chore: Bump JSR version to v2.8.3 (<a
href="https://redirect.github.com/eemeli/yaml/issues/673">#673</a>)</li>
<li><a
href="https://github.com/eemeli/yaml/commit/0f226a3f9dfe31dca0b165e0601d233d9a642527"><code>0f226a3</code></a>
docs: Add trailingComma ToString option</li>
<li>See full diff in <a
href="https://github.com/eemeli/yaml/compare/v2.8.3...v2.8.4">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=yaml&package-manager=npm_and_yarn&previous-version=2.8.3&new-version=2.8.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/release.yml

@@ -1,40 +0,0 @@
-name: release
-
-on:
-  push:
-    branches:
-      - "*.x"
-      - main
-      - beta
-
-permissions:
-  contents: write
-  issues: write
-  pull-requests: write
-
-jobs:
-  release:
-    name: release
-    runs-on: ubuntu-latest
-    steps:
-      # build local version to create token
-      - uses: actions/checkout@v6
-        with:
-          persist-credentials: false
-
-      - uses: actions/setup-node@v6
-        with:
-          node-version-file: package.json
-
-      - run: npm ci
-      - run: npm run build
-      - uses: ./
-        id: app-token
-        with:
-          app-id: ${{ vars.RELEASER_APP_ID }}
-          private-key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
-      # install release dependencies and release
-      - run: npm install --no-save @semantic-release/git semantic-release-plugin-github-breaking-version-tag
-      - run: npx semantic-release --debug
-        env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/stale.yml

@@ -1,34 +0,0 @@
-# This workflow warns and then closes issues that have had no activity for a specified amount of time.
-# https://github.com/actions/stale
-
-name: Stale
-
-on:
-  workflow_dispatch:
-  schedule:
-    # 00:00 UTC on Mondays
-    - cron: '0 0 * * 1'
-
-permissions:
-  issues: write
-  pull-requests: write
-
-env:
-  DAYS_BEFORE_STALE: 180
-  DAYS_BEFORE_CLOSE: 60
-  STALE_LABEL: 'stale'
-  STALE_LABEL_URL: ${{github.server_url}}/${{github.repository}}/labels/stale
-
-jobs:
-  stale:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/stale@v10
-        with:
-          operations-per-run: 100
-          days-before-stale: ${{ env.DAYS_BEFORE_STALE }}
-          days-before-close: ${{ env.DAYS_BEFORE_CLOSE }}
-          stale-issue-label: ${{ env.STALE_LABEL }}
-          stale-pr-label: ${{ env.STALE_LABEL }}
-          stale-issue-message: 'This issue has been marked ${{ env.STALE_LABEL_URL }} because it has been open for ${{ env.DAYS_BEFORE_STALE }} days with no activity. Please close this issue if it is no longer needed. If this issue is still relevant and you would like it to remain open, simply update it within the next ${{ env.DAYS_BEFORE_CLOSE }} days.'
-          stale-pr-message: 'This pull request has been marked ${{ env.STALE_LABEL_URL }} because it has been open for ${{ env.DAYS_BEFORE_STALE }} days with no activity. Please close this pull request if it is no longer needed. If this pull request is still relevant and you would like it to remain open, simply update it within the next ${{ env.DAYS_BEFORE_CLOSE }} days.'

.github/workflows/test.yml

@@ -1,81 +0,0 @@
-name: test
-
-on:
-  push:
-    branches:
-      - main
-      - beta
-  pull_request:
-  merge_group:
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions:
-  contents: read
-
-jobs:
-  integration:
-    name: integration
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-
-      - uses: actions/setup-node@v6
-        with:
-          node-version-file: package.json
-
-      - run: npm ci
-      - run: npm test
-
-  end-to-end:
-    name: end-to-end
-    runs-on: ubuntu-latest
-    # do not run from forks, as forks don’t have access to repository secrets
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
-        with:
-          node-version-file: package.json
-      - run: npm ci
-      - run: npm run build
-      - uses: ./ # Uses the action in the root directory
-        id: test
-        with:
-          app-id: ${{ vars.TEST_APP_ID }}
-          private-key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
-      - uses: octokit/request-action@v2.x
-        id: get-repository
-        env:
-          GITHUB_TOKEN: ${{ steps.test.outputs.token }}
-        with:
-          route: GET /installation/repositories
-      - run: echo '${{ steps.get-repository.outputs.data }}'
-
-  end-to-end-proxy:
-    name: end-to-end with unreachable proxy
-    runs-on: ubuntu-latest
-    # do not run from forks, as forks don’t have access to repository secrets
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
-        with:
-          node-version-file: package.json
-          cache: 'npm'
-      - run: npm ci
-      - run: npm run build
-      - uses: ./ # Uses the action in the root directory
-        continue-on-error: true
-        id: test
-        env:
-          NODE_USE_ENV_PROXY: "1"
-          https_proxy: http://127.0.0.1:9
-        with:
-          app-id: ${{ vars.TEST_APP_ID }}
-          private-key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
-      - name: Assert action failed through unreachable proxy
-        run: test "${{ steps.test.outcome }}" = "failure"

.github/workflows/update-permission-inputs.yml

@@ -1,42 +0,0 @@
-name: Update Permission Inputs
-
-on:
-  pull_request:
-    paths:
-      - 'package.json'
-      - 'package-lock.json'
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  update-permission-inputs:
-    runs-on: ubuntu-latest
-    env:
-      COMMIT_MESSAGE: 'feat: update permission inputs'
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
-        with:
-          node-version-file: package.json
-      - name: Install dependencies
-        run: npm ci
-      - name: Run permission inputs update script
-        run: node scripts/update-permission-inputs.js
-      - name: Commit changes
-        id: auto-commit
-        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
-        with:
-          commit_message: ${{ env.COMMIT_MESSAGE }}
-      - name: Update PR title
-        if: github.event_name == 'pull_request' && steps.auto-commit.outputs.changes_detected == 'true'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          gh pr edit ${{ github.event.pull_request.number }} --title "${{ env.COMMIT_MESSAGE }}"

.gitignore

@@ -1,3 +1,4 @@
 .env
 coverage
 node_modules/
+.DS_Store

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "3.1.1"
+}

README.md

@@ -195,10 +195,32 @@ jobs:
           body: "Hello, World!"
 ```
 
+### Create a token for an enterprise installation
+
+```yaml
+on: [workflow_dispatch]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          enterprise: my-enterprise-slug
+      - name: Call enterprise management REST API with gh
+        run: |
+          gh api /enterprises/my-enterprise-slug/apps/installable_organizations
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+```
+
 ### Create a token with specific permissions
 
 > [!NOTE]
-> Selected permissions must be granted to the installation of the specified app and repository owner. Setting a permission that the installation does not have will result in an error.
+> Selected permissions must be granted to the specified app installation. Setting a permission that the installation does not have will result in an error.
 
 ```yaml
 on: [issues]
@@ -356,6 +378,13 @@ steps:
 > [!NOTE]
 > If `owner` is set and `repositories` is empty, access will be scoped to all repositories in the provided repository owner's installation. If `owner` and `repositories` are empty, access will be scoped to only the current repository.
 
+### `enterprise`
+
+**Optional:** The slug of the enterprise account to generate a token for an enterprise installation.
+
+> [!NOTE]
+> The `enterprise` input is mutually exclusive with `owner` and `repositories`. Use it when the GitHub App is installed on an enterprise account. Enterprise installation tokens can call enterprise APIs, but do not grant organization or repository access.
+
 ### `permission-<permission name>`
 
 **Optional:** The permissions to grant to the token. By default, the token inherits all of the installation's permissions. We recommend to explicitly list the permissions that are required for a use case. This follows GitHub's own recommendation to [control permissions of `GITHUB_TOKEN` in workflows](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token). The documentation also lists all available permissions, just prefix the permission key with `permission-` (e.g., `pull-requests` → `permission-pull-requests`).
@@ -386,13 +415,14 @@ GitHub App slug.
 
 ## How it works
 
-The action creates an installation access token using [the `POST /app/installations/{installation_id}/access_tokens` endpoint](https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app). By default,
+The action creates an installation access token using [the `POST /app/installations/{installation_id}/access_tokens` endpoint](https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app).
 
-1. The token is scoped to the current repository or `repositories` if set.
-2. The token inherits all the installation's permissions.
-3. The token is set as output `token` which can be used in subsequent steps.
-4. Unless the `skip-token-revoke` input is set to true, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
-5. The token is masked, it cannot be logged accidentally.
+The token target depends on the inputs: `enterprise` creates a token for an enterprise installation, `owner` without `repositories` creates a token for all repositories in the owner's installation, `repositories` scopes the token to those repositories, and no target inputs scopes the token to the current repository.
+
+1. The token inherits all the installation's permissions.
+2. The token is set as output `token` which can be used in subsequent steps.
+3. Unless the `skip-token-revoke` input is set to true, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
+4. The token is masked, it cannot be logged accidentally.
 
 > [!NOTE]
 > Installation permissions can differ from the app's permissions they belong to. Installation permissions are set when an app is installed on an account. When the app adds more permissions after the installation, an account administrator will have to approve the new permissions before they are set on the installation.

action.yml

@@ -21,6 +21,9 @@ inputs:
   repositories:
     description: "Comma or newline-separated list of repositories to install the GitHub App on (defaults to current repository if owner is unset)"
     required: false
+  enterprise:
+    description: "The slug of the enterprise account where the GitHub App is installed (cannot be used with 'owner' or 'repositories')"
+    required: false
   skip-token-revoke:
     description: "If true, the token will not be revoked when the current job is complete"
     required: false

dist/main.cjs

@@ -22985,7 +22985,7 @@ function isNetworkError(error2) {
     return false;
   }
   const { message, stack } = error2;
-  if (message === "Load failed") {
+  if (message === "Load failed" || message.startsWith("Load failed (") && message.endsWith(")")) {
     return stack === void 0 || "__sentry_captured__" in error2;
   }
   if (message.startsWith("error sending request for url")) {
@@ -23196,80 +23196,20 @@ async function pRetry(input, options = {}) {
 }
 
 // lib/main.js
-async function main(clientId, privateKey, owner, repositories, permissions, core, createAppAuth2, request2, skipTokenRevoke) {
-  let parsedOwner = "";
-  let parsedRepositoryNames = [];
-  if (!owner && repositories.length === 0) {
-    const [owner2, repo] = String(process.env.GITHUB_REPOSITORY).split("/");
-    parsedOwner = owner2;
-    parsedRepositoryNames = [repo];
-    core.info(
-      `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (${owner2}/${repo}).`
-    );
-  }
-  if (owner && repositories.length === 0) {
-    parsedOwner = owner;
-    core.info(
-      `Input 'repositories' is not set. Creating token for all repositories owned by ${owner}.`
-    );
-  }
-  if (!owner && repositories.length > 0) {
-    parsedOwner = String(process.env.GITHUB_REPOSITORY_OWNER);
-    parsedRepositoryNames = repositories;
-    core.info(
-      `No 'owner' input provided. Using default owner '${parsedOwner}' to create token for the following repositories:${repositories.map((repo) => `
-- ${parsedOwner}/${repo}`).join("")}`
-    );
-  }
-  if (owner && repositories.length > 0) {
-    parsedOwner = owner;
-    parsedRepositoryNames = repositories;
-    core.info(
-      `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
-      ${repositories.map((repo) => `
-- ${parsedOwner}/${repo}`).join("")}`
-    );
+async function main(clientId, privateKey, enterprise, owner, repositories, permissions, core, createAppAuth2, request2, skipTokenRevoke) {
+  if (enterprise && (owner || repositories.length > 0)) {
+    throw new Error("Cannot use 'enterprise' input with 'owner' or 'repositories' inputs");
   }
+  const target = resolveInstallationTarget(enterprise, owner, repositories, core);
   const auth5 = createAppAuth2({
     appId: clientId,
     privateKey,
     request: request2
   });
-  let authentication, installationId, appSlug;
-  if (parsedRepositoryNames.length > 0) {
-    ({ authentication, installationId, appSlug } = await pRetry(
-      () => getTokenFromRepository(
-        request2,
-        auth5,
-        parsedOwner,
-        parsedRepositoryNames,
-        permissions
-      ),
-      {
-        shouldRetry: ({ error: error2 }) => error2.status >= 500,
-        onFailedAttempt: (context) => {
-          core.info(
-            `Failed to create token for "${parsedRepositoryNames.join(
-              ","
-            )}" (attempt ${context.attemptNumber}): ${context.error.message}`
-          );
-        },
-        retries: 3
-      }
-    ));
-  } else {
-    ({ authentication, installationId, appSlug } = await pRetry(
-      () => getTokenFromOwner(request2, auth5, parsedOwner, permissions),
-      {
-        onFailedAttempt: (context) => {
-          core.info(
-            `Failed to create token for "${parsedOwner}" (attempt ${context.attemptNumber}): ${context.error.message}`
-          );
-        },
-        retries: 3
-      }
-    ));
-  }
+  const { authentication, installationId, appSlug } = await pRetry(
+    () => getTokenFromTarget(request2, auth5, target, permissions),
+    createTokenRetryOptions(core, getTokenRetryDescription(target))
+  );
   core.setSecret(authentication.token);
   core.setOutput("token", authentication.token);
   core.setOutput("installation-id", installationId);
@@ -23279,6 +23219,102 @@ async function main(clientId, privateKey, owner, repositories, permissions, core
     core.saveState("expiresAt", authentication.expiresAt);
   }
 }
+function resolveInstallationTarget(enterprise, owner, repositories, core) {
+  if (enterprise) {
+    core.info(`Creating enterprise installation token for enterprise "${enterprise}".`);
+    return { type: "enterprise", enterprise };
+  }
+  if (!owner && repositories.length === 0) {
+    const [defaultOwner, repo] = String(process.env.GITHUB_REPOSITORY).split("/");
+    core.info(
+      `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (${defaultOwner}/${repo}).`
+    );
+    return {
+      type: "repository",
+      owner: defaultOwner,
+      repositories: [repo]
+    };
+  }
+  if (owner && repositories.length === 0) {
+    core.info(
+      `Input 'repositories' is not set. Creating token for all repositories owned by ${owner}.`
+    );
+    return { type: "owner", owner };
+  }
+  const parsedOwner = owner || String(process.env.GITHUB_REPOSITORY_OWNER);
+  if (!owner) {
+    core.info(
+      `No 'owner' input provided. Using default owner '${parsedOwner}' to create token for the following repositories:${repositories.map((repo) => `
+- ${parsedOwner}/${repo}`).join("")}`
+    );
+  } else {
+    core.info(
+      `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:${repositories.map((repo) => `
+- ${parsedOwner}/${repo}`).join("")}`
+    );
+  }
+  return {
+    type: "repository",
+    owner: parsedOwner,
+    repositories
+  };
+}
+function getTokenRetryDescription(target) {
+  switch (target.type) {
+    case "enterprise":
+      return `enterprise "${target.enterprise}"`;
+    case "repository":
+      return `"${target.repositories.map((repository) => `${target.owner}/${repository}`).join(",")}"`;
+    case "owner":
+      return `"${target.owner}"`;
+    /* c8 ignore next 2 */
+    default:
+      throw new Error(`Unsupported installation target type: ${target.type}`);
+  }
+}
+function getTokenFromTarget(request2, auth5, target, permissions) {
+  switch (target.type) {
+    case "enterprise":
+      return getTokenFromEnterprise(request2, auth5, target.enterprise, permissions);
+    case "repository":
+      return getTokenFromRepository(
+        request2,
+        auth5,
+        target.owner,
+        target.repositories,
+        permissions
+      );
+    case "owner":
+      return getTokenFromOwner(request2, auth5, target.owner, permissions);
+    /* c8 ignore next 2 */
+    default:
+      throw new Error(`Unsupported installation target type: ${target.type}`);
+  }
+}
+function createTokenRetryOptions(core, targetDescription) {
+  return {
+    shouldRetry: ({ error: error2 }) => error2.status >= 500 || isNetworkError(error2),
+    onFailedAttempt: (context) => {
+      core.info(
+        `Failed to create token for ${targetDescription} (attempt ${context.attemptNumber}): ${context.error.message}`
+      );
+    },
+    retries: 3
+  };
+}
+async function createInstallationAuthResult(auth5, installation, permissions, options = {}) {
+  const authentication = await auth5({
+    type: "installation",
+    installationId: installation.id,
+    permissions,
+    ...options
+  });
+  return {
+    authentication,
+    installationId: installation.id,
+    appSlug: installation["app_slug"]
+  };
+}
 async function getTokenFromOwner(request2, auth5, parsedOwner, permissions) {
   const response = await request2("GET /users/{username}/installation", {
     username: parsedOwner,
@@ -23286,14 +23322,7 @@ async function getTokenFromOwner(request2, auth5, parsedOwner, permissions) {
       hook: auth5.hook
     }
   });
-  const authentication = await auth5({
-    type: "installation",
-    installationId: response.data.id,
-    permissions
-  });
-  const installationId = response.data.id;
-  const appSlug = response.data["app_slug"];
-  return { authentication, installationId, appSlug };
+  return createInstallationAuthResult(auth5, response.data, permissions);
 }
 async function getTokenFromRepository(request2, auth5, parsedOwner, parsedRepositoryNames, permissions) {
   const response = await request2("GET /repos/{owner}/{repo}/installation", {
@@ -23303,15 +23332,28 @@ async function getTokenFromRepository(request2, auth5, parsedOwner, parsedReposi
       hook: auth5.hook
     }
   });
-  const authentication = await auth5({
-    type: "installation",
-    installationId: response.data.id,
-    repositoryNames: parsedRepositoryNames,
-    permissions
+  return createInstallationAuthResult(auth5, response.data, permissions, {
+    repositoryNames: parsedRepositoryNames
   });
-  const installationId = response.data.id;
-  const appSlug = response.data["app_slug"];
-  return { authentication, installationId, appSlug };
+}
+async function getTokenFromEnterprise(request2, auth5, enterprise, permissions) {
+  let response;
+  try {
+    response = await request2("GET /enterprises/{enterprise}/installation", {
+      enterprise,
+      request: {
+        hook: auth5.hook
+      }
+    });
+  } catch (error2) {
+    if (error2.status === 404) {
+      throw new Error(
+        `No enterprise installation found matching the enterprise slug "${enterprise}".`
+      );
+    }
+    throw error2;
+  }
+  return createInstallationAuthResult(auth5, response.data, permissions);
 }
 
 // lib/request.js
@@ -23355,6 +23397,7 @@ async function run() {
     throw new Error("The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.");
   }
   const privateKey = getInput("private-key");
+  const enterprise = getInput("enterprise");
   const owner = getInput("owner");
   const repositories = getInput("repositories").split(/[\n,]+/).map((s) => s.trim()).filter((x) => x !== "");
   const skipTokenRevoke = getBooleanInput("skip-token-revoke");
@@ -23362,6 +23405,7 @@ async function run() {
   return main(
     clientId,
     privateKey,
+    enterprise,
     owner,
     repositories,
     permissions,

lib/main.js

@@ -1,9 +1,11 @@
 import pRetry from "p-retry";
+import isNetworkError from "is-network-error";
 // @ts-check
 
 /**
  * @param {string} clientId
  * @param {string} privateKey
+ * @param {string} enterprise
  * @param {string} owner
  * @param {string[]} repositories
  * @param {undefined | Record<string, string>} permissions
@@ -15,59 +17,21 @@ import pRetry from "p-retry";
 export async function main(
   clientId,
   privateKey,
+  enterprise,
   owner,
   repositories,
   permissions,
   core,
   createAppAuth,
   request,
-  skipTokenRevoke
+  skipTokenRevoke,
 ) {
-  let parsedOwner = "";
-  let parsedRepositoryNames = [];
-
-  // If neither owner nor repositories are set, default to current repository
-  if (!owner && repositories.length === 0) {
-    const [owner, repo] = String(process.env.GITHUB_REPOSITORY).split("/");
-    parsedOwner = owner;
-    parsedRepositoryNames = [repo];
-
-    core.info(
-      `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (${owner}/${repo}).`
-    );
+  // Validate mutual exclusivity of enterprise with owner/repositories
+  if (enterprise && (owner || repositories.length > 0)) {
+    throw new Error("Cannot use 'enterprise' input with 'owner' or 'repositories' inputs");
   }
 
-  // If only an owner is set, default to all repositories from that owner
-  if (owner && repositories.length === 0) {
-    parsedOwner = owner;
-
-    core.info(
-      `Input 'repositories' is not set. Creating token for all repositories owned by ${owner}.`
-    );
-  }
-
-  // If repositories are set, but no owner, default to `GITHUB_REPOSITORY_OWNER`
-  if (!owner && repositories.length > 0) {
-    parsedOwner = String(process.env.GITHUB_REPOSITORY_OWNER);
-    parsedRepositoryNames = repositories;
-
-    core.info(
-      `No 'owner' input provided. Using default owner '${parsedOwner}' to create token for the following repositories:${repositories
-        .map((repo) => `\n- ${parsedOwner}/${repo}`)
-        .join("")}`
-    );
-  }
-
-  // If both owner and repositories are set, use those values
-  if (owner && repositories.length > 0) {
-    parsedOwner = owner;
-    parsedRepositoryNames = repositories;
-
-    core.info(
-      `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
-      ${repositories.map((repo) => `\n- ${parsedOwner}/${repo}`).join("")}`
-    );
-  }
+  const target = resolveInstallationTarget(enterprise, owner, repositories, core);
 
   const auth = createAppAuth({
     appId: clientId,
@@ -75,45 +39,10 @@ export async function main(
     request,
   });
 
-  let authentication, installationId, appSlug;
-  // If at least one repository is set, get installation ID from that repository
-
-  if (parsedRepositoryNames.length > 0) {
-    ({ authentication, installationId, appSlug } = await pRetry(
-      () =>
-        getTokenFromRepository(
-          request,
-          auth,
-          parsedOwner,
-          parsedRepositoryNames,
-          permissions
-        ),
-      {
-        shouldRetry: ({ error }) => error.status >= 500,
-        onFailedAttempt: (context) => {
-          core.info(
-            `Failed to create token for "${parsedRepositoryNames.join(
-              ","
-            )}" (attempt ${context.attemptNumber}): ${context.error.message}`
-          );
-        },
-        retries: 3,
-      }
-    ));
-  } else {
-    // Otherwise get the installation for the owner, which can either be an organization or a user account
-    ({ authentication, installationId, appSlug } = await pRetry(
-      () => getTokenFromOwner(request, auth, parsedOwner, permissions),
-      {
-        onFailedAttempt: (context) => {
-          core.info(
-            `Failed to create token for "${parsedOwner}" (attempt ${context.attemptNumber}): ${context.error.message}`
-          );
-        },
-        retries: 3,
-      }
-    ));
-  }
+  const { authentication, installationId, appSlug } = await pRetry(
+    () => getTokenFromTarget(request, auth, target, permissions),
+    createTokenRetryOptions(core, getTokenRetryDescription(target))
+  );
 
   // Register the token with the runner as a secret to ensure it is masked in logs
   core.setSecret(authentication.token);
@@ -129,6 +58,125 @@ export async function main(
   }
 }
 
+function resolveInstallationTarget(enterprise, owner, repositories, core) {
+  if (enterprise) {
+    core.info(`Creating enterprise installation token for enterprise "${enterprise}".`);
+    return { type: "enterprise", enterprise };
+  }
+
+  if (!owner && repositories.length === 0) {
+    const [defaultOwner, repo] = String(process.env.GITHUB_REPOSITORY).split("/");
+
+    core.info(
+      `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (${defaultOwner}/${repo}).`
+    );
+
+    return {
+      type: "repository",
+      owner: defaultOwner,
+      repositories: [repo],
+    };
+  }
+
+  if (owner && repositories.length === 0) {
+    core.info(
+      `Input 'repositories' is not set. Creating token for all repositories owned by ${owner}.`
+    );
+
+    return { type: "owner", owner };
+  }
+
+  const parsedOwner = owner || String(process.env.GITHUB_REPOSITORY_OWNER);
+
+  if (!owner) {
+    core.info(
+      `No 'owner' input provided. Using default owner '${parsedOwner}' to create token for the following repositories:${repositories
+        .map((repo) => `\n- ${parsedOwner}/${repo}`)
+        .join("")}`
+    );
+  } else {
+    core.info(
+      `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:${repositories
+        .map((repo) => `\n- ${parsedOwner}/${repo}`)
+        .join("")}`
+    );
+  }
+
+  return {
+    type: "repository",
+    owner: parsedOwner,
+    repositories,
+  };
+}
+
+function getTokenRetryDescription(target) {
+  switch (target.type) {
+    case "enterprise":
+      return `enterprise "${target.enterprise}"`;
+    case "repository":
+      return `"${target.repositories
+        .map((repository) => `${target.owner}/${repository}`)
+        .join(",")}"`;
+    case "owner":
+      return `"${target.owner}"`;
+    /* c8 ignore next 2 */
+    default:
+      throw new Error(`Unsupported installation target type: ${target.type}`);
+  }
+}
+
+function getTokenFromTarget(request, auth, target, permissions) {
+  switch (target.type) {
+    case "enterprise":
+      return getTokenFromEnterprise(request, auth, target.enterprise, permissions);
+    case "repository":
+      return getTokenFromRepository(
+        request,
+        auth,
+        target.owner,
+        target.repositories,
+        permissions
+      );
+    case "owner":
+      return getTokenFromOwner(request, auth, target.owner, permissions);
+    /* c8 ignore next 2 */
+    default:
+      throw new Error(`Unsupported installation target type: ${target.type}`);
+  }
+}
+
+function createTokenRetryOptions(core, targetDescription) {
+  return {
+    shouldRetry: ({ error }) => error.status >= 500 || isNetworkError(error),
+    onFailedAttempt: (context) => {
+      core.info(
+        `Failed to create token for ${targetDescription} (attempt ${context.attemptNumber}): ${context.error.message}`
+      );
+    },
+    retries: 3,
+  };
+}
+
+async function createInstallationAuthResult(
+  auth,
+  installation,
+  permissions,
+  options = {},
+) {
+  const authentication = await auth({
+    type: "installation",
+    installationId: installation.id,
+    permissions,
+    ...options,
+  });
+
+  return {
+    authentication,
+    installationId: installation.id,
+    appSlug: installation["app_slug"],
+  };
+}
+
 async function getTokenFromOwner(request, auth, parsedOwner, permissions) {
   // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app
   // This endpoint works for both users and organizations
@@ -139,17 +187,8 @@ async function getTokenFromOwner(request, auth, parsedOwner, permissions) {
     },
   });
 
-  // Get token for for all repositories of the given installation
-  const authentication = await auth({
-    type: "installation",
-    installationId: response.data.id,
-    permissions,
-  });
-
-  const installationId = response.data.id;
-  const appSlug = response.data["app_slug"];
-
-  return { authentication, installationId, appSlug };
+  // Get token for all repositories of the given installation
+  return createInstallationAuthResult(auth, response.data, permissions);
 }
 
 async function getTokenFromRepository(
@@ -169,15 +208,30 @@ async function getTokenFromRepository(
   });
 
   // Get token for given repositories
-  const authentication = await auth({
-    type: "installation",
-    installationId: response.data.id,
+  return createInstallationAuthResult(auth, response.data, permissions, {
     repositoryNames: parsedRepositoryNames,
-    permissions,
   });
-
-  const installationId = response.data.id;
-  const appSlug = response.data["app_slug"];
-
-  return { authentication, installationId, appSlug };
+}
+
+async function getTokenFromEnterprise(request, auth, enterprise, permissions) {
+  let response;
+  try {
+    response = await request("GET /enterprises/{enterprise}/installation", {
+      enterprise,
+      request: {
+        hook: auth.hook,
+      },
+    });
+  } catch (error) {
+    if (error.status === 404) {
+      throw new Error(
+        `No enterprise installation found matching the enterprise slug "${enterprise}".`
+      );
+    }
+
+    throw error;
+  }
+
+  // Get token for the enterprise installation
+  return createInstallationAuthResult(auth, response.data, permissions);
 }

main.js

@@ -23,6 +23,7 @@ async function run() {
     throw new Error("The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.");
   }
   const privateKey = core.getInput("private-key");
+  const enterprise = core.getInput("enterprise");
   const owner = core.getInput("owner");
   const repositories = core
     .getInput("repositories")
@@ -37,6 +38,7 @@ async function run() {
   return main(
     clientId,
     privateKey,
+    enterprise,
     owner,
     repositories,
     permissions,

package-lock.json

@@ -9,27 +9,28 @@
       "version": "3.1.1",
       "license": "MIT",
       "dependencies": {
-        "@actions/core": "^3.0.0",
+        "@actions/core": "^3.0.1",
         "@octokit/auth-app": "^8.2.0",
         "@octokit/request": "^10.0.8",
+        "is-network-error": "^1.3.2",
         "p-retry": "^8.0.0"
       },
       "devDependencies": {
         "@octokit/openapi": "^22.0.0",
         "c8": "^11.0.0",
-        "esbuild": "^0.27.4",
+        "esbuild": "^0.28.0",
         "open-cli": "^9.0.0",
-        "undici": "^7.24.6",
-        "yaml": "^2.8.3"
+        "undici": "^8.2.0",
+        "yaml": "^2.8.4"
       },
       "engines": {
         "node": ">=24.4.0"
       }
     },
     "node_modules/@actions/core": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-3.0.0.tgz",
-      "integrity": "sha512-zYt6cz+ivnTmiT/ksRVriMBOiuoUpDCJJlZ5KPl2/FRdvwU3f7MPh9qftvbkXJThragzUZieit2nyHUyw53Seg==",
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-3.0.1.tgz",
+      "integrity": "sha512-a6d/Nwahm9fliVGRhdhofo40HjHQasUPusmc7vBfyky+7Z+P2A1J68zyFVaNcEclc/Se+eO595oAr5nwEIoIUA==",
       "license": "MIT",
       "dependencies": {
         "@actions/exec": "^3.0.0",
@@ -91,9 +92,9 @@
       }
     },
     "node_modules/@esbuild/aix-ppc64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.4.tgz",
-      "integrity": "sha512-cQPwL2mp2nSmHHJlCyoXgHGhbEPMrEEU5xhkcy3Hs/O7nGZqEpZ2sUtLaL9MORLtDfRvVl2/3PAuEkYZH0Ty8Q==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.28.0.tgz",
+      "integrity": "sha512-lhRUCeuOyJQURhTxl4WkpFTjIsbDayJHih5kZC1giwE+MhIzAb7mEsQMqMf18rHLsrb5qI1tafG20mLxEWcWlA==",
       "cpu": [
         "ppc64"
       ],
@@ -108,9 +109,9 @@
       }
     },
     "node_modules/@esbuild/android-arm": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.4.tgz",
-      "integrity": "sha512-X9bUgvxiC8CHAGKYufLIHGXPJWnr0OCdR0anD2e21vdvgCI8lIfqFbnoeOz7lBjdrAGUhqLZLcQo6MLhTO2DKQ==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.28.0.tgz",
+      "integrity": "sha512-wqh0ByljabXLKHeWXYLqoJ5jKC4XBaw6Hk08OfMrCRd2nP2ZQ5eleDZC41XHyCNgktBGYMbqnrJKq/K/lzPMSQ==",
       "cpu": [
         "arm"
       ],
@@ -125,9 +126,9 @@
       }
     },
     "node_modules/@esbuild/android-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.4.tgz",
-      "integrity": "sha512-gdLscB7v75wRfu7QSm/zg6Rx29VLdy9eTr2t44sfTW7CxwAtQghZ4ZnqHk3/ogz7xao0QAgrkradbBzcqFPasw==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.28.0.tgz",
+      "integrity": "sha512-+WzIXQOSaGs33tLEgYPYe/yQHf0WTU0X42Jca3y8NWMbUVhp7rUnw+vAsRC/QiDrdD31IszMrZy+qwPOPjd+rw==",
       "cpu": [
         "arm64"
       ],
@@ -142,9 +143,9 @@
       }
     },
     "node_modules/@esbuild/android-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.4.tgz",
-      "integrity": "sha512-PzPFnBNVF292sfpfhiyiXCGSn9HZg5BcAz+ivBuSsl6Rk4ga1oEXAamhOXRFyMcjwr2DVtm40G65N3GLeH1Lvw==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.28.0.tgz",
+      "integrity": "sha512-+VJggoaKhk2VNNqVL7f6S189UzShHC/mR9EE8rDdSkdpN0KflSwWY/gWjDrNxxisg8Fp1ZCD9jLMo4m0OUfeUA==",
       "cpu": [
         "x64"
       ],
@@ -159,9 +160,9 @@
       }
     },
     "node_modules/@esbuild/darwin-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.4.tgz",
-      "integrity": "sha512-b7xaGIwdJlht8ZFCvMkpDN6uiSmnxxK56N2GDTMYPr2/gzvfdQN8rTfBsvVKmIVY/X7EM+/hJKEIbbHs9oA4tQ==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.28.0.tgz",
+      "integrity": "sha512-0T+A9WZm+bZ84nZBtk1ckYsOvyA3x7e2Acj1KdVfV4/2tdG4fzUp91YHx+GArWLtwqp77pBXVCPn2We7Letr0Q==",
       "cpu": [
         "arm64"
       ],
@@ -176,9 +177,9 @@
       }
     },
     "node_modules/@esbuild/darwin-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.4.tgz",
-      "integrity": "sha512-sR+OiKLwd15nmCdqpXMnuJ9W2kpy0KigzqScqHI3Hqwr7IXxBp3Yva+yJwoqh7rE8V77tdoheRYataNKL4QrPw==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.28.0.tgz",
+      "integrity": "sha512-fyzLm/DLDl/84OCfp2f/XQ4flmORsjU7VKt8HLjvIXChJoFFOIL6pLJPH4Yhd1n1gGFF9mPwtlN5Wf82DZs+LQ==",
       "cpu": [
         "x64"
       ],
@@ -193,9 +194,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.4.tgz",
-      "integrity": "sha512-jnfpKe+p79tCnm4GVav68A7tUFeKQwQyLgESwEAUzyxk/TJr4QdGog9sqWNcUbr/bZt/O/HXouspuQDd9JxFSw==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.28.0.tgz",
+      "integrity": "sha512-l9GeW5UZBT9k9brBYI+0WDffcRxgHQD8ShN2Ur4xWq/NFzUKm3k5lsH4PdaRgb2w7mI9u61nr2gI2mLI27Nh3Q==",
       "cpu": [
         "arm64"
       ],
@@ -210,9 +211,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.4.tgz",
-      "integrity": "sha512-2kb4ceA/CpfUrIcTUl1wrP/9ad9Atrp5J94Lq69w7UwOMolPIGrfLSvAKJp0RTvkPPyn6CIWrNy13kyLikZRZQ==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.28.0.tgz",
+      "integrity": "sha512-BXoQai/A0wPO6Es3yFJ7APCiKGc1tdAEOgeTNy3SsB491S3aHn4S4r3e976eUnPdU+NbdtmBuLncYir2tMU9Nw==",
       "cpu": [
         "x64"
       ],
@@ -227,9 +228,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.4.tgz",
-      "integrity": "sha512-aBYgcIxX/wd5n2ys0yESGeYMGF+pv6g0DhZr3G1ZG4jMfruU9Tl1i2Z+Wnj9/KjGz1lTLCcorqE2viePZqj4Eg==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.28.0.tgz",
+      "integrity": "sha512-CjaaREJagqJp7iTaNQjjidaNbCKYcd4IDkzbwwxtSvjI7NZm79qiHc8HqciMddQ6CKvJT6aBd8lO9kN/ZudLlw==",
       "cpu": [
         "arm"
       ],
@@ -244,9 +245,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.4.tgz",
-      "integrity": "sha512-7nQOttdzVGth1iz57kxg9uCz57dxQLHWxopL6mYuYthohPKEK0vU0C3O21CcBK6KDlkYVcnDXY099HcCDXd9dA==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.28.0.tgz",
+      "integrity": "sha512-RVyzfb3FWsGA55n6WY0MEIEPURL1FcbhFE6BffZEMEekfCzCIMtB5yyDcFnVbTnwk+CLAgTujmV/Lgvih56W+A==",
       "cpu": [
         "arm64"
       ],
@@ -261,9 +262,9 @@
       }
     },
     "node_modules/@esbuild/linux-ia32": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.4.tgz",
-      "integrity": "sha512-oPtixtAIzgvzYcKBQM/qZ3R+9TEUd1aNJQu0HhGyqtx6oS7qTpvjheIWBbes4+qu1bNlo2V4cbkISr8q6gRBFA==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.28.0.tgz",
+      "integrity": "sha512-KBnSTt1kxl9x70q+ydterVdl+Cn0H18ngRMRCEQfrbqdUuntQQ0LoMZv47uB97NljZFzY6HcfqEZ2SAyIUTQBQ==",
       "cpu": [
         "ia32"
       ],
@@ -278,9 +279,9 @@
       }
     },
     "node_modules/@esbuild/linux-loong64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.4.tgz",
-      "integrity": "sha512-8mL/vh8qeCoRcFH2nM8wm5uJP+ZcVYGGayMavi8GmRJjuI3g1v6Z7Ni0JJKAJW+m0EtUuARb6Lmp4hMjzCBWzA==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.28.0.tgz",
+      "integrity": "sha512-zpSlUce1mnxzgBADvxKXX5sl8aYQHo2ezvMNI8I0lbblJtp8V4odlm3Yzlj7gPyt3T8ReksE6bK+pT3WD+aJRg==",
       "cpu": [
         "loong64"
       ],
@@ -295,9 +296,9 @@
       }
     },
     "node_modules/@esbuild/linux-mips64el": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.4.tgz",
-      "integrity": "sha512-1RdrWFFiiLIW7LQq9Q2NES+HiD4NyT8Itj9AUeCl0IVCA459WnPhREKgwrpaIfTOe+/2rdntisegiPWn/r/aAw==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.28.0.tgz",
+      "integrity": "sha512-2jIfP6mmjkdmeTlsX/9vmdmhBmKADrWqN7zcdtHIeNSCH1SqIoNI63cYsjQR8J+wGa4Y5izRcSHSm8K3QWmk3w==",
       "cpu": [
         "mips64el"
       ],
@@ -312,9 +313,9 @@
       }
     },
     "node_modules/@esbuild/linux-ppc64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.4.tgz",
-      "integrity": "sha512-tLCwNG47l3sd9lpfyx9LAGEGItCUeRCWeAx6x2Jmbav65nAwoPXfewtAdtbtit/pJFLUWOhpv0FpS6GQAmPrHA==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.28.0.tgz",
+      "integrity": "sha512-bc0FE9wWeC0WBm49IQMPSPILRocGTQt3j5KPCA8os6VprfuJ7KD+5PzESSrJ6GmPIPJK965ZJHTUlSA6GNYEhg==",
       "cpu": [
         "ppc64"
       ],
@@ -329,9 +330,9 @@
       }
     },
     "node_modules/@esbuild/linux-riscv64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.4.tgz",
-      "integrity": "sha512-BnASypppbUWyqjd1KIpU4AUBiIhVr6YlHx/cnPgqEkNoVOhHg+YiSVxM1RLfiy4t9cAulbRGTNCKOcqHrEQLIw==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.28.0.tgz",
+      "integrity": "sha512-SQPZOwoTTT/HXFXQJG/vBX8sOFagGqvZyXcgLA3NhIqcBv1BJU1d46c0rGcrij2B56Z2rNiSLaZOYW5cUk7yLQ==",
       "cpu": [
         "riscv64"
       ],
@@ -346,9 +347,9 @@
       }
     },
     "node_modules/@esbuild/linux-s390x": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.4.tgz",
-      "integrity": "sha512-+eUqgb/Z7vxVLezG8bVB9SfBie89gMueS+I0xYh2tJdw3vqA/0ImZJ2ROeWwVJN59ihBeZ7Tu92dF/5dy5FttA==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.28.0.tgz",
+      "integrity": "sha512-SCfR0HN8CEEjnYnySJTd2cw0k9OHB/YFzt5zgJEwa+wL/T/raGWYMBqwDNAC6dqFKmJYZoQBRfHjgwLHGSrn3Q==",
       "cpu": [
         "s390x"
       ],
@@ -363,9 +364,9 @@
       }
     },
     "node_modules/@esbuild/linux-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.4.tgz",
-      "integrity": "sha512-S5qOXrKV8BQEzJPVxAwnryi2+Iq5pB40gTEIT69BQONqR7JH1EPIcQ/Uiv9mCnn05jff9umq/5nqzxlqTOg9NA==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.28.0.tgz",
+      "integrity": "sha512-us0dSb9iFxIi8srnpl931Nvs65it/Jd2a2K3qs7fz2WfGPHqzfzZTfec7oxZJRNPXPnNYZtanmRc4AL/JwVzHQ==",
       "cpu": [
         "x64"
       ],
@@ -380,9 +381,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.4.tgz",
-      "integrity": "sha512-xHT8X4sb0GS8qTqiwzHqpY00C95DPAq7nAwX35Ie/s+LO9830hrMd3oX0ZMKLvy7vsonee73x0lmcdOVXFzd6Q==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.28.0.tgz",
+      "integrity": "sha512-CR/RYotgtCKwtftMwJlUU7xCVNg3lMYZ0RzTmAHSfLCXw3NtZtNpswLEj/Kkf6kEL3Gw+BpOekRX0BYCtklhUw==",
       "cpu": [
         "arm64"
       ],
@@ -397,9 +398,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.4.tgz",
-      "integrity": "sha512-RugOvOdXfdyi5Tyv40kgQnI0byv66BFgAqjdgtAKqHoZTbTF2QqfQrFwa7cHEORJf6X2ht+l9ABLMP0dnKYsgg==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.28.0.tgz",
+      "integrity": "sha512-nU1yhmYutL+fQ71Kxnhg8uEOdC0pwEW9entHykTgEbna2pw2dkbFSMeqjjyHZoCmt8SBkOSvV+yNmm94aUrrqw==",
       "cpu": [
         "x64"
       ],
@@ -414,9 +415,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.4.tgz",
-      "integrity": "sha512-2MyL3IAaTX+1/qP0O1SwskwcwCoOI4kV2IBX1xYnDDqthmq5ArrW94qSIKCAuRraMgPOmG0RDTA74mzYNQA9ow==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.28.0.tgz",
+      "integrity": "sha512-cXb5vApOsRsxsEl4mcZ1XY3D4DzcoMxR/nnc4IyqYs0rTI8ZKmW6kyyg+11Z8yvgMfAEldKzP7AdP64HnSC/6g==",
       "cpu": [
         "arm64"
       ],
@@ -431,9 +432,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.4.tgz",
-      "integrity": "sha512-u8fg/jQ5aQDfsnIV6+KwLOf1CmJnfu1ShpwqdwC0uA7ZPwFws55Ngc12vBdeUdnuWoQYx/SOQLGDcdlfXhYmXQ==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.28.0.tgz",
+      "integrity": "sha512-8wZM2qqtv9UP3mzy7HiGYNH/zjTA355mpeuA+859TyR+e+Tc08IHYpLJuMsfpDJwoLo1ikIJI8jC3GFjnRClzA==",
       "cpu": [
         "x64"
       ],
@@ -448,9 +449,9 @@
       }
     },
     "node_modules/@esbuild/openharmony-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.4.tgz",
-      "integrity": "sha512-JkTZrl6VbyO8lDQO3yv26nNr2RM2yZzNrNHEsj9bm6dOwwu9OYN28CjzZkH57bh4w0I2F7IodpQvUAEd1mbWXg==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.28.0.tgz",
+      "integrity": "sha512-FLGfyizszcef5C3YtoyQDACyg95+dndv79i2EekILBofh5wpCa1KuBqOWKrEHZg3zrL3t5ouE5jgr94vA+Wb2w==",
       "cpu": [
         "arm64"
       ],
@@ -465,9 +466,9 @@
       }
     },
     "node_modules/@esbuild/sunos-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.4.tgz",
-      "integrity": "sha512-/gOzgaewZJfeJTlsWhvUEmUG4tWEY2Spp5M20INYRg2ZKl9QPO3QEEgPeRtLjEWSW8FilRNacPOg8R1uaYkA6g==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.28.0.tgz",
+      "integrity": "sha512-1ZgjUoEdHZZl/YlV76TSCz9Hqj9h9YmMGAgAPYd+q4SicWNX3G5GCyx9uhQWSLcbvPW8Ni7lj4gDa1T40akdlw==",
       "cpu": [
         "x64"
       ],
@@ -482,9 +483,9 @@
       }
     },
     "node_modules/@esbuild/win32-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.4.tgz",
-      "integrity": "sha512-Z9SExBg2y32smoDQdf1HRwHRt6vAHLXcxD2uGgO/v2jK7Y718Ix4ndsbNMU/+1Qiem9OiOdaqitioZwxivhXYg==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.28.0.tgz",
+      "integrity": "sha512-Q9StnDmQ/enxnpxCCLSg0oo4+34B9TdXpuyPeTedN/6+iXBJ4J+zwfQI28u/Jl40nOYAxGoNi7mFP40RUtkmUA==",
       "cpu": [
         "arm64"
       ],
@@ -499,9 +500,9 @@
       }
     },
     "node_modules/@esbuild/win32-ia32": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.4.tgz",
-      "integrity": "sha512-DAyGLS0Jz5G5iixEbMHi5KdiApqHBWMGzTtMiJ72ZOLhbu/bzxgAe8Ue8CTS3n3HbIUHQz/L51yMdGMeoxXNJw==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.28.0.tgz",
+      "integrity": "sha512-zF3ag/gfiCe6U2iczcRzSYJKH1DCI+ByzSENHlM2FcDbEeo5Zd2C86Aq0tKUYAJJ1obRP84ymxIAksZUcdztHA==",
       "cpu": [
         "ia32"
       ],
@@ -516,9 +517,9 @@
       }
     },
     "node_modules/@esbuild/win32-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.4.tgz",
-      "integrity": "sha512-+knoa0BDoeXgkNvvV1vvbZX4+hizelrkwmGJBdT17t8FNPwG2lKemmuMZlmaNQ3ws3DKKCxpb4zRZEIp3UxFCg==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.28.0.tgz",
+      "integrity": "sha512-pEl1bO9mfAmIC+tW5btTmrKaujg3zGtUmWNdCw/xs70FBjwAL3o9OEKNHvNmnyylD6ubxUERiEhdsL0xBQ9efw==",
       "cpu": [
         "x64"
       ],
@@ -1022,9 +1023,9 @@
       }
     },
     "node_modules/esbuild": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.4.tgz",
-      "integrity": "sha512-Rq4vbHnYkK5fws5NF7MYTU68FPRE1ajX7heQ/8QXXWqNgqqJ/GkmmyxIzUnf2Sr/bakf8l54716CcMGHYhMrrQ==",
+      "version": "0.28.0",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.28.0.tgz",
+      "integrity": "sha512-sNR9MHpXSUV/XB4zmsFKN+QgVG82Cc7+/aaxJ8Adi8hyOac+EXptIp45QBPaVyX3N70664wRbTcLTOemCAnyqw==",
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
@@ -1035,32 +1036,32 @@
         "node": ">=18"
       },
       "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.27.4",
-        "@esbuild/android-arm": "0.27.4",
-        "@esbuild/android-arm64": "0.27.4",
-        "@esbuild/android-x64": "0.27.4",
-        "@esbuild/darwin-arm64": "0.27.4",
-        "@esbuild/darwin-x64": "0.27.4",
-        "@esbuild/freebsd-arm64": "0.27.4",
-        "@esbuild/freebsd-x64": "0.27.4",
-        "@esbuild/linux-arm": "0.27.4",
-        "@esbuild/linux-arm64": "0.27.4",
-        "@esbuild/linux-ia32": "0.27.4",
-        "@esbuild/linux-loong64": "0.27.4",
-        "@esbuild/linux-mips64el": "0.27.4",
-        "@esbuild/linux-ppc64": "0.27.4",
-        "@esbuild/linux-riscv64": "0.27.4",
-        "@esbuild/linux-s390x": "0.27.4",
-        "@esbuild/linux-x64": "0.27.4",
-        "@esbuild/netbsd-arm64": "0.27.4",
-        "@esbuild/netbsd-x64": "0.27.4",
-        "@esbuild/openbsd-arm64": "0.27.4",
-        "@esbuild/openbsd-x64": "0.27.4",
-        "@esbuild/openharmony-arm64": "0.27.4",
-        "@esbuild/sunos-x64": "0.27.4",
-        "@esbuild/win32-arm64": "0.27.4",
-        "@esbuild/win32-ia32": "0.27.4",
-        "@esbuild/win32-x64": "0.27.4"
+        "@esbuild/aix-ppc64": "0.28.0",
+        "@esbuild/android-arm": "0.28.0",
+        "@esbuild/android-arm64": "0.28.0",
+        "@esbuild/android-x64": "0.28.0",
+        "@esbuild/darwin-arm64": "0.28.0",
+        "@esbuild/darwin-x64": "0.28.0",
+        "@esbuild/freebsd-arm64": "0.28.0",
+        "@esbuild/freebsd-x64": "0.28.0",
+        "@esbuild/linux-arm": "0.28.0",
+        "@esbuild/linux-arm64": "0.28.0",
+        "@esbuild/linux-ia32": "0.28.0",
+        "@esbuild/linux-loong64": "0.28.0",
+        "@esbuild/linux-mips64el": "0.28.0",
+        "@esbuild/linux-ppc64": "0.28.0",
+        "@esbuild/linux-riscv64": "0.28.0",
+        "@esbuild/linux-s390x": "0.28.0",
+        "@esbuild/linux-x64": "0.28.0",
+        "@esbuild/netbsd-arm64": "0.28.0",
+        "@esbuild/netbsd-x64": "0.28.0",
+        "@esbuild/openbsd-arm64": "0.28.0",
+        "@esbuild/openbsd-x64": "0.28.0",
+        "@esbuild/openharmony-arm64": "0.28.0",
+        "@esbuild/sunos-x64": "0.28.0",
+        "@esbuild/win32-arm64": "0.28.0",
+        "@esbuild/win32-ia32": "0.28.0",
+        "@esbuild/win32-x64": "0.28.0"
       }
     },
     "node_modules/escalade": {
@@ -1252,9 +1253,9 @@
       }
     },
     "node_modules/is-network-error": {
-      "version": "1.3.1",
-      "resolved": "https://registry.npmjs.org/is-network-error/-/is-network-error-1.3.1.tgz",
-      "integrity": "sha512-6QCxa49rQbmUWLfk0nuGqzql9U8uaV2H6279bRErPBHe/109hCzsLUBUHfbEtvLIHBd6hyXbgedBSHevm43Edw==",
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/is-network-error/-/is-network-error-1.3.2.tgz",
+      "integrity": "sha512-PhBY86zaxNZUuWP6h13Vu5oFe0XY6/UlKzQnYFELzGVHygP3MxmvTfYSG7GN3aIab/iWudSMgjSnG9Dq+nHrgA==",
       "license": "MIT",
       "engines": {
         "node": ">=16"
@@ -1785,13 +1786,13 @@
       }
     },
     "node_modules/undici": {
-      "version": "7.24.6",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.6.tgz",
-      "integrity": "sha512-Xi4agocCbRzt0yYMZGMA6ApD7gvtUFaxm4ZmeacWI4cZxaF6C+8I8QfofC20NAePiB/IcvZmzkJ7XPa471AEtA==",
+      "version": "8.2.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-8.2.0.tgz",
+      "integrity": "sha512-Z+4Hx9GE26Lh9Upwfnc8C7SsrpBPGaM/Gm6kMFtiG7c+5IvQKlXi/t+9x9DrrCh29cww5TSP9YdVaBcnLDs5fQ==",
       "dev": true,
       "license": "MIT",
       "engines": {
-        "node": ">=20.18.1"
+        "node": ">=22.19.0"
       }
     },
     "node_modules/unique-string": {
@@ -1965,9 +1966,9 @@
       "dev": true
     },
     "node_modules/yaml": {
-      "version": "2.8.3",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
-      "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
+      "version": "2.8.4",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.4.tgz",
+      "integrity": "sha512-ml/JPOj9fOQK8RNnWojA67GbZ0ApXAUlN2UQclwv2eVgTgn7O9gg9o7paZWKMp4g0H3nTLtS9LVzhkpOFIKzog==",
       "dev": true,
       "license": "ISC",
       "bin": {

package.json

@@ -16,45 +16,18 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@actions/core": "^3.0.0",
+    "@actions/core": "^3.0.1",
     "@octokit/auth-app": "^8.2.0",
     "@octokit/request": "^10.0.8",
+    "is-network-error": "^1.3.2",
     "p-retry": "^8.0.0"
   },
   "devDependencies": {
     "@octokit/openapi": "^22.0.0",
     "c8": "^11.0.0",
-    "esbuild": "^0.27.4",
+    "esbuild": "^0.28.0",
     "open-cli": "^9.0.0",
-    "undici": "^7.24.6",
-    "yaml": "^2.8.3"
-  },
-  "release": {
-    "branches": [
-      "+([0-9]).x",
-      "main",
-      {
-        "name": "beta",
-        "prerelease": true
-      }
-    ],
-    "plugins": [
-      "@semantic-release/commit-analyzer",
-      "@semantic-release/release-notes-generator",
-      "@semantic-release/github",
-      "@semantic-release/npm",
-      "semantic-release-plugin-github-breaking-version-tag",
-      [
-        "@semantic-release/git",
-        {
-          "assets": [
-            "package.json",
-            "package-lock.json",
-            "dist/*"
-          ],
-          "message": "build(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
-        }
-      ]
-    ]
+    "undici": "^8.2.0",
+    "yaml": "^2.8.4"
   }
 }

release-please-config.beta.json

@@ -0,0 +1,12 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "packages": {
+    ".": {
+      "prerelease": true,
+      "prerelease-type": "beta",
+      "include-component-in-tag": false,
+      "release-type": "node",
+      "versioning": "prerelease"
+    }
+  }
+}

release-please-config.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "packages": {
+    ".": {
+      "include-component-in-tag": false,
+      "release-type": "node"
+    }
+  }
+}

tests/index.js

@@ -11,11 +11,24 @@ snapshot.setDefaultSnapshotSerializers([
   (value) => (typeof value === "string" ? value : undefined),
 ]);
 
+function normalizeStderr(stderr) {
+  return stderr
+    .replaceAll(/\u001B\[[0-9;]*m/g, "")
+    .replaceAll(process.cwd(), "<cwd>")
+    .replaceAll(/:\d+:\d+/g, ":<line>:<column>");
+}
+
 // Get all files in tests directory
 const files = readdirSync("tests");
 
 // Files to ignore
-const ignore = ["index.js", "index.js.snapshot", "main.js", "README.md"];
+const ignore = [
+  "index.js",
+  "index.js.snapshot",
+  "main.js",
+  "mock-agent.js",
+  "README.md",
+];
 
 const testFiles = files.filter((file) => !ignore.includes(file)).sort();
 
@@ -39,10 +52,19 @@ for (const file of testFiles) {
       NODE_USE_ENV_PROXY,
       ...env
     } = process.env;
-    const { stderr, stdout } = await execFileAsync("node", [`tests/${file}`], {
-      env,
-    });
-    const trimmedStderr = stderr.replace(/\r?\n$/, "");
+    let stderr, stdout;
+    try {
+      ({ stderr, stdout } = await execFileAsync("node", [`tests/${file}`], {
+        env,
+      }));
+    } catch (error) {
+      if (!(error instanceof Error) || !("stderr" in error) || !("stdout" in error)) {
+        throw error;
+      }
+
+      ({ stderr, stdout } = error);
+    }
+    const trimmedStderr = normalizeStderr(stderr).replace(/\r?\n$/, "");
     const trimmedStdout = stdout.replace(/\r?\n$/, "");
     await t.test("stderr", (t) => {
       if (trimmedStderr) t.assert.snapshot(trimmedStderr);

tests/index.js.snapshot

@@ -38,7 +38,6 @@ POST /app/installations/123456/access_tokens
 
 exports[`main-custom-github-api-url.test.js > stdout 1`] = `
 Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
-      
 - actions/create-github-app-token
 ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
 
@@ -55,6 +54,105 @@ POST /api/v3/app/installations/123456/access_tokens
 {"repositories":["create-github-app-token"]}
 `;
 
+exports[`main-enterprise-fail-response.test.js > stdout 1`] = `
+Creating enterprise installation token for enterprise "test-enterprise".
+Failed to create token for enterprise "test-enterprise" (attempt 1): GitHub API not available
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /enterprises/test-enterprise/installation
+GET /enterprises/test-enterprise/installation
+POST /app/installations/123456/access_tokens
+null
+`;
+
+exports[`main-enterprise-installation-not-found.test.js > stderr 1`] = `
+Error: No enterprise installation found matching the enterprise slug "test-enterprise".
+    at getTokenFromEnterprise (file://<cwd>/lib/main.js:<line>:<column>)
+    at process.processTicksAndRejections (node:internal/process/task_queues:<line>:<column>)
+    at async pRetry (file://<cwd>/node_modules/p-retry/index.js:<line>:<column>)
+    at async main (file://<cwd>/lib/main.js:<line>:<column>)
+    at async test (file://<cwd>/tests/main.js:<line>:<column>)
+    at async file://<cwd>/tests/main-enterprise-installation-not-found.test.js:<line>:<column>
+`;
+
+exports[`main-enterprise-installation-not-found.test.js > stdout 1`] = `
+Creating enterprise installation token for enterprise "test-enterprise".
+Failed to create token for enterprise "test-enterprise" (attempt 1): No enterprise installation found matching the enterprise slug "test-enterprise".
+::error::No enterprise installation found matching the enterprise slug "test-enterprise".
+--- REQUESTS ---
+GET /enterprises/test-enterprise/installation
+`;
+
+exports[`main-enterprise-mutual-exclusivity-owner.test.js > stderr 1`] = `
+Error: Cannot use 'enterprise' input with 'owner' or 'repositories' inputs
+    at main (file://<cwd>/lib/main.js:<line>:<column>)
+    at run (file://<cwd>/main.js:<line>:<column>)
+    at file://<cwd>/main.js:<line>:<column>
+    at ModuleJob.run (node:internal/modules/esm/module_job:<line>:<column>)
+    at async onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:<line>:<column>)
+    at async file://<cwd>/tests/main-enterprise-mutual-exclusivity-owner.test.js:<line>:<column>
+`;
+
+exports[`main-enterprise-mutual-exclusivity-owner.test.js > stdout 1`] = `
+::error::Cannot use 'enterprise' input with 'owner' or 'repositories' inputs
+`;
+
+exports[`main-enterprise-mutual-exclusivity-repositories.test.js > stderr 1`] = `
+Error: Cannot use 'enterprise' input with 'owner' or 'repositories' inputs
+    at main (file://<cwd>/lib/main.js:<line>:<column>)
+    at run (file://<cwd>/main.js:<line>:<column>)
+    at file://<cwd>/main.js:<line>:<column>
+    at ModuleJob.run (node:internal/modules/esm/module_job:<line>:<column>)
+    at async onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:<line>:<column>)
+    at async file://<cwd>/tests/main-enterprise-mutual-exclusivity-repositories.test.js:<line>:<column>
+`;
+
+exports[`main-enterprise-mutual-exclusivity-repositories.test.js > stdout 1`] = `
+::error::Cannot use 'enterprise' input with 'owner' or 'repositories' inputs
+`;
+
+exports[`main-enterprise-only-success.test.js > stdout 1`] = `
+Creating enterprise installation token for enterprise "test-enterprise".
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /enterprises/test-enterprise/installation
+POST /app/installations/123456/access_tokens
+null
+`;
+
+exports[`main-enterprise-token-permissions-set.test.js > stdout 1`] = `
+Creating enterprise installation token for enterprise "test-enterprise".
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /enterprises/test-enterprise/installation
+POST /app/installations/123456/access_tokens
+{"permissions":{"enterprise_custom_properties_for_organizations":"read"}}
+`;
+
 exports[`main-missing-client-and-app-id.test.js > stderr 1`] = `
 The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.
 `;
@@ -103,7 +201,6 @@ exports[`main-repo-skew.test.js > stderr 1`] = `
 
 exports[`main-repo-skew.test.js > stdout 1`] = `
 Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
-      
 - actions/failed-repo
 ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
 
@@ -121,6 +218,45 @@ POST /app/installations/123456/access_tokens
 {"repositories":["failed-repo"]}
 `;
 
+exports[`main-token-get-owner-set-client-error.test.js > stderr 1`] = `
+RequestError [HttpError]: Forbidden
+    at fetchWrapper (file://<cwd>/node_modules/@octokit/request/dist-bundle/index.js:<line>:<column>)
+    at process.processTicksAndRejections (node:internal/process/task_queues:<line>:<column>)
+    at async hook (file://<cwd>/node_modules/@octokit/auth-app/dist-node/index.js:<line>:<column>)
+    at async getTokenFromOwner (file://<cwd>/lib/main.js:<line>:<column>)
+    at async pRetry (file://<cwd>/node_modules/p-retry/index.js:<line>:<column>)
+    at async main (file://<cwd>/lib/main.js:<line>:<column>)
+    at async test (file://<cwd>/tests/main.js:<line>:<column>)
+    at async file://<cwd>/tests/main-token-get-owner-set-client-error.test.js:<line>:<column> {
+  status: 403,
+  request: {
+    method: 'GET',
+    url: 'https://api.github.com/users/smockle/installation',
+    headers: {
+      accept: 'application/vnd.github.v3+json',
+      'user-agent': 'actions/create-github-app-token',
+      authorization: 'bearer [REDACTED]'
+    },
+    request: { hook: [Function: bound hook] AsyncFunction }
+  },
+  response: {
+    url: 'https://api.github.com/users/smockle/installation',
+    status: 403,
+    headers: { 'content-type': 'application/json' },
+    data: { message: 'Forbidden' }
+  },
+  [cause]: undefined
+}
+`;
+
+exports[`main-token-get-owner-set-client-error.test.js > stdout 1`] = `
+Input 'repositories' is not set. Creating token for all repositories owned by smockle.
+Failed to create token for "smockle" (attempt 1): Forbidden
+::error::Forbidden
+--- REQUESTS ---
+GET /users/smockle/installation
+`;
+
 exports[`main-token-get-owner-set-fail-response.test.js > stdout 1`] = `
 Input 'repositories' is not set. Creating token for all repositories owned by smockle.
 Failed to create token for "smockle" (attempt 1): GitHub API not available
@@ -142,9 +278,8 @@ null
 
 exports[`main-token-get-owner-set-repo-fail-response.test.js > stdout 1`] = `
 Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
-      
 - actions/failed-repo
-Failed to create token for "failed-repo" (attempt 1): GitHub API not available
+Failed to create token for "actions/failed-repo" (attempt 1): GitHub API not available
 ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
 
 ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
@@ -161,9 +296,28 @@ POST /app/installations/123456/access_tokens
 {"repositories":["failed-repo"]}
 `;
 
+exports[`main-token-get-owner-set-repo-network-error.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+- actions/network-repo
+Failed to create token for "actions/network-repo" (attempt 1): fetch failed
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/network-repo/installation
+GET /repos/actions/network-repo/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["network-repo"]}
+`;
+
 exports[`main-token-get-owner-set-repo-set-to-many-newline.test.js > stdout 1`] = `
 Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
-      
 - actions/create-github-app-token
 - actions/toolkit
 - actions/checkout
@@ -184,7 +338,6 @@ POST /app/installations/123456/access_tokens
 
 exports[`main-token-get-owner-set-repo-set-to-many.test.js > stdout 1`] = `
 Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
-      
 - actions/create-github-app-token
 - actions/toolkit
 - actions/checkout
@@ -205,7 +358,6 @@ POST /app/installations/123456/access_tokens
 
 exports[`main-token-get-owner-set-repo-set-to-one.test.js > stdout 1`] = `
 Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
-      
 - actions/create-github-app-token
 ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
 

tests/main-enterprise-fail-response.test.js

@@ -0,0 +1,39 @@
+import { test } from "./main.js";
+
+// Verify enterprise installation lookup retries when the GitHub API returns a 500 error.
+await test((mockPool) => {
+  process.env.INPUT_ENTERPRISE = "test-enterprise";
+  delete process.env.INPUT_OWNER;
+  delete process.env.INPUT_REPOSITORIES;
+
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+
+  mockPool
+    .intercept({
+      path: "/enterprises/test-enterprise/installation",
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(500, "GitHub API not available");
+
+  mockPool
+    .intercept({
+      path: "/enterprises/test-enterprise/installation",
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId, app_slug: mockAppSlug },
+      { headers: { "content-type": "application/json" } },
+    );
+});

tests/main-enterprise-installation-not-found.test.js

@@ -0,0 +1,25 @@
+import { test } from "./main.js";
+
+// Verify `main` handles when no enterprise installation is found.
+await test((mockPool) => {
+  delete process.env.INPUT_OWNER;
+  delete process.env.INPUT_REPOSITORIES;
+  process.env.INPUT_ENTERPRISE = "test-enterprise";
+
+  // Mock the enterprise installation endpoint to return no matching installation
+  mockPool
+    .intercept({
+      path: "/enterprises/test-enterprise/installation",
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      404,
+      { message: "Not Found" },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main-enterprise-mutual-exclusivity-owner.test.js

@@ -0,0 +1,13 @@
+import { DEFAULT_ENV } from "./main.js";
+
+// Verify `main` exits with an error when `enterprise` is used with `owner` input.
+// Set up environment with enterprise and owner set
+for (const [key, value] of Object.entries(DEFAULT_ENV)) {
+  process.env[key] = value;
+}
+
+process.env.INPUT_ENTERPRISE = "test-enterprise";
+process.env.INPUT_OWNER = "test-owner";
+
+const { default: promise } = await import("../main.js");
+await promise;

tests/main-enterprise-mutual-exclusivity-repositories.test.js

@@ -0,0 +1,13 @@
+import { DEFAULT_ENV } from "./main.js";
+
+// Verify `main` exits with an error when `enterprise` is used with `repositories` input.
+// Set up environment with enterprise and repositories set
+for (const [key, value] of Object.entries(DEFAULT_ENV)) {
+  process.env[key] = value;
+}
+
+process.env.INPUT_ENTERPRISE = "test-enterprise";
+process.env.INPUT_REPOSITORIES = "repo1,repo2";
+
+const { default: promise } = await import("../main.js");
+await promise;

tests/main-enterprise-only-success.test.js

@@ -0,0 +1,30 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when only the `enterprise` input is set.
+await test((mockPool) => {
+  process.env.INPUT_ENTERPRISE = "test-enterprise";
+  delete process.env.INPUT_OWNER;
+  delete process.env.INPUT_REPOSITORIES;
+
+  // Mock the enterprise installation endpoint
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+  mockPool
+    .intercept({
+      path: "/enterprises/test-enterprise/installation",
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      {
+        id: mockInstallationId,
+        app_slug: mockAppSlug,
+      },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main-enterprise-token-permissions-set.test.js

@@ -0,0 +1,34 @@
+import { test } from "./main.js";
+
+// Use a declared enterprise permission from the generated schema to verify
+// enterprise token requests forward permission inputs to token creation.
+await test((mockPool) => {
+  process.env.INPUT_ENTERPRISE = "test-enterprise";
+  delete process.env.INPUT_OWNER;
+  delete process.env.INPUT_REPOSITORIES;
+  process.env[
+    "INPUT_PERMISSION-ENTERPRISE-CUSTOM-PROPERTIES-FOR-ORGANIZATIONS"
+  ] = "read";
+
+  // Mock the enterprise installation endpoint
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+  mockPool
+    .intercept({
+      path: "/enterprises/test-enterprise/installation",
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      {
+        id: mockInstallationId,
+        app_slug: mockAppSlug,
+      },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main-token-get-owner-set-client-error.test.js

@@ -0,0 +1,23 @@
+import { test } from "./main.js";
+
+// Verify client errors are not retried when getting a token for a user or organization.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = "smockle";
+  delete process.env.INPUT_REPOSITORIES;
+
+  mockPool
+    .intercept({
+      path: "/users/smockle/installation",
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      403,
+      { message: "Forbidden" },
+      { headers: { "content-type": "application/json" } },
+    );
+});

tests/main-token-get-owner-set-repo-network-error.test.js

@@ -0,0 +1,39 @@
+import { test } from "./main.js";
+
+// Verify transient network errors are retried when getting a repository token.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = "actions";
+  process.env.INPUT_REPOSITORIES = "network-repo";
+  const owner = process.env.INPUT_OWNER;
+  const repo = process.env.INPUT_REPOSITORIES;
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+
+  mockPool
+    .intercept({
+      path: `/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .replyWithError(new TypeError("fetch failed"));
+
+  mockPool
+    .intercept({
+      path: `/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId, app_slug: mockAppSlug },
+      { headers: { "content-type": "application/json" } },
+    );
+});

tests/main.js

@@ -1,6 +1,6 @@
 // Base for all `main` tests.
 // @ts-check
-import { MockAgent, setGlobalDispatcher } from "undici";
+import { createMockAgent } from "./mock-agent.js";
 
 export const DEFAULT_ENV = {
   GITHUB_REPOSITORY_OWNER: "actions",
@@ -50,9 +50,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
   // Set up mocking
   const baseUrl = new URL(env["INPUT_GITHUB-API-URL"]);
   const basePath = baseUrl.pathname === "/" ? "" : baseUrl.pathname;
-  const mockAgent = new MockAgent({ enableCallHistory: true });
-  mockAgent.disableNetConnect();
-  setGlobalDispatcher(mockAgent);
+  const mockAgent = createMockAgent({ enableCallHistory: true });
   const mockPool = mockAgent.get(baseUrl.origin);
 
   // Calling `auth({ type: "app" })` to obtain a JWT doesn’t make network requests, so no need to intercept.

tests/mock-agent.js

@@ -0,0 +1,12 @@
+import { install, MockAgent, setGlobalDispatcher } from "undici";
+
+// Ensure MockAgent intercepts requests made through global fetch.
+install();
+
+export function createMockAgent(options) {
+  const mockAgent = new MockAgent(options);
+  mockAgent.disableNetConnect();
+  setGlobalDispatcher(mockAgent);
+
+  return mockAgent;
+}

tests/post-revoke-token-fail-response.test.js

@@ -1,4 +1,4 @@
-import { MockAgent, setGlobalDispatcher } from "undici";
+import { createMockAgent } from "./mock-agent.js";
 
 // state variables are set as environment variables with the prefix STATE_
 // https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
@@ -14,9 +14,7 @@ process.env.STATE_expiresAt = new Date(
   Date.now() + 1000 * 60 * 60
 ).toISOString();
 
-const mockAgent = new MockAgent();
-
-setGlobalDispatcher(mockAgent);
+const mockAgent = createMockAgent();
 
 // Provide the base url to the request
 const mockPool = mockAgent.get("https://api.github.com");

tests/post-token-expired.test.js

@@ -1,4 +1,4 @@
-import { MockAgent, setGlobalDispatcher } from "undici";
+import { createMockAgent } from "./mock-agent.js";
 
 // state variables are set as environment variables with the prefix STATE_
 // https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
@@ -11,9 +11,7 @@ process.env.STATE_expiresAt = new Date(Date.now() - 1000 * 60 * 60).toISOString(
 // https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
 process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
 
-const mockAgent = new MockAgent();
-
-setGlobalDispatcher(mockAgent);
+const mockAgent = createMockAgent();
 
 // Provide the base url to the request
 const mockPool = mockAgent.get("https://api.github.com");

tests/post-token-set.test.js

@@ -1,4 +1,4 @@
-import { MockAgent, setGlobalDispatcher } from "undici";
+import { createMockAgent } from "./mock-agent.js";
 
 // state variables are set as environment variables with the prefix STATE_
 // https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
@@ -12,9 +12,7 @@ process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
 // 1 hour in the future, not expired
 process.env.STATE_expiresAt = new Date(Date.now() + 1000 * 60 * 60).toISOString();
 
-const mockAgent = new MockAgent();
-
-setGlobalDispatcher(mockAgent);
+const mockAgent = createMockAgent();
 
 // Provide the base url to the request
 const mockPool = mockAgent.get("https://api.github.com");

tests/post-token-skipped.test.js

@@ -1,4 +1,4 @@
-import { MockAgent, setGlobalDispatcher } from "undici";
+import { createMockAgent } from "./mock-agent.js";
 
 // state variables are set as environment variables with the prefix STATE_
 // https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
@@ -8,9 +8,7 @@ process.env.STATE_token = "secret123";
 // https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
 process.env["INPUT_SKIP-TOKEN-REVOKE"] = "true";
 
-const mockAgent = new MockAgent();
-
-setGlobalDispatcher(mockAgent);
+const mockAgent = createMockAgent();
 
 // Provide the base url to the request
 const mockPool = mockAgent.get("https://api.github.com");