ci: use existing release tag format

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

.github/workflows/publish-immutable-action.yml

@@ -1,17 +0,0 @@
-name: 'Publish Immutable Action'
-
-on:
-  release:
-    types: [published]
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-    steps:
-      - uses: actions/checkout@v6
-      - name: Publish Immutable Action
-        uses: actions/publish-immutable-action@v0.0.4

.github/workflows/release.yml

@@ -1,6 +1,7 @@
 name: release
 
 on:
+  workflow_dispatch:
   push:
     branches:
       - "*.x"
@@ -17,24 +18,64 @@ jobs:
     name: release
     runs-on: ubuntu-latest
     steps:
-      # build local version to create token
       - uses: actions/checkout@v6
-        with:
-          persist-credentials: false
 
-      - uses: actions/setup-node@v6
-        with:
-          node-version-file: package.json
-
-      - run: npm ci
-      - run: npm run build
       - uses: ./
         id: app-token
         with:
           app-id: ${{ vars.RELEASER_APP_ID }}
           private-key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
-      # install release dependencies and release
-      - run: npm install --no-save @semantic-release/git semantic-release-plugin-github-breaking-version-tag
-      - run: npx semantic-release --debug
+
+      - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
+        id: release-please
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          config-file: ${{ github.ref_name == 'beta' && 'release-please-config.beta.json' || 'release-please-config.json' }}
+          manifest-file: .release-please-manifest.json
+          target-branch: ${{ github.ref_name }}
+
+      - uses: actions/checkout@v6
+        if: steps.release-please.outputs.prs_created == 'true'
+        with:
+          ref: ${{ fromJSON(steps.release-please.outputs.pr).headBranchName }}
+          token: ${{ steps.app-token.outputs.token }}
+
+      - uses: actions/setup-node@v6
+        if: steps.release-please.outputs.prs_created == 'true'
+        with:
+          node-version-file: package.json
+
+      - run: npm ci
+        if: steps.release-please.outputs.prs_created == 'true'
+
+      - run: npm run build
+        if: steps.release-please.outputs.prs_created == 'true'
+
+      - uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
+        if: steps.release-please.outputs.prs_created == 'true'
+        with:
+          commit_author: "${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com>"
+          commit_message: "chore: update dist files"
+          file_pattern: dist/**
+
+      - name: Update major version tag
+        id: update-major-tag
+        if: steps.release-please.outputs.release_created == 'true' && github.ref_name != 'beta'
+        uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae # v3.0.0
+        continue-on-error: true
+        with:
+          route: PATCH /repos/${{ github.repository }}/git/refs/tags/v${{ steps.release-please.outputs.major }}
+          sha: ${{ steps.release-please.outputs.sha }}
+          force: true
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+
+      - name: Create major version tag
+        if: steps.release-please.outputs.release_created == 'true' && github.ref_name != 'beta' && steps.update-major-tag.outcome == 'failure'
+        uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae # v3.0.0
+        with:
+          route: POST /repos/${{ github.repository }}/git/refs
+          ref: refs/tags/v${{ steps.release-please.outputs.major }}
+          sha: ${{ steps.release-please.outputs.sha }}
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "3.1.1"
+}

README.md

@@ -9,12 +9,10 @@ GitHub Action for creating a GitHub App installation access token.
 In order to use this action, you need to:
 
 1. [Register new GitHub App](https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app).
-2. [Store the App's Client ID in your repository environment variables](https://docs.github.com/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_CLIENT_ID`).
-3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets?tool=webui#creating-encrypted-secrets-for-a-repository) (example: `PRIVATE_KEY`).
+2. [Store the App's Client ID in your repository variables](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_CLIENT_ID`).
+3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets?tool=webui#creating-secrets-for-a-repository) (example: `APP_PRIVATE_KEY`).
 
-Pass the App's Client ID using the `client-id` input. The legacy `app-id` input remains available for compatibility, but is deprecated.
-
-> [!IMPORTANT]  
+> [!IMPORTANT]
 > An installation access token expires after 1 hour. Please [see this comment](https://github.com/actions/create-github-app-token/issues/121#issuecomment-2043214796) for alternative approaches if you have long-running processes.
 
 ### Create a token for the current repository
@@ -34,7 +32,7 @@ jobs:
         id: app-token
         with:
           client-id: ${{ vars.APP_CLIENT_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - uses: ./actions/staging-tests
         with:
           token: ${{ steps.app-token.outputs.token }}
@@ -54,7 +52,7 @@ jobs:
         with:
           # required
           client-id: ${{ vars.APP_CLIENT_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - uses: actions/checkout@v6
         with:
           token: ${{ steps.app-token.outputs.token }}
@@ -80,7 +78,7 @@ jobs:
         with:
           # required
           client-id: ${{ vars.APP_CLIENT_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - name: Get GitHub App User ID
         id: get-user-id
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
@@ -105,7 +103,7 @@ jobs:
         with:
           # required
           client-id: ${{ vars.APP_CLIENT_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - name: Get GitHub App User ID
         id: get-user-id
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
@@ -141,7 +139,7 @@ jobs:
         id: app-token
         with:
           client-id: ${{ vars.APP_CLIENT_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
       - uses: peter-evans/create-or-update-comment@v4
         with:
@@ -163,7 +161,7 @@ jobs:
         id: app-token
         with:
           client-id: ${{ vars.APP_CLIENT_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
           repositories: |
             repo1
@@ -188,7 +186,7 @@ jobs:
         id: app-token
         with:
           client-id: ${{ vars.APP_CLIENT_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: another-owner
       - uses: peter-evans/create-or-update-comment@v4
         with:
@@ -213,7 +211,7 @@ jobs:
         id: app-token
         with:
           client-id: ${{ vars.APP_CLIENT_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
           permission-issues: write
       - uses: peter-evans/create-or-update-comment@v4
@@ -255,7 +253,7 @@ jobs:
         id: app-token
         with:
           client-id: ${{ vars.APP_CLIENT_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: ${{ matrix.owners-and-repos.owner }}
           repositories: ${{ join(matrix.owners-and-repos.repos) }}
       - uses: octokit/request-action@v2.x
@@ -313,23 +311,17 @@ If you set `HTTP_PROXY` or `HTTPS_PROXY`, also set `NODE_USE_ENV_PROXY: "1"` on
     NODE_USE_ENV_PROXY: "1"
   with:
     client-id: ${{ vars.APP_CLIENT_ID }}
-    private-key: ${{ secrets.PRIVATE_KEY }}
+    private-key: ${{ secrets.APP_PRIVATE_KEY }}
 ```
 
 ## Inputs
 
-### `client-id`
+### `client-id` or `app-id`
 
-**Optional:** GitHub App Client ID. This is the recommended input.
+**Required:** GitHub App Client ID.
 
-### `app-id`
-
-**Optional:** GitHub App ID.
-
-> [!WARNING]
-> `app-id` is deprecated. Use `client-id` instead.
-
-You must set either `client-id` or `app-id`. If both are set, `client-id` takes precedence.
+> [!NOTE]
+> The legacy `app-id` input is also accepted, but `client-id` is recommended.
 
 ### `private-key`
 
@@ -342,7 +334,7 @@ steps:
   - name: Decode the GitHub App Private Key
     id: decode
     run: |
-      private_key=$(echo "${{ secrets.PRIVATE_KEY }}" | base64 -d | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null
+      private_key=$(echo "${{ secrets.APP_PRIVATE_KEY }}" | base64 -d | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null
       echo "::add-mask::$private_key"
       echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
   - name: Generate GitHub App Token

action.yml

@@ -35,6 +35,10 @@ inputs:
     description: "The level of permission to grant the access token for GitHub Actions workflows, workflow runs, and artifacts. Can be set to 'read' or 'write'."
   permission-administration:
     description: "The level of permission to grant the access token for repository creation, deletion, settings, teams, and collaborators creation. Can be set to 'read' or 'write'."
+  permission-artifact-metadata:
+    description: "The level of permission to grant the access token to create and retrieve build artifact metadata records. Can be set to 'read' or 'write'."
+  permission-attestations:
+    description: "The level of permission to create and retrieve the access token for repository attestations. Can be set to 'read' or 'write'."
   permission-checks:
     description: "The level of permission to grant the access token for checks on code. Can be set to 'read' or 'write'."
   permission-codespaces:
@@ -47,6 +51,8 @@ inputs:
     description: "The level of permission to grant the access token to manage Dependabot secrets. Can be set to 'read' or 'write'."
   permission-deployments:
     description: "The level of permission to grant the access token for deployments and deployment statuses. Can be set to 'read' or 'write'."
+  permission-discussions:
+    description: "The level of permission to grant the access token for discussions and related comments and labels. Can be set to 'read' or 'write'."
   permission-email-addresses:
     description: "The level of permission to grant the access token to manage the email addresses belonging to a user. Can be set to 'read' or 'write'."
   permission-enterprise-custom-properties-for-organizations:
@@ -65,6 +71,8 @@ inputs:
     description: "The level of permission to grant the access token for issues and related comments, assignees, labels, and milestones. Can be set to 'read' or 'write'."
   permission-members:
     description: "The level of permission to grant the access token for organization teams and members. Can be set to 'read' or 'write'."
+  permission-merge-queues:
+    description: "The level of permission to grant the access token to manage the merge queues for a repository. Can be set to 'read' or 'write'."
   permission-metadata:
     description: "The level of permission to grant the access token to search repositories, list collaborators, and access repository metadata. Can be set to 'read' or 'write'."
   permission-organization-administration:

dist/main.cjs

@@ -22964,30 +22964,37 @@ var isError = (value) => objectToString.call(value) === "[object Error]";
 var errorMessages = /* @__PURE__ */ new Set([
   "network error",
   // Chrome
-  "Failed to fetch",
-  // Chrome
   "NetworkError when attempting to fetch resource.",
   // Firefox
   "The Internet connection appears to be offline.",
   // Safari 16
-  "Load failed",
-  // Safari 17+
   "Network request failed",
   // `cross-fetch`
   "fetch failed",
   // Undici (Node.js)
-  "terminated"
+  "terminated",
   // Undici (Node.js)
+  " A network error occurred.",
+  // Bun (WebKit)
+  "Network connection lost"
+  // Cloudflare Workers (fetch)
 ]);
 function isNetworkError(error2) {
   const isValid = error2 && isError(error2) && error2.name === "TypeError" && typeof error2.message === "string";
   if (!isValid) {
     return false;
   }
-  if (error2.message === "Load failed") {
-    return error2.stack === void 0;
+  const { message, stack } = error2;
+  if (message === "Load failed") {
+    return stack === void 0 || "__sentry_captured__" in error2;
   }
-  return errorMessages.has(error2.message);
+  if (message.startsWith("error sending request for url")) {
+    return true;
+  }
+  if (message === "Failed to fetch" || message.startsWith("Failed to fetch (") && message.endsWith(")")) {
+    return true;
+  }
+  return errorMessages.has(message);
 }
 
 // node_modules/p-retry/index.js
@@ -23017,6 +23024,14 @@ function validateNumberOption(name, value, { min = 0, allowInfinity = false } =
     throw new TypeError(`Expected \`${name}\` to be \u2265 ${min}.`);
   }
 }
+function validateFunctionOption(name, value) {
+  if (value === void 0) {
+    return;
+  }
+  if (typeof value !== "function") {
+    throw new TypeError(`Expected \`${name}\` to be a function.`);
+  }
+}
 var AbortError = class extends Error {
   constructor(message) {
     super();
@@ -23044,6 +23059,26 @@ function calculateRemainingTime(start, max) {
   }
   return max - (performance.now() - start);
 }
+async function delayForRetry(delay, options) {
+  if (delay <= 0) {
+    return;
+  }
+  await new Promise((resolve2, reject) => {
+    const onAbort = () => {
+      clearTimeout(timeoutToken);
+      options.signal?.removeEventListener("abort", onAbort);
+      reject(options.signal.reason);
+    };
+    const timeoutToken = setTimeout(() => {
+      options.signal?.removeEventListener("abort", onAbort);
+      resolve2();
+    }, delay);
+    if (options.unref) {
+      timeoutToken.unref?.();
+    }
+    options.signal?.addEventListener("abort", onAbort, { once: true });
+  });
+}
 async function onAttemptFailure({ error: error2, attemptNumber, retriesConsumed, startTime, options }) {
   const normalizedError = error2 instanceof Error ? error2 : new TypeError(`Non-error was thrown: "${error2}". You should only throw errors.`);
   if (normalizedError instanceof AbortError) {
@@ -23051,55 +23086,60 @@ async function onAttemptFailure({ error: error2, attemptNumber, retriesConsumed,
   }
   const retriesLeft = Number.isFinite(options.retries) ? Math.max(0, options.retries - retriesConsumed) : options.retries;
   const maxRetryTime = options.maxRetryTime ?? Number.POSITIVE_INFINITY;
+  const delayTime = calculateDelay(retriesConsumed, options);
+  const remainingTimeBeforeCallbacks = calculateRemainingTime(startTime, maxRetryTime);
+  if (remainingTimeBeforeCallbacks <= 0) {
+    const context2 = Object.freeze({
+      error: normalizedError,
+      attemptNumber,
+      retriesLeft,
+      retriesConsumed,
+      retryDelay: 0
+    });
+    await options.onFailedAttempt(context2);
+    throw normalizedError;
+  }
+  const consumeRetryContext = Object.freeze({
+    error: normalizedError,
+    attemptNumber,
+    retriesLeft,
+    retriesConsumed,
+    retryDelay: retriesLeft > 0 ? delayTime : 0
+  });
+  const consumeRetry = await options.shouldConsumeRetry(consumeRetryContext);
+  const effectiveDelay = consumeRetry && retriesLeft > 0 ? delayTime : 0;
   const context = Object.freeze({
     error: normalizedError,
     attemptNumber,
     retriesLeft,
-    retriesConsumed
+    retriesConsumed,
+    retryDelay: effectiveDelay
   });
   await options.onFailedAttempt(context);
   if (calculateRemainingTime(startTime, maxRetryTime) <= 0) {
     throw normalizedError;
   }
-  const consumeRetry = await options.shouldConsumeRetry(context);
   const remainingTime = calculateRemainingTime(startTime, maxRetryTime);
   if (remainingTime <= 0 || retriesLeft <= 0) {
     throw normalizedError;
   }
   if (normalizedError instanceof TypeError && !isNetworkError(normalizedError)) {
-    if (consumeRetry) {
-      throw normalizedError;
-    }
-    options.signal?.throwIfAborted();
-    return false;
+    throw normalizedError;
   }
   if (!await options.shouldRetry(context)) {
     throw normalizedError;
   }
+  const remainingTimeAfterShouldRetry = calculateRemainingTime(startTime, maxRetryTime);
+  if (remainingTimeAfterShouldRetry <= 0) {
+    throw normalizedError;
+  }
   if (!consumeRetry) {
     options.signal?.throwIfAborted();
     return false;
   }
-  const delayTime = calculateDelay(retriesConsumed, options);
-  const finalDelay = Math.min(delayTime, remainingTime);
+  const finalDelay = Math.min(effectiveDelay, remainingTimeAfterShouldRetry);
   options.signal?.throwIfAborted();
-  if (finalDelay > 0) {
-    await new Promise((resolve2, reject) => {
-      const onAbort = () => {
-        clearTimeout(timeoutToken);
-        options.signal?.removeEventListener("abort", onAbort);
-        reject(options.signal.reason);
-      };
-      const timeoutToken = setTimeout(() => {
-        options.signal?.removeEventListener("abort", onAbort);
-        resolve2();
-      }, finalDelay);
-      if (options.unref) {
-        timeoutToken.unref?.();
-      }
-      options.signal?.addEventListener("abort", onAbort, { once: true });
-    });
-  }
+  await delayForRetry(finalDelay, options);
   options.signal?.throwIfAborted();
   return true;
 }
@@ -23119,6 +23159,9 @@ async function pRetry(input, options = {}) {
   };
   options.shouldRetry ??= () => true;
   options.shouldConsumeRetry ??= () => true;
+  validateFunctionOption("onFailedAttempt", options.onFailedAttempt);
+  validateFunctionOption("shouldRetry", options.shouldRetry);
+  validateFunctionOption("shouldConsumeRetry", options.shouldConsumeRetry);
   validateNumberOption("factor", options.factor, { min: 0, allowInfinity: false });
   validateNumberOption("minTimeout", options.minTimeout, { min: 0, allowInfinity: false });
   validateNumberOption("maxTimeout", options.maxTimeout, { min: 0, allowInfinity: true });
@@ -23309,7 +23352,7 @@ async function run() {
   ensureNativeProxySupport();
   const clientId = getInput("client-id") || getInput("app-id");
   if (!clientId) {
-    throw new Error("Either 'client-id' or 'app-id' input must be set");
+    throw new Error("The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.");
   }
   const privateKey = getInput("private-key");
   const owner = getInput("owner");

main.js

@@ -20,7 +20,7 @@ async function run() {
 
   const clientId = core.getInput("client-id") || core.getInput("app-id");
   if (!clientId) {
-    throw new Error("Either 'client-id' or 'app-id' input must be set");
+    throw new Error("The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.");
   }
   const privateKey = core.getInput("private-key");
   const owner = core.getInput("owner");

package.json

@@ -2,7 +2,7 @@
   "name": "create-github-app-token",
   "private": true,
   "type": "module",
-  "version": "3.0.0",
+  "version": "3.1.1",
   "description": "GitHub Action for creating a GitHub App Installation Access Token",
   "engines": {
     "node": ">=24.4.0"
@@ -19,42 +19,14 @@
     "@actions/core": "^3.0.0",
     "@octokit/auth-app": "^8.2.0",
     "@octokit/request": "^10.0.8",
-    "p-retry": "^7.1.1"
+    "p-retry": "^8.0.0"
   },
   "devDependencies": {
-    "@octokit/openapi": "^21.0.0",
-    "c8": "^10.1.3",
-    "esbuild": "^0.27.3",
-    "open-cli": "^8.0.0",
-    "undici": "^7.24.1",
-    "yaml": "^2.8.2"
-  },
-  "release": {
-    "branches": [
-      "+([0-9]).x",
-      "main",
-      {
-        "name": "beta",
-        "prerelease": true
-      }
-    ],
-    "plugins": [
-      "@semantic-release/commit-analyzer",
-      "@semantic-release/release-notes-generator",
-      "@semantic-release/github",
-      "@semantic-release/npm",
-      "semantic-release-plugin-github-breaking-version-tag",
-      [
-        "@semantic-release/git",
-        {
-          "assets": [
-            "package.json",
-            "package-lock.json",
-            "dist/*"
-          ],
-          "message": "build(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
-        }
-      ]
-    ]
+    "@octokit/openapi": "^22.0.0",
+    "c8": "^11.0.0",
+    "esbuild": "^0.27.4",
+    "open-cli": "^9.0.0",
+    "undici": "^7.24.6",
+    "yaml": "^2.8.3"
   }
 }

release-please-config.beta.json

@@ -0,0 +1,12 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "packages": {
+    ".": {
+      "prerelease": true,
+      "prerelease-type": "beta",
+      "include-component-in-tag": false,
+      "release-type": "node",
+      "versioning": "prerelease"
+    }
+  }
+}

release-please-config.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "packages": {
+    ".": {
+      "include-component-in-tag": false,
+      "release-type": "node"
+    }
+  }
+}

scripts/generated/app-permissions.json

@@ -19,6 +19,22 @@
         "write"
       ]
     },
+    "artifact_metadata": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to create and retrieve build artifact metadata records.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "attestations": {
+      "type": "string",
+      "description": "The level of permission to create and retrieve the access token for repository attestations.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
     "checks": {
       "type": "string",
       "description": "The level of permission to grant the access token for checks on code.",
@@ -59,6 +75,14 @@
         "write"
       ]
     },
+    "discussions": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for discussions and related comments and labels.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
     "environments": {
       "type": "string",
       "description": "The level of permission to grant the access token for managing repository environments.",
@@ -75,6 +99,14 @@
         "write"
       ]
     },
+    "merge_queues": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage the merge queues for a repository.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
     "metadata": {
       "type": "string",
       "description": "The level of permission to grant the access token to search repositories, list collaborators, and access repository metadata.",

tests/README.md

@@ -32,5 +32,5 @@ node --test --test-update-snapshots tests/index.js
 
 We have tests both for the `main.js` and `post.js` scripts.
 
-- If you do not expect an error, take [main-token-permissions-set.test.js](tests/main-token-permissions-set.test.js) as a starting point.
-- If your test has an expected error, take [main-missing-client-and-app-id.test.js](tests/main-missing-client-and-app-id.test.js) as a starting point.
+- If you do not expect an error, take [main-token-permissions-set.test.js](main-token-permissions-set.test.js) as a starting point.
+- If your test has an expected error, take [main-missing-client-and-app-id.test.js](main-missing-client-and-app-id.test.js) as a starting point.

tests/index.js.snapshot

@@ -2,7 +2,24 @@ exports[`action-deprecated-inputs.test.js > stdout 1`] = `
 app-id — Use 'client-id' instead.
 `;
 
-exports[`main-client-id.test.js > stdout 1`] = `
+exports[`main-app-id-fallback.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-client-id-precedence.test.js > stdout 1`] = `
 Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
 ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
 
@@ -39,16 +56,11 @@ POST /api/v3/app/installations/123456/access_tokens
 `;
 
 exports[`main-missing-client-and-app-id.test.js > stderr 1`] = `
-Error: Either 'client-id' or 'app-id' input must be set
-    at run (file:///home/runner/work/create-github-app-token/create-github-app-token/main.js:23:11)
-    at file:///home/runner/work/create-github-app-token/create-github-app-token/main.js:51:16
-    at ModuleJob.run (node:internal/modules/esm/module_job:430:25)
-    at async onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:661:26)
-    at async file:///home/runner/work/create-github-app-token/create-github-app-token/tests/main-missing-client-and-app-id.test.js:12:30
+The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.
 `;
 
 exports[`main-missing-client-and-app-id.test.js > stdout 1`] = `
-::error::Either 'client-id' or 'app-id' input must be set
+::error::The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.
 `;
 
 exports[`main-missing-owner.test.js > stderr 1`] = `

tests/main-app-id-fallback.test.js

@@ -0,0 +1,11 @@
+import { DEFAULT_ENV, test } from "./main.js";
+
+// Verify `main` falls back to `app-id` when `client-id` is not set
+await test(
+  () => {},
+  {
+    ...DEFAULT_ENV,
+    "INPUT_CLIENT-ID": "",
+    "INPUT_APP-ID": "123456",
+  }
+);

tests/main-client-id-precedence.test.js

@@ -1,11 +1,11 @@
 import { DEFAULT_ENV, test } from "./main.js";
 
-// Verify `main` accepts a GitHub App client ID via the `client-id` input
+// Verify `client-id` takes precedence when both `client-id` and `app-id` are set
 await test(
   () => {},
   {
     ...DEFAULT_ENV,
     "INPUT_CLIENT-ID": "Iv1.0123456789abcdef",
-    "INPUT_APP-ID": "",
+    "INPUT_APP-ID": "123456",
   }
 );

tests/main-missing-client-and-app-id.test.js

@@ -8,6 +8,12 @@ for (const [key, value] of Object.entries({
   process.env[key] = value;
 }
 
+// Log only the error message, not the full stack trace, because the stack
+// trace contains environment-specific paths and ANSI codes that differ
+// between local and CI environments.
+const _error = console.error;
+console.error = (err) => _error(err?.message ?? err);
+
 // Verify `main` exits with an error when neither `client-id` nor `app-id` is set.
 const { default: promise } = await import("../main.js");
 await promise;

tests/main.js

@@ -9,7 +9,7 @@ export const DEFAULT_ENV = {
   // https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
   "INPUT_GITHUB-API-URL": "https://api.github.com",
   "INPUT_SKIP-TOKEN-REVOKE": "false",
-  "INPUT_APP-ID": "123456",
+  "INPUT_CLIENT-ID": "Iv1.0123456789abcdef",
   // This key is invalidated. It’s from https://github.com/octokit/auth-app.js/issues/465#issuecomment-1564998327.
   "INPUT_PRIVATE-KEY": `-----BEGIN RSA PRIVATE KEY-----
 MIIEowIBAAKCAQEA280nfuUM9w00Ib9E2rvZJ6Qu3Ua3IqR34ZlK53vn/Iobn2EL