build(release): 2.1.2 [skip ci]

## [2.1.2](https://github.com/actions/create-github-app-token/compare/v2.1.1...v2.1.2) (2025-09-12)

### Bug Fixes

* **deps:** bump @octokit/request from 9.2.3 to 10.0.2 ([#256](https://github.com/actions/create-github-app-token/issues/256)) ([5d7307b](https://github.com/actions/create-github-app-token/commit/5d7307be63501c0070c634b0ae8fec74e8208130))

.github/workflows/publish-immutable-action.yml

@@ -12,6 +12,6 @@ jobs:
       id-token: write
       packages: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Publish Immutable Action
         uses: actions/publish-immutable-action@v0.0.4

.github/workflows/release.yml

@@ -3,7 +3,9 @@ name: release
 on:
   push:
     branches:
+      - "*.x"
       - main
+      - beta
 
 permissions:
   contents: write
@@ -16,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # build local version to create token
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           persist-credentials: false
 

.github/workflows/test.yml

@@ -11,12 +11,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   integration:
     name: Integration
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: actions/setup-node@v4
         with:
@@ -32,7 +35,7 @@ jobs:
     # do not run from forks, as forks don’t have access to repository secrets
     if: github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-node@v4
         with:
           node-version: 20

.github/workflows/update-permission-inputs.yml

@@ -0,0 +1,33 @@
+name: Update Permission Inputs
+
+on:
+  pull_request:
+    paths:
+      - 'package.json'
+      - 'package-lock.json'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write
+
+jobs:
+  update-permission-inputs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: .node-version
+          cache: 'npm'
+      - name: Install dependencies
+        run: npm ci
+      - name: Run permission inputs update script
+        run: node scripts/update-permission-inputs.js
+      - name: Commit changes
+        uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
+        with:
+          commit_message: 'feat: update permission inputs'

CONTRIBUTING.md

@@ -12,4 +12,4 @@ Run tests locally
 npm test
 ```
 
-Learn more about how the tests work in [test/README.md](test/README.md).
+Learn more about how the tests work in [tests/README.md](tests/README.md).

README.md

@@ -8,9 +8,9 @@ GitHub Action for creating a GitHub App installation access token.
 
 In order to use this action, you need to:
 
-1. [Register new GitHub App](https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app)
+1. [Register new GitHub App](https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app).
-2. [Store the App's ID in your repository environment variables](https://docs.github.com/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_ID`)
+2. [Store the App's ID or Client ID in your repository environment variables](https://docs.github.com/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_ID`).
-3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets?tool=webui#creating-encrypted-secrets-for-a-repository) (example: `PRIVATE_KEY`)
+3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets?tool=webui#creating-encrypted-secrets-for-a-repository) (example: `PRIVATE_KEY`).
 
 > [!IMPORTANT]  
 > An installation access token expires after 1 hour. Please [see this comment](https://github.com/actions/create-github-app-token/issues/121#issuecomment-2043214796) for alternative approaches if you have long-running processes.
@@ -28,7 +28,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -47,7 +47,7 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           # required
@@ -73,7 +73,7 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           # required
@@ -98,7 +98,7 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           # required
@@ -135,7 +135,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -157,7 +157,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -182,7 +182,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -207,7 +207,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -249,7 +249,7 @@ jobs:
         owners-and-repos: ${{ fromJson(needs.set-matrix.outputs.matrix) }}
 
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -279,7 +279,7 @@ jobs:
     steps:
       - name: Create GitHub App token
         id: create_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ vars.GHES_APP_ID }}
           private-key: ${{ secrets.GHES_APP_PRIVATE_KEY }}
@@ -318,7 +318,7 @@ steps:
       echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
   - name: Generate GitHub App Token
     id: app-token
-    uses: actions/create-github-app-token@v1
+    uses: actions/create-github-app-token@v2
     with:
       app-id: ${{ vars.APP_ID }}
       private-key: ${{ steps.decode.outputs.private-key }}
@@ -343,7 +343,7 @@ The reason we define one `permision-<permission name>` input per permission is t
 
 ### `skip-token-revoke`
 
-**Optional:** If truthy, the token will not be revoked when the current job is complete.
+**Optional:** If true, the token will not be revoked when the current job is complete.
 
 ### `github-api-url`
 
@@ -370,7 +370,7 @@ The action creates an installation access token using [the `POST /app/installati
 1. The token is scoped to the current repository or `repositories` if set.
 2. The token inherits all the installation's permissions.
 3. The token is set as output `token` which can be used in subsequent steps.
-4. Unless the `skip-token-revoke` input is set to a truthy value, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
+4. Unless the `skip-token-revoke` input is set to true, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
 5. The token is masked, it cannot be logged accidentally.
 
 > [!NOTE]

action.yml

@@ -7,18 +7,10 @@ branding:
 inputs:
   app-id:
     description: "GitHub App ID"
-    required: false # TODO: When 'app_id' is removed, make 'app-id' required
+    required: true
-  app_id:
-    description: "GitHub App ID"
-    required: false
-    deprecationMessage: "'app_id' is deprecated and will be removed in a future version. Use 'app-id' instead."
   private-key:
     description: "GitHub App private key"
-    required: false # TODO: When 'private_key' is removed, make 'private-key' required
+    required: true
-  private_key:
-    description: "GitHub App private key"
-    required: false
-    deprecationMessage: "'private_key' is deprecated and will be removed in a future version. Use 'private-key' instead."
   owner:
     description: "The owner of the GitHub App installation (defaults to current repository owner)"
     required: false
@@ -26,12 +18,9 @@ inputs:
     description: "Comma or newline-separated list of repositories to install the GitHub App on (defaults to current repository if owner is unset)"
     required: false
   skip-token-revoke:
-    description: "If truthy, the token will not be revoked when the current job is complete"
+    description: "If true, the token will not be revoked when the current job is complete"
     required: false
-  skip_token_revoke:
+    default: "false"
-    description: "If truthy, the token will not be revoked when the current job is complete"
-    required: false
-    deprecationMessage: "'skip_token_revoke' is deprecated and will be removed in a future version. Use 'skip-token-revoke' instead."
   # Make GitHub API configurable to support non-GitHub Cloud use cases
   # see https://github.com/actions/create-github-app-token/issues/77
   github-api-url:
@@ -49,7 +38,7 @@ inputs:
   permission-contents:
     description: "The level of permission to grant the access token for repository contents, commits, branches, downloads, releases, and merges. Can be set to 'read' or 'write'."
   permission-dependabot-secrets:
-    description: "The leve of permission to grant the access token to manage Dependabot secrets. Can be set to 'read' or 'write'."
+    description: "The level of permission to grant the access token to manage Dependabot secrets. Can be set to 'read' or 'write'."
   permission-deployments:
     description: "The level of permission to grant the access token for deployments and deployment statuses. Can be set to 'read' or 'write'."
   permission-email-addresses:

badges/coverage.svg

@@ -1,25 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="106"
-    height="20" role="img" aria-label="Coverage: 100%">
-    <title>Coverage: 100%</title>
-    <linearGradient id="s" x2="0" y2="100%">
-        <stop offset="0" stop-color="#bbb" stop-opacity=".1" />
-        <stop offset="1" stop-opacity=".1" />
-    </linearGradient>
-    <clipPath id="r">
-        <rect width="106" height="20" rx="3" fill="#fff" />
-    </clipPath>
-    <g clip-path="url(#r)">
-        <rect width="63" height="20" fill="#555" />
-        <rect x="63" width="43" height="20" fill="#4c1" />
-        <rect width="106" height="20" fill="url(#s)" />
-    </g>
-    <g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif"
-        text-rendering="geometricPrecision" font-size="110">
-        <text aria-hidden="true" x="325" y="150" fill="#010101" fill-opacity=".3"
-            transform="scale(.1)" textLength="530">Coverage</text>
-        <text x="325" y="140" transform="scale(.1)" fill="#fff" textLength="530">Coverage</text>
-        <text aria-hidden="true" x="835" y="150" fill="#010101" fill-opacity=".3"
-            transform="scale(.1)" textLength="330">100%</text>
-        <text x="835" y="140" transform="scale(.1)" fill="#fff" textLength="330">100%</text>
-    </g>
-</svg>

dist/post.cjs

@@ -19963,6 +19963,237 @@ var require_symbols6 = __commonJS({
   }
 });
 
+// node_modules/undici/lib/util/timers.js
+var require_timers2 = __commonJS({
+  "node_modules/undici/lib/util/timers.js"(exports2, module2) {
+    "use strict";
+    var fastNow = 0;
+    var RESOLUTION_MS = 1e3;
+    var TICK_MS = (RESOLUTION_MS >> 1) - 1;
+    var fastNowTimeout;
+    var kFastTimer = Symbol("kFastTimer");
+    var fastTimers = [];
+    var NOT_IN_LIST = -2;
+    var TO_BE_CLEARED = -1;
+    var PENDING = 0;
+    var ACTIVE = 1;
+    function onTick() {
+      fastNow += TICK_MS;
+      let idx = 0;
+      let len = fastTimers.length;
+      while (idx < len) {
+        const timer = fastTimers[idx];
+        if (timer._state === PENDING) {
+          timer._idleStart = fastNow - TICK_MS;
+          timer._state = ACTIVE;
+        } else if (timer._state === ACTIVE && fastNow >= timer._idleStart + timer._idleTimeout) {
+          timer._state = TO_BE_CLEARED;
+          timer._idleStart = -1;
+          timer._onTimeout(timer._timerArg);
+        }
+        if (timer._state === TO_BE_CLEARED) {
+          timer._state = NOT_IN_LIST;
+          if (--len !== 0) {
+            fastTimers[idx] = fastTimers[len];
+          }
+        } else {
+          ++idx;
+        }
+      }
+      fastTimers.length = len;
+      if (fastTimers.length !== 0) {
+        refreshTimeout();
+      }
+    }
+    function refreshTimeout() {
+      if (fastNowTimeout) {
+        fastNowTimeout.refresh();
+      } else {
+        clearTimeout(fastNowTimeout);
+        fastNowTimeout = setTimeout(onTick, TICK_MS);
+        if (fastNowTimeout.unref) {
+          fastNowTimeout.unref();
+        }
+      }
+    }
+    var FastTimer = class {
+      [kFastTimer] = true;
+      /**
+       * The state of the timer, which can be one of the following:
+       * - NOT_IN_LIST (-2)
+       * - TO_BE_CLEARED (-1)
+       * - PENDING (0)
+       * - ACTIVE (1)
+       *
+       * @type {-2|-1|0|1}
+       * @private
+       */
+      _state = NOT_IN_LIST;
+      /**
+       * The number of milliseconds to wait before calling the callback.
+       *
+       * @type {number}
+       * @private
+       */
+      _idleTimeout = -1;
+      /**
+       * The time in milliseconds when the timer was started. This value is used to
+       * calculate when the timer should expire.
+       *
+       * @type {number}
+       * @default -1
+       * @private
+       */
+      _idleStart = -1;
+      /**
+       * The function to be executed when the timer expires.
+       * @type {Function}
+       * @private
+       */
+      _onTimeout;
+      /**
+       * The argument to be passed to the callback when the timer expires.
+       *
+       * @type {*}
+       * @private
+       */
+      _timerArg;
+      /**
+       * @constructor
+       * @param {Function} callback A function to be executed after the timer
+       * expires.
+       * @param {number} delay The time, in milliseconds that the timer should wait
+       * before the specified function or code is executed.
+       * @param {*} arg
+       */
+      constructor(callback, delay, arg) {
+        this._onTimeout = callback;
+        this._idleTimeout = delay;
+        this._timerArg = arg;
+        this.refresh();
+      }
+      /**
+       * Sets the timer's start time to the current time, and reschedules the timer
+       * to call its callback at the previously specified duration adjusted to the
+       * current time.
+       * Using this on a timer that has already called its callback will reactivate
+       * the timer.
+       *
+       * @returns {void}
+       */
+      refresh() {
+        if (this._state === NOT_IN_LIST) {
+          fastTimers.push(this);
+        }
+        if (!fastNowTimeout || fastTimers.length === 1) {
+          refreshTimeout();
+        }
+        this._state = PENDING;
+      }
+      /**
+       * The `clear` method cancels the timer, preventing it from executing.
+       *
+       * @returns {void}
+       * @private
+       */
+      clear() {
+        this._state = TO_BE_CLEARED;
+        this._idleStart = -1;
+      }
+    };
+    module2.exports = {
+      /**
+       * The setTimeout() method sets a timer which executes a function once the
+       * timer expires.
+       * @param {Function} callback A function to be executed after the timer
+       * expires.
+       * @param {number} delay The time, in milliseconds that the timer should
+       * wait before the specified function or code is executed.
+       * @param {*} [arg] An optional argument to be passed to the callback function
+       * when the timer expires.
+       * @returns {NodeJS.Timeout|FastTimer}
+       */
+      setTimeout(callback, delay, arg) {
+        return delay <= RESOLUTION_MS ? setTimeout(callback, delay, arg) : new FastTimer(callback, delay, arg);
+      },
+      /**
+       * The clearTimeout method cancels an instantiated Timer previously created
+       * by calling setTimeout.
+       *
+       * @param {NodeJS.Timeout|FastTimer} timeout
+       */
+      clearTimeout(timeout) {
+        if (timeout[kFastTimer]) {
+          timeout.clear();
+        } else {
+          clearTimeout(timeout);
+        }
+      },
+      /**
+       * The setFastTimeout() method sets a fastTimer which executes a function once
+       * the timer expires.
+       * @param {Function} callback A function to be executed after the timer
+       * expires.
+       * @param {number} delay The time, in milliseconds that the timer should
+       * wait before the specified function or code is executed.
+       * @param {*} [arg] An optional argument to be passed to the callback function
+       * when the timer expires.
+       * @returns {FastTimer}
+       */
+      setFastTimeout(callback, delay, arg) {
+        return new FastTimer(callback, delay, arg);
+      },
+      /**
+       * The clearTimeout method cancels an instantiated FastTimer previously
+       * created by calling setFastTimeout.
+       *
+       * @param {FastTimer} timeout
+       */
+      clearFastTimeout(timeout) {
+        timeout.clear();
+      },
+      /**
+       * The now method returns the value of the internal fast timer clock.
+       *
+       * @returns {number}
+       */
+      now() {
+        return fastNow;
+      },
+      /**
+       * Trigger the onTick function to process the fastTimers array.
+       * Exported for testing purposes only.
+       * Marking as deprecated to discourage any use outside of testing.
+       * @deprecated
+       * @param {number} [delay=0] The delay in milliseconds to add to the now value.
+       */
+      tick(delay = 0) {
+        fastNow += delay - RESOLUTION_MS + 1;
+        onTick();
+        onTick();
+      },
+      /**
+       * Reset FastTimers.
+       * Exported for testing purposes only.
+       * Marking as deprecated to discourage any use outside of testing.
+       * @deprecated
+       */
+      reset() {
+        fastNow = 0;
+        fastTimers.length = 0;
+        clearTimeout(fastNowTimeout);
+        fastNowTimeout = null;
+      },
+      /**
+       * Exporting for testing purposes only.
+       * Marking as deprecated to discourage any use outside of testing.
+       * @deprecated
+       */
+      kFastTimer
+    };
+  }
+});
+
 // node_modules/undici/lib/core/errors.js
 var require_errors2 = __commonJS({
   "node_modules/undici/lib/core/errors.js"(exports2, module2) {
@@ -20472,10 +20703,11 @@ var require_util8 = __commonJS({
     var nodeUtil = require("node:util");
     var { stringify } = require("node:querystring");
     var { EventEmitter: EE } = require("node:events");
-    var { InvalidArgumentError } = require_errors2();
+    var timers = require_timers2();
+    var { InvalidArgumentError, ConnectTimeoutError } = require_errors2();
     var { headerNameLowerCasedRecord } = require_constants6();
     var { tree } = require_tree();
-    var [nodeMajor, nodeMinor] = process.versions.node.split(".").map((v) => Number(v));
+    var [nodeMajor, nodeMinor] = process.versions.node.split(".", 2).map((v) => Number(v));
     var BodyAsyncIterable = class {
       constructor(body) {
         this[kBody] = body;
@@ -20487,6 +20719,8 @@ var require_util8 = __commonJS({
         yield* this[kBody];
       }
     };
+    function noop() {
+    }
     function wrapRequestBody(body) {
       if (isStream(body)) {
         if (bodyLength(body) === 0) {
@@ -20907,6 +21141,50 @@ var require_util8 = __commonJS({
         client.emit("error", err2);
       }
     }
+    var setupConnectTimeout = process.platform === "win32" ? (socketWeakRef, opts) => {
+      if (!opts.timeout) {
+        return noop;
+      }
+      let s1 = null;
+      let s2 = null;
+      const fastTimer = timers.setFastTimeout(() => {
+        s1 = setImmediate(() => {
+          s2 = setImmediate(() => onConnectTimeout(socketWeakRef.deref(), opts));
+        });
+      }, opts.timeout);
+      return () => {
+        timers.clearFastTimeout(fastTimer);
+        clearImmediate(s1);
+        clearImmediate(s2);
+      };
+    } : (socketWeakRef, opts) => {
+      if (!opts.timeout) {
+        return noop;
+      }
+      let s1 = null;
+      const fastTimer = timers.setFastTimeout(() => {
+        s1 = setImmediate(() => {
+          onConnectTimeout(socketWeakRef.deref(), opts);
+        });
+      }, opts.timeout);
+      return () => {
+        timers.clearFastTimeout(fastTimer);
+        clearImmediate(s1);
+      };
+    };
+    function onConnectTimeout(socket, opts) {
+      if (socket == null) {
+        return;
+      }
+      let message = "Connect Timeout Error";
+      if (Array.isArray(socket.autoSelectFamilyAttemptedAddresses)) {
+        message += ` (attempted addresses: ${socket.autoSelectFamilyAttemptedAddresses.join(", ")},`;
+      } else {
+        message += ` (attempted address: ${opts.hostname}:${opts.port},`;
+      }
+      message += ` timeout: ${opts.timeout}ms)`;
+      destroy(socket, new ConnectTimeoutError(message));
+    }
     var kEnumerableProperty = /* @__PURE__ */ Object.create(null);
     kEnumerableProperty.enumerable = true;
     var normalizedMethodRecordsBase = {
@@ -20973,7 +21251,8 @@ var require_util8 = __commonJS({
       nodeMajor,
       nodeMinor,
       safeHTTPMethods: Object.freeze(["GET", "HEAD", "OPTIONS", "TRACE"]),
-      wrapRequestBody
+      wrapRequestBody,
+      setupConnectTimeout
     };
   }
 });
@@ -21839,237 +22118,6 @@ var require_dispatcher_base2 = __commonJS({
   }
 });
 
-// node_modules/undici/lib/util/timers.js
-var require_timers2 = __commonJS({
-  "node_modules/undici/lib/util/timers.js"(exports2, module2) {
-    "use strict";
-    var fastNow = 0;
-    var RESOLUTION_MS = 1e3;
-    var TICK_MS = (RESOLUTION_MS >> 1) - 1;
-    var fastNowTimeout;
-    var kFastTimer = Symbol("kFastTimer");
-    var fastTimers = [];
-    var NOT_IN_LIST = -2;
-    var TO_BE_CLEARED = -1;
-    var PENDING = 0;
-    var ACTIVE = 1;
-    function onTick() {
-      fastNow += TICK_MS;
-      let idx = 0;
-      let len = fastTimers.length;
-      while (idx < len) {
-        const timer = fastTimers[idx];
-        if (timer._state === PENDING) {
-          timer._idleStart = fastNow - TICK_MS;
-          timer._state = ACTIVE;
-        } else if (timer._state === ACTIVE && fastNow >= timer._idleStart + timer._idleTimeout) {
-          timer._state = TO_BE_CLEARED;
-          timer._idleStart = -1;
-          timer._onTimeout(timer._timerArg);
-        }
-        if (timer._state === TO_BE_CLEARED) {
-          timer._state = NOT_IN_LIST;
-          if (--len !== 0) {
-            fastTimers[idx] = fastTimers[len];
-          }
-        } else {
-          ++idx;
-        }
-      }
-      fastTimers.length = len;
-      if (fastTimers.length !== 0) {
-        refreshTimeout();
-      }
-    }
-    function refreshTimeout() {
-      if (fastNowTimeout) {
-        fastNowTimeout.refresh();
-      } else {
-        clearTimeout(fastNowTimeout);
-        fastNowTimeout = setTimeout(onTick, TICK_MS);
-        if (fastNowTimeout.unref) {
-          fastNowTimeout.unref();
-        }
-      }
-    }
-    var FastTimer = class {
-      [kFastTimer] = true;
-      /**
-       * The state of the timer, which can be one of the following:
-       * - NOT_IN_LIST (-2)
-       * - TO_BE_CLEARED (-1)
-       * - PENDING (0)
-       * - ACTIVE (1)
-       *
-       * @type {-2|-1|0|1}
-       * @private
-       */
-      _state = NOT_IN_LIST;
-      /**
-       * The number of milliseconds to wait before calling the callback.
-       *
-       * @type {number}
-       * @private
-       */
-      _idleTimeout = -1;
-      /**
-       * The time in milliseconds when the timer was started. This value is used to
-       * calculate when the timer should expire.
-       *
-       * @type {number}
-       * @default -1
-       * @private
-       */
-      _idleStart = -1;
-      /**
-       * The function to be executed when the timer expires.
-       * @type {Function}
-       * @private
-       */
-      _onTimeout;
-      /**
-       * The argument to be passed to the callback when the timer expires.
-       *
-       * @type {*}
-       * @private
-       */
-      _timerArg;
-      /**
-       * @constructor
-       * @param {Function} callback A function to be executed after the timer
-       * expires.
-       * @param {number} delay The time, in milliseconds that the timer should wait
-       * before the specified function or code is executed.
-       * @param {*} arg
-       */
-      constructor(callback, delay, arg) {
-        this._onTimeout = callback;
-        this._idleTimeout = delay;
-        this._timerArg = arg;
-        this.refresh();
-      }
-      /**
-       * Sets the timer's start time to the current time, and reschedules the timer
-       * to call its callback at the previously specified duration adjusted to the
-       * current time.
-       * Using this on a timer that has already called its callback will reactivate
-       * the timer.
-       *
-       * @returns {void}
-       */
-      refresh() {
-        if (this._state === NOT_IN_LIST) {
-          fastTimers.push(this);
-        }
-        if (!fastNowTimeout || fastTimers.length === 1) {
-          refreshTimeout();
-        }
-        this._state = PENDING;
-      }
-      /**
-       * The `clear` method cancels the timer, preventing it from executing.
-       *
-       * @returns {void}
-       * @private
-       */
-      clear() {
-        this._state = TO_BE_CLEARED;
-        this._idleStart = -1;
-      }
-    };
-    module2.exports = {
-      /**
-       * The setTimeout() method sets a timer which executes a function once the
-       * timer expires.
-       * @param {Function} callback A function to be executed after the timer
-       * expires.
-       * @param {number} delay The time, in milliseconds that the timer should
-       * wait before the specified function or code is executed.
-       * @param {*} [arg] An optional argument to be passed to the callback function
-       * when the timer expires.
-       * @returns {NodeJS.Timeout|FastTimer}
-       */
-      setTimeout(callback, delay, arg) {
-        return delay <= RESOLUTION_MS ? setTimeout(callback, delay, arg) : new FastTimer(callback, delay, arg);
-      },
-      /**
-       * The clearTimeout method cancels an instantiated Timer previously created
-       * by calling setTimeout.
-       *
-       * @param {NodeJS.Timeout|FastTimer} timeout
-       */
-      clearTimeout(timeout) {
-        if (timeout[kFastTimer]) {
-          timeout.clear();
-        } else {
-          clearTimeout(timeout);
-        }
-      },
-      /**
-       * The setFastTimeout() method sets a fastTimer which executes a function once
-       * the timer expires.
-       * @param {Function} callback A function to be executed after the timer
-       * expires.
-       * @param {number} delay The time, in milliseconds that the timer should
-       * wait before the specified function or code is executed.
-       * @param {*} [arg] An optional argument to be passed to the callback function
-       * when the timer expires.
-       * @returns {FastTimer}
-       */
-      setFastTimeout(callback, delay, arg) {
-        return new FastTimer(callback, delay, arg);
-      },
-      /**
-       * The clearTimeout method cancels an instantiated FastTimer previously
-       * created by calling setFastTimeout.
-       *
-       * @param {FastTimer} timeout
-       */
-      clearFastTimeout(timeout) {
-        timeout.clear();
-      },
-      /**
-       * The now method returns the value of the internal fast timer clock.
-       *
-       * @returns {number}
-       */
-      now() {
-        return fastNow;
-      },
-      /**
-       * Trigger the onTick function to process the fastTimers array.
-       * Exported for testing purposes only.
-       * Marking as deprecated to discourage any use outside of testing.
-       * @deprecated
-       * @param {number} [delay=0] The delay in milliseconds to add to the now value.
-       */
-      tick(delay = 0) {
-        fastNow += delay - RESOLUTION_MS + 1;
-        onTick();
-        onTick();
-      },
-      /**
-       * Reset FastTimers.
-       * Exported for testing purposes only.
-       * Marking as deprecated to discourage any use outside of testing.
-       * @deprecated
-       */
-      reset() {
-        fastNow = 0;
-        fastTimers.length = 0;
-        clearTimeout(fastNowTimeout);
-        fastNowTimeout = null;
-      },
-      /**
-       * Exporting for testing purposes only.
-       * Marking as deprecated to discourage any use outside of testing.
-       * @deprecated
-       */
-      kFastTimer
-    };
-  }
-});
-
 // node_modules/undici/lib/core/connect.js
 var require_connect2 = __commonJS({
   "node_modules/undici/lib/core/connect.js"(exports2, module2) {
@@ -22077,10 +22125,7 @@ var require_connect2 = __commonJS({
     var net = require("node:net");
     var assert = require("node:assert");
     var util = require_util8();
-    var { InvalidArgumentError, ConnectTimeoutError } = require_errors2();
+    var { InvalidArgumentError } = require_errors2();
-    var timers = require_timers2();
-    function noop() {
-    }
     var tls;
     var SessionCache;
     if (global.FinalizationRegistry && !(process.env.NODE_V8_COVERAGE || process.env.UNDICI_NO_FG)) {
@@ -22157,7 +22202,6 @@ var require_connect2 = __commonJS({
             servername,
             session,
             localAddress,
-            // TODO(HTTP/2): Add support for h2c
             ALPNProtocols: allowH2 ? ["http/1.1", "h2"] : ["http/1.1"],
             socket: httpSocket,
             // upgrade socket connection
@@ -22183,7 +22227,7 @@ var require_connect2 = __commonJS({
           const keepAliveInitialDelay = options.keepAliveInitialDelay === void 0 ? 6e4 : options.keepAliveInitialDelay;
           socket.setKeepAlive(true, keepAliveInitialDelay);
         }
-        const clearConnectTimeout = setupConnectTimeout(new WeakRef(socket), { timeout, hostname, port });
+        const clearConnectTimeout = util.setupConnectTimeout(new WeakRef(socket), { timeout, hostname, port });
         socket.setNoDelay(true).once(protocol === "https:" ? "secureConnect" : "connect", function() {
           queueMicrotask(clearConnectTimeout);
           if (callback) {
@@ -22202,50 +22246,6 @@ var require_connect2 = __commonJS({
         return socket;
       };
     }
-    var setupConnectTimeout = process.platform === "win32" ? (socketWeakRef, opts) => {
-      if (!opts.timeout) {
-        return noop;
-      }
-      let s1 = null;
-      let s2 = null;
-      const fastTimer = timers.setFastTimeout(() => {
-        s1 = setImmediate(() => {
-          s2 = setImmediate(() => onConnectTimeout(socketWeakRef.deref(), opts));
-        });
-      }, opts.timeout);
-      return () => {
-        timers.clearFastTimeout(fastTimer);
-        clearImmediate(s1);
-        clearImmediate(s2);
-      };
-    } : (socketWeakRef, opts) => {
-      if (!opts.timeout) {
-        return noop;
-      }
-      let s1 = null;
-      const fastTimer = timers.setFastTimeout(() => {
-        s1 = setImmediate(() => {
-          onConnectTimeout(socketWeakRef.deref(), opts);
-        });
-      }, opts.timeout);
-      return () => {
-        timers.clearFastTimeout(fastTimer);
-        clearImmediate(s1);
-      };
-    };
-    function onConnectTimeout(socket, opts) {
-      if (socket == null) {
-        return;
-      }
-      let message = "Connect Timeout Error";
-      if (Array.isArray(socket.autoSelectFamilyAttemptedAddresses)) {
-        message += ` (attempted addresses: ${socket.autoSelectFamilyAttemptedAddresses.join(", ")},`;
-      } else {
-        message += ` (attempted address: ${opts.hostname}:${opts.port},`;
-      }
-      message += ` timeout: ${opts.timeout}ms)`;
-      util.destroy(socket, new ConnectTimeoutError(message));
-    }
     module2.exports = buildConnector;
   }
 });
@@ -26929,6 +26929,7 @@ var require_client_h2 = __commonJS({
       }
       assert(client[kRunning] === 0);
       client.emit("disconnect", client[kUrl], [client], err);
+      client.emit("connectionError", client[kUrl], [client], err);
       client[kResume]();
     }
     function onHttp2SessionClose() {
@@ -29013,6 +29014,101 @@ var require_retry_agent = __commonJS({
   }
 });
 
+// node_modules/undici/lib/dispatcher/h2c-client.js
+var require_h2c_client = __commonJS({
+  "node_modules/undici/lib/dispatcher/h2c-client.js"(exports2, module2) {
+    "use strict";
+    var { connect } = require("node:net");
+    var { kClose, kDestroy } = require_symbols6();
+    var { InvalidArgumentError } = require_errors2();
+    var util = require_util8();
+    var Client = require_client2();
+    var DispatcherBase = require_dispatcher_base2();
+    var H2CClient = class extends DispatcherBase {
+      #client = null;
+      constructor(origin, clientOpts) {
+        super();
+        if (typeof origin === "string") {
+          origin = new URL(origin);
+        }
+        if (origin.protocol !== "http:") {
+          throw new InvalidArgumentError(
+            "h2c-client: Only h2c protocol is supported"
+          );
+        }
+        const { connect: connect2, maxConcurrentStreams, pipelining, ...opts } = clientOpts ?? {};
+        let defaultMaxConcurrentStreams = 100;
+        let defaultPipelining = 100;
+        if (maxConcurrentStreams != null && Number.isInteger(maxConcurrentStreams) && maxConcurrentStreams > 0) {
+          defaultMaxConcurrentStreams = maxConcurrentStreams;
+        }
+        if (pipelining != null && Number.isInteger(pipelining) && pipelining > 0) {
+          defaultPipelining = pipelining;
+        }
+        if (defaultPipelining > defaultMaxConcurrentStreams) {
+          throw new InvalidArgumentError(
+            "h2c-client: pipelining cannot be greater than maxConcurrentStreams"
+          );
+        }
+        this.#client = new Client(origin, {
+          ...opts,
+          connect: this.#buildConnector(connect2),
+          maxConcurrentStreams: defaultMaxConcurrentStreams,
+          pipelining: defaultPipelining,
+          allowH2: true
+        });
+      }
+      #buildConnector(connectOpts) {
+        return (opts, callback) => {
+          const timeout = connectOpts?.connectOpts ?? 1e4;
+          const { hostname, port, pathname } = opts;
+          const socket = connect({
+            ...opts,
+            host: hostname,
+            port,
+            pathname
+          });
+          if (opts.keepAlive == null || opts.keepAlive) {
+            const keepAliveInitialDelay = opts.keepAliveInitialDelay == null ? 6e4 : opts.keepAliveInitialDelay;
+            socket.setKeepAlive(true, keepAliveInitialDelay);
+          }
+          socket.alpnProtocol = "h2";
+          const clearConnectTimeout = util.setupConnectTimeout(
+            new WeakRef(socket),
+            { timeout, hostname, port }
+          );
+          socket.setNoDelay(true).once("connect", function() {
+            queueMicrotask(clearConnectTimeout);
+            if (callback) {
+              const cb = callback;
+              callback = null;
+              cb(null, this);
+            }
+          }).on("error", function(err) {
+            queueMicrotask(clearConnectTimeout);
+            if (callback) {
+              const cb = callback;
+              callback = null;
+              cb(err);
+            }
+          });
+          return socket;
+        };
+      }
+      dispatch(opts, handler) {
+        return this.#client.dispatch(opts, handler);
+      }
+      async [kClose]() {
+        await this.#client.close();
+      }
+      async [kDestroy]() {
+        await this.#client.destroy();
+      }
+    };
+    module2.exports = H2CClient;
+  }
+});
+
 // node_modules/undici/lib/api/readable.js
 var require_readable2 = __commonJS({
   "node_modules/undici/lib/api/readable.js"(exports2, module2) {
@@ -30334,7 +30430,7 @@ var require_mock_utils2 = __commonJS({
       if (typeof path !== "string") {
         return path;
       }
-      const pathSegments = path.split("?");
+      const pathSegments = path.split("?", 3);
       if (pathSegments.length !== 2) {
         return path;
       }
@@ -32054,6 +32150,15 @@ var require_cache2 = __commonJS({
       if (!opts.origin) {
         throw new Error("opts.origin is undefined");
       }
+      const headers = normaliseHeaders(opts);
+      return {
+        origin: opts.origin.toString(),
+        method: opts.method,
+        path: opts.path,
+        headers
+      };
+    }
+    function normaliseHeaders(opts) {
       let headers;
       if (opts.headers == null) {
         headers = {};
@@ -32077,12 +32182,7 @@ var require_cache2 = __commonJS({
       } else {
         throw new Error("opts.headers is not an object");
       }
-      return {
+      return headers;
-        origin: opts.origin.toString(),
-        method: opts.method,
-        path: opts.path,
-        headers
-      };
     }
     function assertCacheKey(key) {
       if (typeof key !== "object") {
@@ -32275,6 +32375,7 @@ var require_cache2 = __commonJS({
     }
     module2.exports = {
       makeCacheKey,
+      normaliseHeaders,
       assertCacheKey,
       assertCacheValue,
       parseCacheControlHeader,
@@ -32999,7 +33100,7 @@ var require_cache3 = __commonJS({
     var CacheHandler = require_cache_handler();
     var MemoryCacheStore = require_memory_cache_store();
     var CacheRevalidationHandler = require_cache_revalidation_handler();
-    var { assertCacheStore, assertCacheMethods, makeCacheKey, parseCacheControlHeader } = require_cache2();
+    var { assertCacheStore, assertCacheMethods, makeCacheKey, normaliseHeaders, parseCacheControlHeader } = require_cache2();
     var { AbortError } = require_errors2();
     function needsRevalidation(result, cacheControlDirectives) {
       if (cacheControlDirectives?.["no-cache"]) {
@@ -33127,7 +33228,7 @@ var require_cache3 = __commonJS({
           withinStaleIfErrorThreshold = now < result.staleAt + staleIfErrorExpiry * 1e3;
         }
         let headers = {
-          ...opts.headers,
+          ...normaliseHeaders(opts),
           "if-modified-since": new Date(result.cachedAt).toUTCString()
         };
         if (result.etag) {
@@ -33303,6 +33404,11 @@ var require_sqlite_cache_store = __commonJS({
         }
         this.#db = new DatabaseSync(opts?.location ?? ":memory:");
         this.#db.exec(`
+      PRAGMA journal_mode = WAL;
+      PRAGMA synchronous = NORMAL;
+      PRAGMA temp_store = memory;
+      PRAGMA optimize;
+
       CREATE TABLE IF NOT EXISTS cacheInterceptorV${VERSION3} (
         -- Data specific to us
         id INTEGER PRIMARY KEY AUTOINCREMENT,
@@ -33322,9 +33428,8 @@ var require_sqlite_cache_store = __commonJS({
         staleAt INTEGER NOT NULL
       );
 
-      CREATE INDEX IF NOT EXISTS idx_cacheInterceptorV${VERSION3}_url ON cacheInterceptorV${VERSION3}(url);
+      CREATE INDEX IF NOT EXISTS idx_cacheInterceptorV${VERSION3}_getValuesQuery ON cacheInterceptorV${VERSION3}(url, method, deleteAt);
-      CREATE INDEX IF NOT EXISTS idx_cacheInterceptorV${VERSION3}_method ON cacheInterceptorV${VERSION3}(method);
+      CREATE INDEX IF NOT EXISTS idx_cacheInterceptorV${VERSION3}_deleteByUrlQuery ON cacheInterceptorV${VERSION3}(deleteAt);
-      CREATE INDEX IF NOT EXISTS idx_cacheInterceptorV${VERSION3}_deleteAt ON cacheInterceptorV${VERSION3}(deleteAt);
     `);
         this.#getValuesQuery = this.#db.prepare(`
       SELECT
@@ -33501,7 +33606,7 @@ var require_sqlite_cache_store = __commonJS({
         this.#deleteByUrlQuery.run(this.#makeValueUrl(key));
       }
       #prune() {
-        if (this.size <= this.#maxCount) {
+        if (Number.isFinite(this.#maxCount) && this.size <= this.#maxCount) {
           return 0;
         }
         {
@@ -35445,7 +35550,10 @@ var require_fetch2 = __commonJS({
         originalURL.href,
         initiatorType,
         globalThis,
-        cacheState
+        cacheState,
+        "",
+        // bodyType
+        response.status
       );
     }
     var markResourceTiming = performance.markResourceTiming;
@@ -35739,7 +35847,7 @@ var require_fetch2 = __commonJS({
           fetchParams.controller.fullTimingInfo = timingInfo;
         }
         fetchParams.controller.reportTimingSteps = () => {
-          if (fetchParams.request.url.protocol !== "https:") {
+          if (!urlIsHttpHttpsScheme(fetchParams.request.url)) {
             return;
           }
           timingInfo.endTime = unsafeEndTime;
@@ -37874,7 +37982,7 @@ var require_util12 = __commonJS({
       const extensionList = /* @__PURE__ */ new Map();
       while (position.position < extensions.length) {
         const pair = collectASequenceOfCodePointsFast(";", extensions, position);
-        const [name, value = ""] = pair.split("=");
+        const [name, value = ""] = pair.split("=", 2);
         extensionList.set(
           removeHTTPWhitespace(name, true, false),
           removeHTTPWhitespace(value, false, true)
@@ -40058,6 +40166,7 @@ var require_undici2 = __commonJS({
     var ProxyAgent2 = require_proxy_agent2();
     var EnvHttpProxyAgent = require_env_http_proxy_agent();
     var RetryAgent = require_retry_agent();
+    var H2CClient = require_h2c_client();
     var errors = require_errors2();
     var util = require_util8();
     var { InvalidArgumentError } = errors;
@@ -40081,6 +40190,7 @@ var require_undici2 = __commonJS({
     module2.exports.ProxyAgent = ProxyAgent2;
     module2.exports.EnvHttpProxyAgent = EnvHttpProxyAgent;
     module2.exports.RetryAgent = RetryAgent;
+    module2.exports.H2CClient = H2CClient;
     module2.exports.RetryHandler = RetryHandler;
     module2.exports.DecoratorHandler = DecoratorHandler;
     module2.exports.RedirectHandler = RedirectHandler;
@@ -40202,9 +40312,7 @@ var import_core2 = __toESM(require_core(), 1);
 
 // lib/post.js
 async function post(core3, request2) {
-  const skipTokenRevoke = Boolean(
+  const skipTokenRevoke = core3.getBooleanInput("skip-token-revoke");
-    core3.getInput("skip-token-revoke") || core3.getInput("skip_token_revoke")
-  );
   if (skipTokenRevoke) {
     core3.info("Token revocation was skipped");
     return;
@@ -40227,9 +40335,7 @@ async function post(core3, request2) {
     });
     core3.info("Token revoked");
   } catch (error) {
-    core3.warning(
+    core3.warning(`Token revocation failed: ${error.message}`);
-      `Token revocation failed: ${error.message}`
-    );
   }
 }
 function tokenExpiresIn(expiresAt) {
@@ -40568,7 +40674,7 @@ var endpoint = withDefaults(null, DEFAULTS);
 // node_modules/@octokit/request/dist-bundle/index.js
 var import_fast_content_type_parse = __toESM(require_fast_content_type_parse(), 1);
 
-// node_modules/@octokit/request-error/dist-src/index.js
+// node_modules/@octokit/request/node_modules/@octokit/request-error/dist-src/index.js
 var RequestError = class extends Error {
   name;
   /**
@@ -40608,7 +40714,7 @@ var RequestError = class extends Error {
 };
 
 // node_modules/@octokit/request/dist-bundle/index.js
-var VERSION2 = "0.0.0-development";
+var VERSION2 = "10.0.3";
 var defaults_default = {
   headers: {
     "user-agent": `octokit-request.js/${VERSION2} ${getUserAgent()}`
@@ -40815,14 +40921,10 @@ post(import_core2.default, request_default).catch((error) => {
 /*! Bundled license information:
 
 undici/lib/fetch/body.js:
-  (*! formdata-polyfill. MIT License. Jimmy Wärting <https://jimmy.warting.se/opensource> *)
-
-undici/lib/websocket/frame.js:
-  (*! ws. MIT License. Einar Otto Stangvik <einaros@gmail.com> *)
-
 undici/lib/web/fetch/body.js:
   (*! formdata-polyfill. MIT License. Jimmy Wärting <https://jimmy.warting.se/opensource> *)
 
+undici/lib/websocket/frame.js:
 undici/lib/web/websocket/frame.js:
   (*! ws. MIT License. Einar Otto Stangvik <einaros@gmail.com> *)
 */

lib/get-permissions-from-inputs.js

@@ -7,9 +7,13 @@
  */
 export function getPermissionsFromInputs(env) {
   return Object.entries(env).reduce((permissions, [key, value]) => {
-    if (!key.startsWith("INPUT_PERMISSION_")) return permissions;
+    if (!key.startsWith("INPUT_PERMISSION-")) return permissions;
+    if (!value) return permissions;
 
-    const permission = key.slice("INPUT_PERMISSION_".length).toLowerCase();
+    const permission = key.slice("INPUT_PERMISSION-".length).toLowerCase()
+      .replaceAll(/-/g, "_");
+
+    // Inherit app permissions if no permissions inputs are set
     if (permissions === undefined) {
       return { [permission]: value };
     }

lib/main.js

@@ -21,7 +21,7 @@ export async function main(
   core,
   createAppAuth,
   request,
-  skipTokenRevoke,
+  skipTokenRevoke
 ) {
   let parsedOwner = "";
   let parsedRepositoryNames = [];
@@ -33,7 +33,7 @@ export async function main(
     parsedRepositoryNames = [repo];
 
     core.info(
-      `owner and repositories not set, creating token for the current repository ("${repo}")`,
+      `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (${owner}/${repo}).`
     );
   }
 
@@ -42,7 +42,7 @@ export async function main(
     parsedOwner = owner;
 
     core.info(
-      `repositories not set, creating token for all repositories for given owner "${owner}"`,
+      `Input 'repositories' is not set. Creating token for all repositories owned by ${owner}.`
     );
   }
 
@@ -52,9 +52,9 @@ export async function main(
     parsedRepositoryNames = repositories;
 
     core.info(
-      `owner not set, creating owner for given repositories "${repositories.join(
+      `No 'owner' input provided. Using default owner '${parsedOwner}' to create token for the following repositories:${repositories
-        ",",
+        .map((repo) => `\n- ${parsedOwner}/${repo}`)
-      )}" in current owner ("${parsedOwner}")`,
+        .join("")}`
     );
   }
 
@@ -64,9 +64,8 @@ export async function main(
     parsedRepositoryNames = repositories;
 
     core.info(
-      `owner and repositories set, creating token for repositories "${repositories.join(
+      `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
-        ",",
+      ${repositories.map((repo) => `\n- ${parsedOwner}/${repo}`).join("")}`
-      )}" owned by "${owner}"`,
     );
   }
 
@@ -87,18 +86,19 @@ export async function main(
           auth,
           parsedOwner,
           parsedRepositoryNames,
-          permissions,
+          permissions
         ),
       {
+        shouldRetry: (error) => error.status >= 500,
         onFailedAttempt: (error) => {
           core.info(
             `Failed to create token for "${parsedRepositoryNames.join(
-              ",",
+              ","
-            )}" (attempt ${error.attemptNumber}): ${error.message}`,
+            )}" (attempt ${error.attemptNumber}): ${error.message}`
           );
         },
         retries: 3,
-      },
+      }
     ));
   } else {
     // Otherwise get the installation for the owner, which can either be an organization or a user account
@@ -107,11 +107,11 @@ export async function main(
       {
         onFailedAttempt: (error) => {
           core.info(
-            `Failed to create token for "${parsedOwner}" (attempt ${error.attemptNumber}): ${error.message}`,
+            `Failed to create token for "${parsedOwner}" (attempt ${error.attemptNumber}): ${error.message}`
           );
         },
         retries: 3,
-      },
+      }
     ));
   }
 
@@ -157,7 +157,7 @@ async function getTokenFromRepository(
   auth,
   parsedOwner,
   parsedRepositoryNames,
-  permissions,
+  permissions
 ) {
   // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
   const response = await request("GET /repos/{owner}/{repo}/installation", {

lib/post.js

@@ -5,9 +5,7 @@
  * @param {import("@octokit/request").request} request
  */
 export async function post(core, request) {
-  const skipTokenRevoke = Boolean(
+  const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
-    core.getInput("skip-token-revoke") || core.getInput("skip_token_revoke")
-  );
 
   if (skipTokenRevoke) {
     core.info("Token revocation was skipped");
@@ -35,8 +33,7 @@ export async function post(core, request) {
     });
     core.info("Token revoked");
   } catch (error) {
-    core.warning(
+    core.warning(`Token revocation failed: ${error.message}`);
-      `Token revocation failed: ${error.message}`)
   }
 }
 

main.js

@@ -3,9 +3,9 @@
 import core from "@actions/core";
 import { createAppAuth } from "@octokit/auth-app";
 
+import { getPermissionsFromInputs } from "./lib/get-permissions-from-inputs.js";
 import { main } from "./lib/main.js";
 import request from "./lib/request.js";
-import { getPermissionsFromInputs } from "./lib/get-permissions-from-inputs.js";
 
 if (!process.env.GITHUB_REPOSITORY) {
   throw new Error("GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'");
@@ -15,16 +15,8 @@ if (!process.env.GITHUB_REPOSITORY_OWNER) {
   throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
 }
 
-const appId = core.getInput("app-id") || core.getInput("app_id");
+const appId = core.getInput("app-id");
-if (!appId) {
+const privateKey = core.getInput("private-key");
-  // The 'app_id' input was previously required, but it and 'app-id' are both optional now, until the former is removed. Still, we want to ensure that at least one of them is set.
-  throw new Error("Input required and not supplied: app-id");
-}
-const privateKey = core.getInput("private-key") || core.getInput("private_key");
-if (!privateKey) {
-  // The 'private_key' input was previously required, but it and 'private-key' are both optional now, until the former is removed. Still, we want to ensure that at least one of them is set.
-  throw new Error("Input required and not supplied: private-key");
-}
 const owner = core.getInput("owner");
 const repositories = core
   .getInput("repositories")
@@ -32,9 +24,7 @@ const repositories = core
   .map((s) => s.trim())
   .filter((x) => x !== "");
 
-const skipTokenRevoke = Boolean(
+const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
-  core.getInput("skip-token-revoke") || core.getInput("skip_token_revoke"),
-);
 
 const permissions = getPermissionsFromInputs(process.env);
 

package.json

@@ -2,7 +2,7 @@
   "name": "create-github-app-token",
   "private": true,
   "type": "module",
-  "version": "1.12.0",
+  "version": "2.1.2",
   "description": "GitHub Action for creating a GitHub App Installation Access Token",
   "scripts": {
     "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0 --packages=bundle",
@@ -13,26 +13,30 @@
   "license": "MIT",
   "dependencies": {
     "@actions/core": "^1.11.1",
-    "@octokit/auth-app": "^7.1.5",
+    "@octokit/auth-app": "^7.2.1",
-    "@octokit/request": "^9.2.2",
+    "@octokit/request": "^10.0.3",
     "p-retry": "^6.2.1",
-    "undici": "^7.5.0"
+    "undici": "^7.8.0"
   },
   "devDependencies": {
-    "@octokit/openapi": "^18.0.0",
+    "@octokit/openapi": "^19.1.0",
     "@sinonjs/fake-timers": "^14.0.0",
-    "ava": "^6.2.0",
+    "ava": "^6.4.1",
     "c8": "^10.1.3",
-    "dotenv": "^16.4.7",
+    "dotenv": "^17.2.1",
-    "esbuild": "^0.25.0",
+    "esbuild": "^0.25.8",
-    "execa": "^9.5.2",
+    "execa": "^9.6.0",
     "open-cli": "^8.0.0",
-    "yaml": "^2.7.0"
+    "yaml": "^2.8.1"
   },
   "release": {
     "branches": [
       "+([0-9]).x",
-      "main"
+      "main",
+      {
+        "name": "beta",
+        "prerelease": true
+      }
     ],
     "plugins": [
       "@semantic-release/commit-analyzer",
@@ -45,6 +49,7 @@
         {
           "assets": [
             "package.json",
+            "package-lock.json",
             "dist/*"
           ],
           "message": "build(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"

scripts/generated/app-permissions.json

@@ -45,7 +45,7 @@
     },
     "dependabot_secrets": {
       "type": "string",
-      "description": "The leve of permission to grant the access token to manage Dependabot secrets.",
+      "description": "The level of permission to grant the access token to manage Dependabot secrets.",
       "enum": [
         "read",
         "write"

tests/main-missing-app-id.test.js

@@ -1,9 +0,0 @@
-process.env.GITHUB_REPOSITORY_OWNER = "actions";
-process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
-
-// Verify `main` exits with an error when neither the `app-id` nor `app_id` input is set.
-try {
-  await import("../main.js");
-} catch (error) {
-  console.error(error.message);
-}

tests/main-missing-private-key.test.js

@@ -1,10 +0,0 @@
-process.env.GITHUB_REPOSITORY_OWNER = "actions";
-process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
-process.env["INPUT_APP-ID"] = "123456";
-
-// Verify `main` exits with an error when neither the `private-key` nor `private_key` input is set.
-try {
-  await import("../main.js");
-} catch (error) {
-  console.error(error.message);
-}

tests/main-token-permissions-set.test.js

@@ -2,6 +2,6 @@ import { test } from "./main.js";
 
 // Verify `main` successfully sets permissions
 await test(() => {
-  process.env.INPUT_PERMISSION_ISSUES = `write`;
+  process.env["INPUT_PERMISSION-ISSUES"] = `write`;
-  process.env.INPUT_PERMISSION_PULL_REQUESTS = `read`;
+  process.env["INPUT_PERMISSION-PULL-REQUESTS"] = `read`;
 });

tests/main.js

@@ -8,6 +8,7 @@ export const DEFAULT_ENV = {
   // inputs are set as environment variables with the prefix INPUT_
   // https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
   "INPUT_GITHUB-API-URL": "https://api.github.com",
+  "INPUT_SKIP-TOKEN-REVOKE": "false",
   "INPUT_APP-ID": "123456",
   // This key is invalidated. It’s from https://github.com/octokit/auth-app.js/issues/465#issuecomment-1564998327.
   "INPUT_PRIVATE-KEY": `-----BEGIN RSA PRIVATE KEY-----
@@ -37,6 +38,8 @@ so0tiQKBgGQXZaxaXhYUcxYHuCkQ3V4Vsj3ezlM92xXlP32SGFm3KgFhYy9kATxw
 Cax1ytZzvlrKLQyQFVK1COs2rHt7W4cJ7op7C8zXfsigXCiejnS664oAuX8sQZID
 x3WQZRiXlWejSMUAHuMwXrhGlltF3lw83+xAjnqsVp75kGS6OH61
 -----END RSA PRIVATE KEY-----`,
+  // The Actions runner sets all inputs to empty strings if not set.
+  "INPUT_PERMISSION-ADMINISTRATION": "",
 };
 
 export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
@@ -60,7 +63,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
   const owner = env.INPUT_OWNER ?? env.GITHUB_REPOSITORY_OWNER;
   const currentRepoName = env.GITHUB_REPOSITORY.split("/")[1];
   const repo = encodeURIComponent(
-    (env.INPUT_REPOSITORIES ?? currentRepoName).split(",")[0],
+    (env.INPUT_REPOSITORIES ?? currentRepoName).split(",")[0]
   );
 
   mockPool
@@ -76,7 +79,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
     .reply(
       200,
       { id: mockInstallationId, app_slug: mockAppSlug },
-      { headers: { "content-type": "application/json" } },
+      { headers: { "content-type": "application/json" } }
     );
 
   // Mock installation access token request
@@ -97,7 +100,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
     .reply(
       201,
       { token: mockInstallationAccessToken, expires_at: mockExpiresAt },
-      { headers: { "content-type": "application/json" } },
+      { headers: { "content-type": "application/json" } }
     );
 
   // Run the callback

tests/post-revoke-token-fail-response.test.js

@@ -7,6 +7,7 @@ process.env.STATE_token = "secret123";
 // inputs are set as environment variables with the prefix INPUT_
 // https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
 process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
 
 // 1 hour in the future, not expired
 process.env.STATE_expiresAt = new Date(

tests/post-token-expired.test.js

@@ -7,6 +7,10 @@ process.env.STATE_token = "secret123";
 // 1 hour in the past, expired
 process.env.STATE_expiresAt = new Date(Date.now() - 1000 * 60 * 60).toISOString();
 
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
+
 const mockAgent = new MockAgent();
 
 setGlobalDispatcher(mockAgent);

tests/post-token-set.test.js

@@ -7,6 +7,7 @@ process.env.STATE_token = "secret123";
 // inputs are set as environment variables with the prefix INPUT_
 // https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
 process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
 
 // 1 hour in the future, not expired
 process.env.STATE_expiresAt = new Date(Date.now() + 1000 * 60 * 60).toISOString();

tests/post-token-unset.test.js

@@ -2,4 +2,8 @@
 // https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
 delete process.env.STATE_token;
 
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
+
 await import("../post.js");

tests/snapshots/index.js.md

@@ -12,9 +12,7 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `app_id — 'app_id' is deprecated and will be removed in a future version. Use 'app-id' instead.␊
+    ''
-    private_key — 'private_key' is deprecated and will be removed in a future version. Use 'private-key' instead.␊
-    skip_token_revoke — 'skip_token_revoke' is deprecated and will be removed in a future version. Use 'skip-token-revoke' instead.`
 
 ## main-custom-github-api-url.test.js
 
@@ -24,7 +22,9 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `owner and repositories set, creating token for repositories "create-github-app-token" owned by "actions"␊
+    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
+          ␊
+    - actions/create-github-app-token␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -39,16 +39,6 @@ Generated by [AVA](https://avajs.dev).
     POST /api/v3/app/installations/123456/access_tokens␊
     {"repositories":["create-github-app-token"]}`
 
-## main-missing-app-id.test.js
-
-> stderr
-
-    'Input required and not supplied: app-id'
-
-> stdout
-
-    ''
-
 ## main-missing-owner.test.js
 
 > stderr
@@ -59,16 +49,6 @@ Generated by [AVA](https://avajs.dev).
 
     ''
 
-## main-missing-private-key.test.js
-
-> stderr
-
-    'Input required and not supplied: private-key'
-
-> stdout
-
-    ''
-
 ## main-missing-repository.test.js
 
 > stderr
@@ -87,7 +67,7 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `owner and repositories not set, creating token for the current repository ("create-github-app-token")␊
+    `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -111,7 +91,9 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `owner and repositories set, creating token for repositories "failed-repo" owned by "actions"␊
+    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
+          ␊
+    - actions/failed-repo␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -135,7 +117,7 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `repositories not set, creating token for all repositories for given owner "smockle"␊
+    `Input 'repositories' is not set. Creating token for all repositories owned by smockle.␊
     Failed to create token for "smockle" (attempt 1): GitHub API not available␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
@@ -160,7 +142,9 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `owner and repositories set, creating token for repositories "failed-repo" owned by "actions"␊
+    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
+          ␊
+    - actions/failed-repo␊
     Failed to create token for "failed-repo" (attempt 1): GitHub API not available␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
@@ -185,7 +169,11 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `owner and repositories set, creating token for repositories "create-github-app-token,toolkit,checkout" owned by "actions"␊
+    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
+          ␊
+    - actions/create-github-app-token␊
+    - actions/toolkit␊
+    - actions/checkout␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -208,7 +196,11 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `owner and repositories set, creating token for repositories "create-github-app-token,toolkit,checkout" owned by "actions"␊
+    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
+          ␊
+    - actions/create-github-app-token␊
+    - actions/toolkit␊
+    - actions/checkout␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -231,7 +223,9 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `owner and repositories set, creating token for repositories "create-github-app-token" owned by "actions"␊
+    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
+          ␊
+    - actions/create-github-app-token␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -254,7 +248,7 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `repositories not set, creating token for all repositories for given owner "actions"␊
+    `Input 'repositories' is not set. Creating token for all repositories owned by actions.␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -277,7 +271,8 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `owner not set, creating owner for given repositories "create-github-app-token" in current owner ("actions")␊
+    `No 'owner' input provided. Using default owner 'actions' to create token for the following repositories:␊
+    - actions/create-github-app-token␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -300,7 +295,7 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `owner and repositories not set, creating token for the current repository ("create-github-app-token")␊
+    `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -323,7 +318,7 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `owner and repositories not set, creating token for the current repository ("create-github-app-token")␊
+    `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊