build(release): 1.10.3 [skip ci]

## [1.10.3](https://github.com/actions/create-github-app-token/compare/v1.10.2...v1.10.3) (2024-07-01)

### Bug Fixes

* **deps:** bump undici from 6.18.2 to 6.19.2 in the production-dependencies group ([#149](https://github.com/actions/create-github-app-token/issues/149)) ([cc82279](https://github.com/actions/create-github-app-token/commit/cc82279e84540c5543078cedc5af4fcfab0a96bb)), closes [#3337](https://github.com/actions/create-github-app-token/issues/3337) [nodejs/undici#3338](https://github.com/nodejs/undici/issues/3338) [nodejs/undici#3340](https://github.com/nodejs/undici/issues/3340) [nodejs/undici#3332](https://github.com/nodejs/undici/issues/3332) [nodejs/undici#3335](https://github.com/nodejs/undici/issues/3335) [nodejs/undici#3305](https://github.com/nodejs/undici/issues/3305) [nodejs/undici#3303](https://github.com/nodejs/undici/issues/3303) [nodejs/undici#3304](https://github.com/nodejs/undici/issues/3304) [nodejs/undici#3306](https://github.com/nodejs/undici/issues/3306) [nodejs/undici#3309](https://github.com/nodejs/undici/issues/3309) [nodejs/undici#3313](https://github.com/nodejs/undici/issues/3313) [nodejs/undici#3311](https://github.com/nodejs/undici/issues/3311) [nodejs/undici#3107](https://github.com/nodejs/undici/issues/3107) [nodejs/undici#3302](https://github.com/nodejs/undici/issues/3302) [nodejs/undici#3320](https://github.com/nodejs/undici/issues/3320) [nodejs/undici#3321](https://github.com/nodejs/undici/issues/3321) [nodejs/undici#3316](https://github.com/nodejs/undici/issues/3316) [nodejs/undici#3318](https://github.com/nodejs/undici/issues/3318) [nodejs/undici#3326](https://github.com/nodejs/undici/issues/3326) [nodejs/undici#3324](https://github.com/nodejs/undici/issues/3324) [nodejs/undici#3325](https://github.com/nodejs/undici/issues/3325) [nodejs/undici#3316](https://github.com/nodejs/undici/issues/3316) [nodejs/undici#3318](https://github.com/nodejs/undici/issues/3318) [#3342](https://github.com/actions/create-github-app-token/issues/3342) [#3332](https://github.com/actions/create-github-app-token/issues/3332) [#3340](https://github.com/actions/create-github-app-token/issues/3340) [#3337](https://github.com/actions/create-github-app-token/issues/3337) [#3338](https://github.com/actions/create-github-app-token/issues/3338) [#3336](https://github.com/actions/create-github-app-token/issues/3336) [#3335](https://github.com/actions/create-github-app-token/issues/3335) [#3325](https://github.com/actions/create-github-app-token/issues/3325) [#3324](https://github.com/actions/create-github-app-token/issues/3324) [#3326](https://github.com/actions/create-github-app-token/issues/3326)

.github/CODEOWNERS

@@ -1 +1 @@
-* @gr2m @parkerbxyz @actions/github-app-token-maintainers
+* @gr2m @parkerbxyz @actions/create-github-app-token-maintainers

.github/dependabot.yml

@@ -0,0 +1,19 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    groups:
+      production-dependencies:
+        dependency-type: "production"
+      development-dependencies:
+        dependency-type: "development"
+    commit-message:
+      prefix: "fix"
+      prefix-development: "build"
+      include: "scope"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"

.github/workflows/release.yml

@@ -1,5 +1,6 @@
 name: release
-"on":
+
+on:
   push:
     branches:
       - main
@@ -14,24 +15,25 @@ jobs:
     name: release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      # build local version to create token
+      - uses: actions/checkout@v4
         with:
-          cache: npm
-          node-version: lts/*
+          persist-credentials: false
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: .node-version
+          cache: 'npm'
+
       - run: npm ci
       - run: npm run build
-      - uses: ./ # Uses the action in the root directory
+      - uses: ./
         id: app-token
         with:
-          app_id: ${{ vars.RELEASER_APP_ID }}
-          private_key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
-
-      - id: commit
-        uses: stefanzweifel/git-auto-commit-action@v4
-        with:
-          commit_message: "build: update dist files"
-      - run: npm i semantic-release-plugin-github-breaking-version-tag
-      - run: npx semantic-release
+          app-id: ${{ vars.RELEASER_APP_ID }}
+          private-key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
+      # install release dependencies and release
+      - run: npm install --no-save @semantic-release/git semantic-release-plugin-github-breaking-version-tag
+      - run: npx semantic-release --debug
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/test.yml

@@ -1,26 +1,52 @@
 name: test
-on: [push]
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
-  test:
+  integration:
+    name: Integration
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
         with:
-          node-version: "16.16"
+          node-version-file: .node-version
+          cache: 'npm'
+
+      - run: npm ci
+      - run: npm test
+
+  end-to-end:
+    name: End-to-End
+    runs-on: ubuntu-latest
+    # do not run from forks, as forks don’t have access to repository secrets
+    if: github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
           cache: "npm"
       - run: npm ci
       - run: npm run build
       - uses: ./ # Uses the action in the root directory
-        id: demo
+        id: test
         with:
-          app_id: ${{ vars.TEST_APP_ID }}
-          private_key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
+          app-id: ${{ vars.TEST_APP_ID }}
+          private-key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
       - uses: octokit/request-action@v2.x
         id: get-repository
         env:
-          GITHUB_TOKEN: ${{ steps.demo.outputs.token }}
+          GITHUB_TOKEN: ${{ steps.test.outputs.token }}
         with:
           route: GET /installation/repositories
       - run: echo '${{ steps.get-repository.outputs.data }}'

.gitignore

@@ -1,2 +1,3 @@
-node_modules/
 .env
+coverage
+node_modules/

.node-version

@@ -0,0 +1 @@
+20.9.0

README.md

@@ -1,6 +1,8 @@
-# `actions/github-app-token`
+# Create GitHub App Token
 
-> GitHub Action for creating a GitHub App Installation Access Token
+[![test](https://github.com/actions/create-github-app-token/actions/workflows/test.yml/badge.svg)](https://github.com/actions/create-github-app-token/actions/workflows/test.yml)
+
+GitHub Action for creating a GitHub App installation access token.
 
 ## Usage
 
@@ -10,25 +12,30 @@ In order to use this action, you need to:
 2. [Store the App's ID in your repository environment variables](https://docs.github.com/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_ID`)
 3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets?tool=webui#creating-encrypted-secrets-for-a-repository) (example: `PRIVATE_KEY`)
 
-### Minimal usage
+> [!IMPORTANT]  
+> An installation access token expires after 1 hour. Please [see this comment](https://github.com/actions/create-github-app-token/issues/121#issuecomment-2043214796) for alternative approaches if you have long-running processes.
+
+### Create a token for the current repository
 
 ```yaml
-on: [issues]
+name: Run tests on staging
+on:
+  push:
+    branches:
+      - main
 
 jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-app-token@v1
+      - uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app_id: ${{ vars.APP_ID }}
-          private_key: ${{ secrets.PRIVATE_KEY }}
-      - uses: peter-evans/create-or-update-comment@v3
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+      - uses: ./actions/staging-tests
         with:
           token: ${{ steps.app-token.outputs.token }}
-          issue-number: ${{ github.event.issue.number }}
-          body: "Hello, World!"
 ```
 
 ### Use app token with `actions/checkout`
@@ -40,13 +47,13 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-app-token@v1
+      - uses: actions/create-github-app-token@v1
         id: app-token
         with:
           # required
-          app_id: ${{ vars.APP_ID }}
-          private_key: ${{ secrets.PRIVATE_KEY }}
-      - uses: actions/checkout@v3
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+      - uses: actions/checkout@v4
         with:
           token: ${{ steps.app-token.outputs.token }}
           ref: ${{ github.head_ref }}
@@ -57,33 +64,260 @@ jobs:
           github_token: ${{ steps.app-token.outputs.token }}
 ```
 
+### Create a git committer string for an app installation
+
+```yaml
+on: [pull_request]
+
+jobs:
+  auto-format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          # required
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+      - name: Retrieve GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.generate-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - id: committer
+        run: echo "string=${{steps.app-token.outputs.app-slug}}[bot] <${{steps.get-user-id.outputs.user-id}}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"  >> "$GITHUB_OUTPUT"
+      - run: echo "committer string is ${{steps.committer.outputs.string}}"
+```
+
+### Configure git CLI for an app's bot user
+
+```yaml
+on: [pull_request]
+
+jobs:
+  auto-format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          # required
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+      - name: Retrieve GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.generate-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - run: |
+          git config --global user.name '${{steps.app-token.outputs.app-slug}}[bot]'
+          git config --global user.email '${{steps.get-user-id.outputs.user-id}}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
+      # git commands like commit work using the bot user
+      - run: |
+          git add .
+          git commit -m "Auto-generated changes"
+          git push
+```
+
+The `<BOT USER ID>` is the numeric user ID of the app's bot user, which can be found under `https://api.github.com/users/<app-slug>%5Bbot%5D`.
+For example, we can check at `https://api.github.com/users/dependabot%5Bbot%5D` to see the user ID of dependabot is 49699333.
+
+### Create a token for all repositories in the current owner's installation
+
+```yaml
+on: [workflow_dispatch]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+      - uses: peter-evans/create-or-update-comment@v3
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          issue-number: ${{ github.event.issue.number }}
+          body: "Hello, World!"
+```
+
+### Create a token for multiple repositories in the current owner's installation
+
+```yaml
+on: [issues]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "repo1,repo2"
+      - uses: peter-evans/create-or-update-comment@v3
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          issue-number: ${{ github.event.issue.number }}
+          body: "Hello, World!"
+```
+
+### Create a token for all repositories in another owner's installation
+
+```yaml
+on: [issues]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+          owner: another-owner
+      - uses: peter-evans/create-or-update-comment@v3
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          issue-number: ${{ github.event.issue.number }}
+          body: "Hello, World!"
+```
+
+### Create tokens for multiple user or organization accounts
+
+You can use a matrix strategy to create tokens for multiple user or organization accounts.
+
+> [!NOTE]
+> See [this documentation](https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings) for information on using multiline strings in workflows.
+
+```yaml
+on: [workflow_dispatch]
+
+jobs:
+  set-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{steps.set.outputs.matrix }}
+    steps:
+      - id: set
+        run: echo 'matrix=[{"owner":"owner1"},{"owner":"owner2","repos":["repo1"]}]' >>"$GITHUB_OUTPUT"
+
+  use-matrix:
+    name: "@${{ matrix.owners-and-repos.owner }} installation"
+    needs: [set-matrix]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        owners-and-repos: ${{ fromJson(needs.set-matrix.outputs.matrix) }}
+
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+          owner: ${{ matrix.owners-and-repos.owner }}
+          repositories: ${{ join(matrix.owners-and-repos.repos) }}
+      - uses: octokit/request-action@v2.x
+        id: get-installation-repositories
+        with:
+          route: GET /installation/repositories
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+      - run: echo "$MULTILINE_JSON_STRING"
+        env:
+          MULTILINE_JSON_STRING: ${{ steps.get-installation-repositories.outputs.data }}
+```
+
+### Run the workflow in a github.com repository against an organization in GitHub Enterprise Server
+
+```yaml
+on: [push]
+
+jobs:
+  create_issue:
+    runs-on: self-hosted
+
+    steps:
+    - name: Create GitHub App token
+      id: create_token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ vars.GHES_APP_ID }}
+        private-key: ${{ secrets.GHES_APP_PRIVATE_KEY }}
+        owner: ${{ vars.GHES_INSTALLATION_ORG }}
+        github-api-url: ${{ vars.GITHUB_API_URL }}
+
+    - name: Create issue
+      uses: octokit/request-action@v2.x
+      with:
+        route: POST /repos/${{ github.repository }}/issues
+        title: "New issue from workflow"
+        body: "This is a new issue created from a GitHub Action workflow."
+      env:
+        GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}
+```
+
 ## Inputs
 
-### `app_id`
+### `app-id`
 
-**Required:** GitHub app ID.
+**Required:** GitHub App ID.
 
-### `private_key`
+### `private-key`
 
-**Required:** GitHub app private key.
+**Required:** GitHub App private key. Escaped newlines (`\\n`) will be automatically replaced with actual newlines.
+
+### `owner`
+
+**Optional:** The owner of the GitHub App installation. If empty, defaults to the current repository owner.
+
+### `repositories`
+
+**Optional:** Comma-separated list of repositories to grant access to.
+
+> [!NOTE]
+> If `owner` is set and `repositories` is empty, access will be scoped to all repositories in the provided repository owner's installation. If `owner` and `repositories` are empty, access will be scoped to only the current repository.
+
+### `skip-token-revoke`
+
+**Optional:** If truthy, the token will not be revoked when the current job is complete.
+
+### `github-api-url`
+
+**Optional:** The URL of the GitHub REST API. Defaults to the URL of the GitHub Rest API where the workflow is run from.
 
 ## Outputs
 
 ### `token`
 
-GitHub installation access token.
+GitHub App installation access token.
+
+### `installation-id`
+
+GitHub App installation ID.
+
+### `app-slug`
+
+GitHub App slug.
 
 ## How it works
 
 The action creates an installation access token using [the `POST /app/installations/{installation_id}/access_tokens` endpoint](https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app). By default,
 
-1. The token is scoped to the current repository
-2. The token inherits all the installation's permissions
-3. The token is set as output `token` which can be used in subsequent steps
-4. The token is revoked in the `post` step of the action, which means it cannot be passed to another job.
-5. The token is masked, it cannot be logged accidentally. That is not a feature by the action, but by the GitHub Actions runner itself, due to the specific format of GitHub tokens.
+1. The token is scoped to the current repository or `repositories` if set.
+2. The token inherits all the installation's permissions.
+3. The token is set as output `token` which can be used in subsequent steps.
+4. Unless the `skip-token-revoke` input is set to a truthy value, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
+5. The token is masked, it cannot be logged accidentally.
 
-> **Note**
+> [!NOTE]
 > Installation permissions can differ from the app's permissions they belong to. Installation permissions are set when an app is installed on an account. When the app adds more permissions after the installation, an account administrator will have to approve the new permissions before they are set on the installation.
 
 ## License

action.yml

@@ -1,17 +1,50 @@
-name: 'github-app-token'
-description: ''
-author: 'Gregor Martynus and Parker Brown'
+name: "Create GitHub App Token"
+description: "GitHub Action for creating a GitHub App installation access token"
+author: "Gregor Martynus and Parker Brown"
+branding:
+  icon: "lock"
+  color: "gray-dark"
 inputs:
+  app-id:
+    description: "GitHub App ID"
+    required: false # TODO: When 'app_id' is removed, make 'app-id' required
   app_id:
-    description: 'GitHub app ID'
-    required: true
+    description: "GitHub App ID"
+    required: false
+    deprecationMessage: "'app_id' is deprecated and will be removed in a future version. Use 'app-id' instead."
+  private-key:
+    description: "GitHub App private key"
+    required: false # TODO: When 'private_key' is removed, make 'private-key' required
   private_key:
-    description: 'GitHub app private key'
-    required: true
+    description: "GitHub App private key"
+    required: false
+    deprecationMessage: "'private_key' is deprecated and will be removed in a future version. Use 'private-key' instead."
+  owner:
+    description: "The owner of the GitHub App installation (defaults to current repository owner)"
+    required: false
+  repositories:
+    description: "Repositories to install the GitHub App on (defaults to current repository if owner is unset)"
+    required: false
+  skip-token-revoke:
+    description: "If truthy, the token will not be revoked when the current job is complete"
+    required: false
+  skip_token_revoke:
+    description: "If truthy, the token will not be revoked when the current job is complete"
+    required: false
+    deprecationMessage: "'skip_token_revoke' is deprecated and will be removed in a future version. Use 'skip-token-revoke' instead."
+  # Make GitHub API configurable to support non-GitHub Cloud use cases
+  # see https://github.com/actions/create-github-app-token/issues/77
+  github-api-url:
+    description: The URL of the GitHub REST API.
+    default: ${{ github.api_url }}
 outputs:
   token:
-    description: 'GitHub installation access token'
+    description: "GitHub installation access token"
+  installation-id:
+    description: "GitHub App installation ID"
+  app-slug:
+    description: "GitHub App slug"
 runs:
-  using: 'node16'
-  main: 'dist/main.cjs'
-  post: 'dist/post.cjs'
+  using: "node20"
+  main: "dist/main.cjs"
+  post: "dist/post.cjs"

badges/coverage.svg

@@ -0,0 +1,25 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="106"
+    height="20" role="img" aria-label="Coverage: 100%">
+    <title>Coverage: 100%</title>
+    <linearGradient id="s" x2="0" y2="100%">
+        <stop offset="0" stop-color="#bbb" stop-opacity=".1" />
+        <stop offset="1" stop-opacity=".1" />
+    </linearGradient>
+    <clipPath id="r">
+        <rect width="106" height="20" rx="3" fill="#fff" />
+    </clipPath>
+    <g clip-path="url(#r)">
+        <rect width="63" height="20" fill="#555" />
+        <rect x="63" width="43" height="20" fill="#4c1" />
+        <rect width="106" height="20" fill="url(#s)" />
+    </g>
+    <g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif"
+        text-rendering="geometricPrecision" font-size="110">
+        <text aria-hidden="true" x="325" y="150" fill="#010101" fill-opacity=".3"
+            transform="scale(.1)" textLength="530">Coverage</text>
+        <text x="325" y="140" transform="scale(.1)" fill="#fff" textLength="530">Coverage</text>
+        <text aria-hidden="true" x="835" y="150" fill="#010101" fill-opacity=".3"
+            transform="scale(.1)" textLength="330">100%</text>
+        <text x="835" y="140" transform="scale(.1)" fill="#fff" textLength="330">100%</text>
+    </g>
+</svg>

lib/main.js

@@ -1,59 +1,164 @@
+import pRetry from "p-retry";
 // @ts-check
 
-import core from "@actions/core";
-import { createAppAuth } from "@octokit/auth-app";
-import { request } from "@octokit/request";
-
 /**
  * @param {string} appId
  * @param {string} privateKey
- * @param {string} repository
- * @param {core} core
- * @param {createAppAuth} createAppAuth
- * @param {request} request
+ * @param {string} owner
+ * @param {string} repositories
+ * @param {import("@actions/core")} core
+ * @param {import("@octokit/auth-app").createAppAuth} createAppAuth
+ * @param {import("@octokit/request").request} request
+ * @param {boolean} skipTokenRevoke
  */
 export async function main(
   appId,
   privateKey,
-  repository,
+  owner,
+  repositories,
   core,
   createAppAuth,
-  request
+  request,
+  skipTokenRevoke
 ) {
-  // Get owner and repo name from GITHUB_REPOSITORY
-  const [owner, repo] = repository.split("/");
+  let parsedOwner = "";
+  let parsedRepositoryNames = "";
+
+  // If neither owner nor repositories are set, default to current repository
+  if (!owner && !repositories) {
+    [parsedOwner, parsedRepositoryNames] = String(
+      process.env.GITHUB_REPOSITORY
+    ).split("/");
+
+    core.info(
+      `owner and repositories not set, creating token for the current repository ("${parsedRepositoryNames}")`
+    );
+  }
+
+  // If only an owner is set, default to all repositories from that owner
+  if (owner && !repositories) {
+    parsedOwner = owner;
+
+    core.info(
+      `repositories not set, creating token for all repositories for given owner "${owner}"`
+    );
+  }
+
+  // If repositories are set, but no owner, default to `GITHUB_REPOSITORY_OWNER`
+  if (!owner && repositories) {
+    parsedOwner = String(process.env.GITHUB_REPOSITORY_OWNER);
+    parsedRepositoryNames = repositories;
+
+    core.info(
+      `owner not set, creating owner for given repositories "${repositories}" in current owner ("${parsedOwner}")`
+    );
+  }
+
+  // If both owner and repositories are set, use those values
+  if (owner && repositories) {
+    parsedOwner = owner;
+    parsedRepositoryNames = repositories;
+
+    core.info(
+      `owner and repositories set, creating token for repositories "${repositories}" owned by "${owner}"`
+    );
+  }
 
   const auth = createAppAuth({
     appId,
     privateKey,
+    request,
   });
 
-  const appAuthentication = await auth({
-    type: "app",
-  });
+  let authentication, installationId, appSlug;
+  // If at least one repository is set, get installation ID from that repository
 
-  // Get the installation ID
-  // https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
-  const { data: installation } = await request(
-    "GET /repos/{owner}/{repo}/installation",
-    {
-      owner,
-      repo,
-      headers: {
-        authorization: `bearer ${appAuthentication.token}`,
+  if (parsedRepositoryNames) {
+    ({ authentication, installationId, appSlug } = await pRetry(() => getTokenFromRepository(request, auth, parsedOwner, parsedRepositoryNames), {
+      onFailedAttempt: (error) => {
+        core.info(
+          `Failed to create token for "${parsedRepositoryNames}" (attempt ${error.attemptNumber}): ${error.message}`
+        );
       },
-    }
-  );
+      retries: 3,
+    }));
+  } else {
+    // Otherwise get the installation for the owner, which can either be an organization or a user account
+    ({ authentication, installationId, appSlug } = await pRetry(() => getTokenFromOwner(request, auth, parsedOwner), {
+      onFailedAttempt: (error) => {
+        core.info(
+          `Failed to create token for "${parsedOwner}" (attempt ${error.attemptNumber}): ${error.message}`
+        );
+      },
+      retries: 3,
+    }));
+  }
 
-  // Create a new installation token
-  const authentication = await auth({
-    type: "installation",
-    installationId: installation.id,
-    repositoryNames: [repo],
-  });
+  // Register the token with the runner as a secret to ensure it is masked in logs
+  core.setSecret(authentication.token);
 
   core.setOutput("token", authentication.token);
+  core.setOutput("installation-id", installationId);
+  core.setOutput("app-slug", appSlug);
 
   // Make token accessible to post function (so we can invalidate it)
-  core.saveState("token", authentication.token);
+  if (!skipTokenRevoke) {
+    core.saveState("token", authentication.token);
+    core.saveState("expiresAt", authentication.expiresAt);
+  }
 }
+
+async function getTokenFromOwner(request, auth, parsedOwner) {
+  // https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-an-organization-installation-for-the-authenticated-app
+  const response = await request("GET /orgs/{org}/installation", {
+    org: parsedOwner,
+    request: {
+      hook: auth.hook,
+    },
+  }).catch((error) => {
+    /* c8 ignore next */
+    if (error.status !== 404) throw error;
+
+    // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app
+    return request("GET /users/{username}/installation", {
+      username: parsedOwner,
+      request: {
+        hook: auth.hook,
+      },
+    });
+  });
+
+  // Get token for for all repositories of the given installation
+  const authentication = await auth({
+    type: "installation",
+    installationId: response.data.id,
+  });
+
+  const installationId = response.data.id;
+  const appSlug = response.data['app_slug'];
+
+  return { authentication, installationId, appSlug };
+}
+
+async function getTokenFromRepository(request, auth, parsedOwner, parsedRepositoryNames) {
+  // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
+  const response = await request("GET /repos/{owner}/{repo}/installation", {
+    owner: parsedOwner,
+    repo: parsedRepositoryNames.split(",")[0],
+    request: {
+      hook: auth.hook,
+    },
+  });
+
+  // Get token for given repositories
+  const authentication = await auth({
+    type: "installation",
+    installationId: response.data.id,
+    repositoryNames: parsedRepositoryNames.split(","),
+  });
+
+  const installationId = response.data.id;
+  const appSlug = response.data['app_slug'];
+
+  return { authentication, installationId, appSlug };
+ }

lib/post.js

@@ -1,20 +1,51 @@
 // @ts-check
 
-import core from "@actions/core";
-import { request } from "@octokit/request";
-
 /**
- * @param {core} core
- * @param {request} request
+ * @param {import("@actions/core")} core
+ * @param {import("@octokit/request").request} request
  */
 export async function post(core, request) {
+  const skipTokenRevoke = Boolean(
+    core.getInput("skip-token-revoke") || core.getInput("skip_token_revoke")
+  );
+
+  if (skipTokenRevoke) {
+    core.info("Token revocation was skipped");
+    return;
+  }
+
   const token = core.getState("token");
 
-  await request("DELETE /installation/token", {
-    headers: {
-      authorization: `token ${token}`,
-    },
-  });
+  if (!token) {
+    core.info("Token is not set");
+    return;
+  }
 
-  core.info("Token revoked");
+  const expiresAt = core.getState("expiresAt");
+  if (expiresAt && tokenExpiresIn(expiresAt) < 0) {
+    core.info("Token expired, skipping token revocation");
+    return;
+  }
+
+  try {
+    await request("DELETE /installation/token", {
+      headers: {
+        authorization: `token ${token}`,
+      },
+    });
+    core.info("Token revoked");
+  } catch (error) {
+    core.warning(
+      `Token revocation failed: ${error.message}`)
+  }
+}
+
+/**
+ * @param {string} expiresAt
+ */
+function tokenExpiresIn(expiresAt) {
+  const now = new Date();
+  const expiresAtDate = new Date(expiresAt);
+
+  return Math.round((expiresAtDate.getTime() - now.getTime()) / 1000);
 }

lib/request.js

@@ -0,0 +1,41 @@
+import core from "@actions/core";
+import { request } from "@octokit/request";
+import { ProxyAgent, fetch as undiciFetch } from "undici";
+
+const baseUrl = core.getInput("github-api-url").replace(/\/$/, "");
+
+// https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners
+const proxyUrl =
+  process.env.https_proxy ||
+  process.env.HTTPS_PROXY ||
+  process.env.http_proxy ||
+  process.env.HTTP_PROXY;
+
+/* c8 ignore start */
+// Native support for proxies in Undici is under consideration: https://github.com/nodejs/undici/issues/1650
+// Until then, we need to use a custom fetch function to add proxy support.
+const proxyFetch = (url, options) => {
+  const urlHost = new URL(url).hostname;
+  const noProxy = (process.env.no_proxy || process.env.NO_PROXY || "").split(
+    ","
+  );
+
+  if (!noProxy.includes(urlHost)) {
+    options = {
+      ...options,
+      dispatcher: new ProxyAgent(String(proxyUrl)),
+    };
+  }
+
+  return undiciFetch(url, options);
+};
+/* c8 ignore stop */
+
+export default request.defaults({
+  headers: {
+    "user-agent": "actions/create-github-app-token",
+  },
+  baseUrl,
+  /* c8 ignore next */
+  request: proxyUrl ? { fetch: proxyFetch } : {},
+});

main.js

@@ -2,22 +2,46 @@
 
 import core from "@actions/core";
 import { createAppAuth } from "@octokit/auth-app";
-import { request } from "@octokit/request";
 
 import { main } from "./lib/main.js";
+import request from "./lib/request.js";
 
 if (!process.env.GITHUB_REPOSITORY) {
   throw new Error("GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'");
 }
 
-const appId = core.getInput("app_id");
-const privateKey = core.getInput("private_key");
+if (!process.env.GITHUB_REPOSITORY_OWNER) {
+  throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
+}
 
-const repository = process.env.GITHUB_REPOSITORY;
+const appId = core.getInput("app-id") || core.getInput("app_id");
+if (!appId) {
+  // The 'app_id' input was previously required, but it and 'app-id' are both optional now, until the former is removed. Still, we want to ensure that at least one of them is set.
+  throw new Error("Input required and not supplied: app-id");
+}
+const privateKey = core.getInput("private-key") || core.getInput("private_key");
+if (!privateKey) {
+  // The 'private_key' input was previously required, but it and 'private-key' are both optional now, until the former is removed. Still, we want to ensure that at least one of them is set.
+  throw new Error("Input required and not supplied: private-key");
+}
+const owner = core.getInput("owner");
+const repositories = core.getInput("repositories");
 
-main(appId, privateKey, repository, core, createAppAuth, request).catch(
-  (error) => {
-    console.error(error);
-    core.setFailed(error.message);
-  }
+const skipTokenRevoke = Boolean(
+  core.getInput("skip-token-revoke") || core.getInput("skip_token_revoke")
 );
+
+main(
+  appId,
+  privateKey,
+  owner,
+  repositories,
+  core,
+  createAppAuth,
+  request,
+  skipTokenRevoke
+).catch((error) => {
+  /* c8 ignore next 3 */
+  console.error(error);
+  core.setFailed(error.message);
+});

package.json

@@ -1,22 +1,32 @@
 {
-  "name": "app-token-action",
+  "name": "create-github-app-token",
   "private": true,
   "type": "module",
-  "version": "1.0.0",
+  "version": "1.10.3",
   "description": "GitHub Action for creating a GitHub App Installation Access Token",
   "scripts": {
-    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node16.16",
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0",
+    "test": "c8 --100 ava tests/index.js",
+    "coverage": "c8 report --reporter html",
+    "postcoverage": "open-cli coverage/index.html"
   },
   "license": "MIT",
   "dependencies": {
-    "@actions/core": "^1.10.0",
-    "@octokit/auth-app": "^4.0.13",
-    "@octokit/request": "^6.2.5"
+    "@actions/core": "^1.10.1",
+    "@octokit/auth-app": "^7.1.0",
+    "@octokit/request": "^9.0.1",
+    "p-retry": "^6.2.0",
+    "undici": "^6.19.2"
   },
   "devDependencies": {
-    "dotenv": "^16.0.3",
-    "esbuild": "^0.17.19"
+    "@sinonjs/fake-timers": "^11.2.2",
+    "ava": "^6.1.3",
+    "c8": "^9.1.0",
+    "dotenv": "^16.4.5",
+    "esbuild": "^0.21.4",
+    "execa": "^9.1.0",
+    "open-cli": "^8.0.0",
+    "yaml": "^2.4.2"
   },
   "release": {
     "branches": [
@@ -27,7 +37,18 @@
       "@semantic-release/commit-analyzer",
       "@semantic-release/release-notes-generator",
       "@semantic-release/github",
-      "semantic-release-plugin-github-breaking-version-tag"
+      "@semantic-release/npm",
+      "semantic-release-plugin-github-breaking-version-tag",
+      [
+        "@semantic-release/git",
+        {
+          "assets": [
+            "package.json",
+            "dist/*"
+          ],
+          "message": "build(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+        }
+      ]
     ]
   }
 }

post.js

@@ -1,13 +1,12 @@
 // @ts-check
 
 import core from "@actions/core";
-import { request } from "@octokit/request";
 
 import { post } from "./lib/post.js";
+import request from "./lib/request.js";
 
-post(core, request).catch(
-  (error) => {
-    console.error(error);
-    core.setFailed(error.message);
-  }
-);
+post(core, request).catch((error) => {
+  /* c8 ignore next 3 */
+  console.error(error);
+  core.setFailed(error.message);
+});

tests/README.md

@@ -0,0 +1,19 @@
+# Tests
+
+Add one test file per scenario. You can run them in isolation with:
+
+```bash
+node tests/post-token-set.test.js
+```
+
+All tests are run together in [tests/index.js](index.js), which can be executed with ava
+
+```
+npx ava tests/index.js
+```
+
+or with npm
+
+```
+npm test
+```

tests/action-deprecated-inputs.test.js

@@ -0,0 +1,16 @@
+import { readFileSync } from "node:fs";
+import * as url from "node:url";
+import YAML from "yaml";
+
+const action = YAML.parse(
+  readFileSync(
+    url.fileURLToPath(new URL("../action.yml", import.meta.url)),
+    "utf8"
+  )
+);
+
+for (const [key, value] of Object.entries(action.inputs)) {
+  if ("deprecationMessage" in value) {
+    console.log(`${key} — ${value.deprecationMessage}`);
+  }
+}

tests/index.js

@@ -0,0 +1,19 @@
+import { readdirSync } from "node:fs";
+
+import { execa } from "execa";
+import test from "ava";
+
+const tests = readdirSync("tests").filter((file) => file.endsWith(".test.js"));
+
+for (const file of tests) {
+  test(file, async (t) => {
+    // Override Actions environment variables that change `core`’s behavior
+    const env = {
+      GITHUB_OUTPUT: undefined,
+      GITHUB_STATE: undefined,
+    };
+    const { stderr, stdout } = await execa("node", [`tests/${file}`], { env });
+    t.snapshot(stderr, "stderr");
+    t.snapshot(stdout, "stdout");
+  });
+}

tests/main-custom-github-api-url.test.js

@@ -0,0 +1,13 @@
+import { test, DEFAULT_ENV } from "./main.js";
+
+// Verify that main works with a custom GitHub API URL passed as `github-api-url` input
+await test(
+  () => {
+    process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
+    process.env.INPUT_REPOSITORIES = process.env.GITHUB_REPOSITORY;
+  },
+  {
+    ...DEFAULT_ENV,
+    "INPUT_GITHUB-API-URL": "https://github.acme-inc.com/api/v3",
+  }
+);

tests/main-missing-app-id.test.js

@@ -0,0 +1,9 @@
+process.env.GITHUB_REPOSITORY_OWNER = "actions";
+process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+
+// Verify `main` exits with an error when neither the `app-id` nor `app_id` input is set.
+try {
+  await import("../main.js");
+} catch (error) {
+  console.error(error.message);
+}

tests/main-missing-owner.test.js

@@ -0,0 +1,9 @@
+process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+delete process.env.GITHUB_REPOSITORY_OWNER;
+
+// Verify `main` exits with an error when `GITHUB_REPOSITORY_OWNER` is missing.
+try {
+  await import("../main.js");
+} catch (error) {
+  console.error(error.message);
+}

tests/main-missing-private-key.test.js

@@ -0,0 +1,10 @@
+process.env.GITHUB_REPOSITORY_OWNER = "actions";
+process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+process.env["INPUT_APP-ID"] = "123456";
+
+// Verify `main` exits with an error when neither the `private-key` nor `private_key` input is set.
+try {
+  await import("../main.js");
+} catch (error) {
+  console.error(error.message);
+}

tests/main-missing-repository.test.js

@@ -0,0 +1,8 @@
+delete process.env.GITHUB_REPOSITORY;
+
+// Verify `main` exits with an error when `GITHUB_REPOSITORY` is missing.
+try {
+  await import("../main.js");
+} catch (error) {
+  console.error(error.message);
+}

tests/main-private-key-with-escaped-newlines.js

@@ -0,0 +1,6 @@
+import { test, DEFAULT_ENV } from "./main.js";
+
+// Verify `main` works correctly when `private-key` input has escaped newlines
+await test(() => {
+  process.env['INPUT_PRIVATE-KEY'] = DEFAULT_ENV.PRIVATE_KEY.replace(/\n/g, '\\n')
+});

tests/main-repo-skew.js

@@ -0,0 +1,58 @@
+import { test } from "./main.js";
+
+import { install } from "@sinonjs/fake-timers";
+
+// Verify `main` retry when the clock has drifted.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = 'actions'
+  process.env.INPUT_REPOSITORIES = 'failed-repo';
+  const owner = process.env.INPUT_OWNER
+  const repo = process.env.INPUT_REPOSITORIES
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+
+  install({ now: 0, toFake: ["Date"] });
+
+  mockPool
+    .intercept({
+      path: `/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(({ headers }) => {
+      const [_, jwt] = (headers.authorization || "").split(" ");
+      const payload = JSON.parse(Buffer.from(jwt.split(".")[1], "base64").toString());
+
+      if (payload.iat < 0) {
+        return {
+          statusCode: 401,
+          data: {
+            message: "'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued."
+          },
+          responseOptions: {
+            headers: {
+              "content-type": "application/json",
+              "date": new Date(Date.now() + 30000).toUTCString()
+            }
+          }
+        };
+      }
+
+      return {
+        statusCode: 200,
+        data: {
+          id: mockInstallationId,
+          "app_slug": mockAppSlug
+        },
+        responseOptions: {
+          headers: {
+            "content-type": "application/json"
+          }
+        }
+      };
+    }).times(2);
+});

tests/main-token-get-owner-set-repo-fail-response.test.js

@@ -0,0 +1,39 @@
+import { test } from "./main.js";
+
+// Verify `main` retry when  the GitHub API returns a 500 error.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = "actions";
+  process.env.INPUT_REPOSITORIES = "failed-repo";
+  const owner = process.env.INPUT_OWNER;
+  const repo = process.env.INPUT_REPOSITORIES;
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+
+  mockPool
+    .intercept({
+      path: `/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(500, "GitHub API not available");
+
+  mockPool
+    .intercept({
+      path: `/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId, "app_slug": mockAppSlug },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main-token-get-owner-set-repo-set-to-many.test.js

@@ -0,0 +1,7 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` and `repositories` inputs are set (and the latter is a list of repos).
+await test(() => {
+  process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
+  process.env.INPUT_REPOSITORIES = `${process.env.GITHUB_REPOSITORY},actions/toolkit`;
+});

tests/main-token-get-owner-set-repo-set-to-one.test.js

@@ -0,0 +1,7 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` and `repositories` inputs are set (and the latter is a single repo).
+await test(() => {
+  process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
+  process.env.INPUT_REPOSITORIES = process.env.GITHUB_REPOSITORY;
+});

tests/main-token-get-owner-set-to-org-repo-unset.test.js

@@ -0,0 +1,26 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` input is set (to an org), but the `repositories` input isn’t set.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
+  delete process.env.INPUT_REPOSITORIES;
+
+  // Mock installation id and app slug request
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+  mockPool
+    .intercept({
+      path: `/orgs/${process.env.INPUT_OWNER}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId, "app_slug": mockAppSlug },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main-token-get-owner-set-to-user-fail-response.test.js

@@ -0,0 +1,37 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` input is set (to a user), but the `repositories` input isn’t set.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = "smockle";
+  delete process.env.INPUT_REPOSITORIES;
+
+  // Mock installation ID and app slug request
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+  mockPool
+    .intercept({
+      path: `/orgs/${process.env.INPUT_OWNER}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(500, "GitHub API not available");
+  mockPool
+    .intercept({
+      path: `/orgs/${process.env.INPUT_OWNER}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId, "app_slug": mockAppSlug },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main-token-get-owner-set-to-user-repo-unset.test.js

@@ -0,0 +1,37 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` input is set (to a user), but the `repositories` input isn’t set.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = "smockle";
+  delete process.env.INPUT_REPOSITORIES;
+
+  // Mock installation ID and app slug request
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+  mockPool
+    .intercept({
+      path: `/orgs/${process.env.INPUT_OWNER}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(404);
+  mockPool
+    .intercept({
+      path: `/users/${process.env.INPUT_OWNER}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId, "app_slug": mockAppSlug },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main-token-get-owner-unset-repo-set.test.js

@@ -0,0 +1,7 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` input is not set, but the `repositories` input is set.
+await test(() => {
+  delete process.env.INPUT_OWNER;
+  process.env.INPUT_REPOSITORIES = process.env.GITHUB_REPOSITORY;
+});

tests/main-token-get-owner-unset-repo-unset.test.js

@@ -0,0 +1,26 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when neither the `owner` nor `repositories` input is set.
+await test((mockPool) => {
+  delete process.env.INPUT_OWNER;
+  delete process.env.INPUT_REPOSITORIES;
+
+  // Mock installation ID and app slug request
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+  mockPool
+    .intercept({
+      path: `/repos/${process.env.GITHUB_REPOSITORY}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId, "app_slug": mockAppSlug },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main.js

@@ -0,0 +1,105 @@
+// Base for all `main` tests.
+// @ts-check
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+export const DEFAULT_ENV = {
+  GITHUB_REPOSITORY_OWNER: "actions",
+  GITHUB_REPOSITORY: "actions/create-github-app-token",
+  // inputs are set as environment variables with the prefix INPUT_
+  // https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+  "INPUT_GITHUB-API-URL": "https://api.github.com",
+  "INPUT_APP-ID": "123456",
+  // This key is invalidated. It’s from https://github.com/octokit/auth-app.js/issues/465#issuecomment-1564998327.
+  "INPUT_PRIVATE-KEY": `-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA280nfuUM9w00Ib9E2rvZJ6Qu3Ua3IqR34ZlK53vn/Iobn2EL
+Z9puc5Q/nFBU15NKwHyQNb+OG2hTCkjd1Xi9XPzEOH1r42YQmTGq8YCkUSkk6KZA
+5dnhLwN9pFquT9fQgrf4r1D5GJj3rqvj8JDr1sBmunArqY5u4gziSrIohcjLIZV0
+cIMz/RUIMe/EAsNeiwzEteHAtf/WpMs+OfF94SIUrDlkPr0H0H3DER8l1HZAvE0e
+eD3ZJ6njrF6UHQWDVrekSTB0clpVTTU9TMpe+gs2nnFww9G8As+WsW8xHVjVipJy
+AwqBhiR+s7wlcbh2i0NQqt8GL9/jIFTmleiwsQIDAQABAoIBAHNyP8pgl/yyzKzk
+/0871wUBMTQ7zji91dGCaFtJM0HrcDK4D/uOOPEv7nE1qDpKPLr5Me1pHUS7+NGw
+EAPtlNhgUtew2JfppdIwyi5qeOPADoi7ud6AH8xHsxg+IMwC+JuP8WhzyUHoJj9y
+PRi/pX94Mvy9qdE25HqKddjx1mLdaHhxqPkr16/em23uYZqm1lORsCPD3vTlthj7
+WiEbBSqmpYvjj8iFP4yFk2N+LvuWgSilRzq1Af3qE7PUp4xhjmcOPs78Sag1T7nl
+ww/pgqCegISABHik7j++/5T+UlI5cLsyp/XENU9zAd4kCIczwNKpun2bn+djJdft
+ravyX4ECgYEA+k2mHfi1zwKF3wT+cJbf30+uXrJczK2yZ33//4RKnhBaq7nSbQAI
+nhWz2JESBK0TEo0+L7yYYq3HnT9vcES5R1NxzruH9wXgxssSx3JUj6w1raXYPh3B
++1XpYQsa6/bo2LmBELEx47F8FQbNgD5dmTJ4jBrf6MV4rRh9h6Bs7UkCgYEA4M3K
+eAw52c2MNMIxH/LxdOQtEBq5GMu3AQC8I64DSSRrAoiypfEgyTV6S4gWJ5TKgYfD
+zclnOVJF+tITe3neO9wHoZp8iCjCnoijcT6p2cJ4IaW68LEHPOokWBk0EpLjF4p2
+7sFi9+lUpXYXfCN7aMJ77QpGzB7dNsBf0KUxMCkCgYEAjw/mjGbk82bLwUaHby6s
+0mQmk7V6WPpGZ+Sadx7TzzglutVAslA8nK5m1rdEBywtJINaMcqnhm8xEm15cj+1
+blEBUVnaQpQ3fyf+mcR9FIknPRL3X7l+b/sQowjH4GqFd6m/XR0KGMwO0a3Lsyry
+MGeqgtmxdMe5S6YdyXEmERECgYAgQsgklDSVIh9Vzux31kh6auhgoEUh3tJDbZSS
+Vj2YeIZ21aE1mTYISglj34K2aW7qSc56sMWEf18VkKJFHQccdgYOVfo7HAZZ8+fo
+r4J2gqb0xTDfq7gLMNrIXc2QQM4gKbnJp60JQM3p9NmH8huavBZGvSvNzTwXyGG3
+so0tiQKBgGQXZaxaXhYUcxYHuCkQ3V4Vsj3ezlM92xXlP32SGFm3KgFhYy9kATxw
+Cax1ytZzvlrKLQyQFVK1COs2rHt7W4cJ7op7C8zXfsigXCiejnS664oAuX8sQZID
+x3WQZRiXlWejSMUAHuMwXrhGlltF3lw83+xAjnqsVp75kGS6OH61
+-----END RSA PRIVATE KEY-----`,
+};
+
+export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
+  for (const [key, value] of Object.entries(env)) {
+    process.env[key] = value;
+  }
+
+  // Set up mocking
+  const baseUrl = new URL(env["INPUT_GITHUB-API-URL"]);
+  const basePath = baseUrl.pathname === '/' ? '' : baseUrl.pathname;
+  const mockAgent = new MockAgent();
+  mockAgent.disableNetConnect();
+  setGlobalDispatcher(mockAgent);
+  const mockPool = mockAgent.get(baseUrl.origin);
+
+  // Calling `auth({ type: "app" })` to obtain a JWT doesn’t make network requests, so no need to intercept.
+
+  // Mock installation ID and app slug request
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+  const owner = env.INPUT_OWNER ?? env.GITHUB_REPOSITORY_OWNER;
+  const repo = encodeURIComponent(
+    (env.INPUT_REPOSITORIES ?? env.GITHUB_REPOSITORY).split(",")[0]
+  );
+  mockPool
+    .intercept({
+      path: `${basePath}/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId, "app_slug": mockAppSlug },
+      { headers: { "content-type": "application/json" } }
+    );
+
+  // Mock installation access token request
+  const mockInstallationAccessToken =
+    "ghs_16C7e42F292c6912E7710c838347Ae178B4a"; // This token is invalidated. It’s from https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app.
+  const mockExpiresAt = "2016-07-11T22:14:10Z";
+  mockPool
+    .intercept({
+      path: `${basePath}/app/installations/${mockInstallationId}/access_tokens`,
+      method: "POST",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Note: Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      201,
+      { token: mockInstallationAccessToken, expires_at: mockExpiresAt },
+      { headers: { "content-type": "application/json" } }
+    );
+
+  // Run the callback
+  cb(mockPool);
+
+  // Run the main script
+  await import("../main.js");
+}

tests/post-revoke-token-fail-response.test.js

@@ -0,0 +1,34 @@
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+process.env.STATE_token = "secret123";
+
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+
+// 1 hour in the future, not expired
+process.env.STATE_expiresAt = new Date(
+  Date.now() + 1000 * 60 * 60
+).toISOString();
+
+const mockAgent = new MockAgent();
+
+setGlobalDispatcher(mockAgent);
+
+// Provide the base url to the request
+const mockPool = mockAgent.get("https://api.github.com");
+
+// intercept the request
+mockPool
+  .intercept({
+    path: "/installation/token",
+    method: "DELETE",
+    headers: {
+      authorization: "token secret123",
+    },
+  })
+  .reply(401);
+
+await import("../post.js");

tests/post-token-expired.test.js

@@ -0,0 +1,28 @@
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+process.env.STATE_token = "secret123";
+
+// 1 hour in the past, expired
+process.env.STATE_expiresAt = new Date(Date.now() - 1000 * 60 * 60).toISOString();
+
+const mockAgent = new MockAgent();
+
+setGlobalDispatcher(mockAgent);
+
+// Provide the base url to the request
+const mockPool = mockAgent.get("https://api.github.com");
+
+// intercept the request
+mockPool
+  .intercept({
+    path: "/installation/token",
+    method: "DELETE",
+    headers: {
+      authorization: "token secret123",
+    },
+  })
+  .reply(204);
+
+await import("../post.js");

tests/post-token-set.test.js

@@ -0,0 +1,32 @@
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+process.env.STATE_token = "secret123";
+
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+
+// 1 hour in the future, not expired
+process.env.STATE_expiresAt = new Date(Date.now() + 1000 * 60 * 60).toISOString();
+
+const mockAgent = new MockAgent();
+
+setGlobalDispatcher(mockAgent);
+
+// Provide the base url to the request
+const mockPool = mockAgent.get("https://api.github.com");
+
+// intercept the request
+mockPool
+  .intercept({
+    path: "/installation/token",
+    method: "DELETE",
+    headers: {
+      authorization: "token secret123",
+    },
+  })
+  .reply(204);
+
+await import("../post.js");

tests/post-token-skipped.test.js

@@ -0,0 +1,29 @@
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+process.env.STATE_token = "secret123";
+
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "true";
+
+const mockAgent = new MockAgent();
+
+setGlobalDispatcher(mockAgent);
+
+// Provide the base url to the request
+const mockPool = mockAgent.get("https://api.github.com");
+
+// intercept the request
+mockPool
+  .intercept({
+    path: "/installation/token",
+    method: "DELETE",
+    headers: {
+      authorization: "token secret123",
+    },
+  })
+  .reply(204);
+
+await import("../post.js");

tests/post-token-unset.test.js

@@ -0,0 +1,5 @@
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+delete process.env.STATE_token;
+
+await import("../post.js");

tests/snapshots/index.js.md

@@ -0,0 +1,280 @@
+# Snapshot report for `tests/index.js`
+
+The actual snapshot is saved in `index.js.snap`.
+
+Generated by [AVA](https://avajs.dev).
+
+## action-deprecated-inputs.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `app_id — 'app_id' is deprecated and will be removed in a future version. Use 'app-id' instead.␊
+    private_key — 'private_key' is deprecated and will be removed in a future version. Use 'private-key' instead.␊
+    skip_token_revoke — 'skip_token_revoke' is deprecated and will be removed in a future version. Use 'skip-token-revoke' instead.`
+
+## main-custom-github-api-url.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `owner and repositories set, creating token for repositories "actions/create-github-app-token" owned by "actions"␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
+
+## main-missing-app-id.test.js
+
+> stderr
+
+    'Input required and not supplied: app-id'
+
+> stdout
+
+    ''
+
+## main-missing-owner.test.js
+
+> stderr
+
+    'GITHUB_REPOSITORY_OWNER missing, must be set to \'<owner>\''
+
+> stdout
+
+    ''
+
+## main-missing-private-key.test.js
+
+> stderr
+
+    'Input required and not supplied: private-key'
+
+> stdout
+
+    ''
+
+## main-missing-repository.test.js
+
+> stderr
+
+    'GITHUB_REPOSITORY missing, must be set to \'<owner>/<repo>\''
+
+> stdout
+
+    ''
+
+## main-token-get-owner-set-repo-fail-response.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `owner and repositories set, creating token for repositories "failed-repo" owned by "actions"␊
+    Failed to create token for "failed-repo" (attempt 1): GitHub API not available␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
+
+## main-token-get-owner-set-repo-set-to-many.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `owner and repositories set, creating token for repositories "actions/create-github-app-token,actions/toolkit" owned by "actions"␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
+
+## main-token-get-owner-set-repo-set-to-one.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `owner and repositories set, creating token for repositories "actions/create-github-app-token" owned by "actions"␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
+
+## main-token-get-owner-set-to-org-repo-unset.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `repositories not set, creating token for all repositories for given owner "actions"␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
+
+## main-token-get-owner-set-to-user-fail-response.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `repositories not set, creating token for all repositories for given owner "smockle"␊
+    Failed to create token for "smockle" (attempt 1): GitHub API not available␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
+
+## main-token-get-owner-set-to-user-repo-unset.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `repositories not set, creating token for all repositories for given owner "smockle"␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
+
+## main-token-get-owner-unset-repo-set.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `owner not set, creating owner for given repositories "actions/create-github-app-token" in current owner ("actions")␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
+
+## main-token-get-owner-unset-repo-unset.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `owner and repositories not set, creating token for the current repository ("create-github-app-token")␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
+
+## post-revoke-token-fail-response.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    '::warning::Token revocation failed: '
+
+## post-token-expired.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    'Token expired, skipping token revocation'
+
+## post-token-set.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    'Token revoked'
+
+## post-token-skipped.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    'Token revocation was skipped'
+
+## post-token-unset.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    'Token is not set'