fix: mask the installation token in logs (#28 )

The runner will automatically mask GitHub token formats it recognizes, but sometimes a new pattern rolls out before the runner is updated to recognize it.
build(dependabot): group dependency updates by type and configure commit prefixes (#27 )
2023-08-25 11:59:01 -07:00 · 2023-08-25 09:01:54 -07:00 · 2023-08-24 15:30:49 -07:00
3 changed files with 20 additions and 3 deletions
@@ -4,6 +4,15 @@ updates:
    directory: "/"
    schedule:
      interval: "monthly"
+    groups:
+      production-dependencies:
+        dependency-type: "production"
+      development-dependencies:
+        dependency-type: "development"
+    commit-message:
+      prefix: "fix"
+      prefix-development: "build"
+      include: "scope"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
@@ -1,5 +1,10 @@
 name: test
-on: [push]
+on:
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true

 jobs:
  test:
@@ -13,14 +18,14 @@ jobs:
      - run: npm ci
      - run: npm run build
      - uses: ./ # Uses the action in the root directory
-        id: demo
+        id: test
        with:
          app_id: ${{ vars.TEST_APP_ID }}
          private_key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
      - uses: octokit/request-action@v2.x
        id: get-repository
        env:
-          GITHUB_TOKEN: ${{ steps.demo.outputs.token }}
+          GITHUB_TOKEN: ${{ steps.test.outputs.token }}
        with:
          route: GET /installation/repositories
      - run: echo '${{ steps.get-repository.outputs.data }}'
@@ -52,6 +52,9 @@ export async function main(
    repositoryNames: [repo],
  });

+  // Register the token with the runner as a secret to ensure it is masked in logs
+  core.setSecret(authentication.token);
+
  core.setOutput("token", authentication.token);

  // Make token accessible to post function (so we can invalidate it)