build(release): 1.4.0 [skip ci]

# [1.4.0](https://github.com/actions/create-github-app-token/compare/v1.3.0...v1.4.0) (2023-10-06)

### Features

* Add a `skip_token_revoke` input for configuring token revocation ([#54](https://github.com/actions/create-github-app-token/issues/54)) ([9ec88c4](https://github.com/actions/create-github-app-token/commit/9ec88c41eef7052418d233d147c59fbdce19c56f)), closes [1#L46-L47](https://github.com/1/issues/L46-L47) [1#L132](https://github.com/1/issues/L132)

.github/workflows/release.yml

@@ -19,7 +19,7 @@ jobs:
         with:
           app_id: ${{ vars.RELEASER_APP_ID }}
           private_key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           token: ${{ steps.app-token.outputs.token }}
       - run: npm install --no-save @semantic-release/git semantic-release-plugin-github-breaking-version-tag

.github/workflows/test.yml

@@ -1,5 +1,8 @@
 name: test
 on:
+  push:
+    branches:
+      - main
   pull_request:
 
 concurrency:
@@ -7,13 +10,28 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  test:
+  integration:
+    name: Integration
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-node@v3
         with:
-          node-version: "16.16"
+          node-version: 20
+          cache: "npm"
+      - run: npm ci
+      - run: npm test
+
+  end-to-end:
+    name: End-to-End
+    runs-on: ubuntu-latest
+    # do not run from forks, as forks don’t have access to repository secrets
+    if: github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 20
           cache: "npm"
       - run: npm ci
       - run: npm run build

README.md

@@ -10,7 +10,7 @@ In order to use this action, you need to:
 2. [Store the App's ID in your repository environment variables](https://docs.github.com/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_ID`)
 3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets?tool=webui#creating-encrypted-secrets-for-a-repository) (example: `PRIVATE_KEY`)
 
-### Minimal usage
+### Create a token for the current repository
 
 ```yaml
 on: [issues]
@@ -57,6 +57,73 @@ jobs:
           github_token: ${{ steps.app-token.outputs.token }}
 ```
 
+### Create a token for all repositories in the current owner's installation
+
+```yaml
+on: [workflow_dispatch]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+      - uses: peter-evans/create-or-update-comment@v3
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          issue-number: ${{ github.event.issue.number }}
+          body: "Hello, World!"
+```
+
+### Create a token for multiple repositories in the current owner's installation
+
+```yaml
+on: [issues]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "repo1,repo2"
+      - uses: peter-evans/create-or-update-comment@v3
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          issue-number: ${{ github.event.issue.number }}
+          body: "Hello, World!"
+```
+
+### Create a token for all repositories in another owner's installation
+
+```yaml
+on: [issues]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.PRIVATE_KEY }}
+          owner: another-owner
+      - uses: peter-evans/create-or-update-comment@v3
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          issue-number: ${{ github.event.issue.number }}
+          body: "Hello, World!"
+```
+
 ## Inputs
 
 ### `app_id`
@@ -67,6 +134,21 @@ jobs:
 
 **Required:** GitHub App private key.
 
+### `owner`
+
+**Optional:** GitHub App installation owner. If empty, defaults to the current repository owner.
+
+### `repositories`
+
+**Optional:** Comma-separated list of repositories to grant access to.
+
+> [!NOTE]
+> If `owner` is set and `repositories` is empty, access will be scoped to all repositories in the provided repository owner's installation. If `owner` and `repositories` are empty, access will be scoped to only the current repository.
+
+### `skip_token_revoke`
+
+**Optional:** If truthy, the token will not be revoked when the current job is complete.
+
 ## Outputs
 
 ### `token`
@@ -77,10 +159,10 @@ GitHub App installation access token.
 
 The action creates an installation access token using [the `POST /app/installations/{installation_id}/access_tokens` endpoint](https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app). By default,
 
-1. The token is scoped to the current repository.
+1. The token is scoped to the current repository or `repositories` if set.
 2. The token inherits all the installation's permissions.
 3. The token is set as output `token` which can be used in subsequent steps.
-4. The token is revoked in the `post` step of the action, which means it cannot be passed to another job.
+4. Unless the `skip_token_revoke` input is set to a truthy value, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
 5. The token is masked, it cannot be logged accidentally.
 
 > [!NOTE]

action.yml

@@ -11,6 +11,15 @@ inputs:
   private_key:
     description: "GitHub App private key"
     required: true
+  owner:
+    description: "GitHub App owner (defaults to current repository owner)"
+    required: false
+  repositories:
+    description: "Repositories to install the GitHub App on (defaults to current repository if owner is unset)"
+    required: false
+  skip_token_revoke:
+    description: "If truthy, the token will not be revoked when the current job is complete"
+    required: false
 outputs:
   token:
     description: "GitHub installation access token"

dist/post.cjs

@@ -569,7 +569,12 @@ var require_proxy = __commonJS({
         }
       })();
       if (proxyVar) {
-        return new URL(proxyVar);
+        try {
+          return new URL(proxyVar);
+        } catch (_a) {
+          if (!proxyVar.startsWith("http://") && !proxyVar.startsWith("https://"))
+            return new URL(`http://${proxyVar}`);
+        }
       } else {
         return void 0;
       }
@@ -1001,6 +1006,19 @@ var require_lib = __commonJS({
           }));
         });
       }
+      readBodyBuffer() {
+        return __awaiter(this, void 0, void 0, function* () {
+          return new Promise((resolve) => __awaiter(this, void 0, void 0, function* () {
+            const chunks = [];
+            this.message.on("data", (chunk) => {
+              chunks.push(chunk);
+            });
+            this.message.on("end", () => {
+              resolve(Buffer.concat(chunks));
+            });
+          }));
+        });
+      }
     };
     exports.HttpClientResponse = HttpClientResponse;
     function isHttps(requestUrl) {
@@ -1602,7 +1620,7 @@ var require_oidc_utils = __commonJS({
  
         Error Code : ${error.statusCode}
  
-        Error Message: ${error.result.message}`);
+        Error Message: ${error.message}`);
           });
           const id_token = (_a = res.result) === null || _a === void 0 ? void 0 : _a.value;
           if (!id_token) {
@@ -2278,7 +2296,7 @@ var require_dist_node2 = __commonJS({
     });
     module2.exports = __toCommonJS2(dist_src_exports);
     var import_universal_user_agent = require_dist_node();
-    var VERSION = "9.0.0";
+    var VERSION = "9.0.1";
     var userAgent = `octokit-endpoint.js/${VERSION} ${(0, import_universal_user_agent.getUserAgent)()}`;
     var DEFAULTS = {
       method: "GET",
@@ -2793,7 +2811,7 @@ var require_dist_node5 = __commonJS({
     module2.exports = __toCommonJS2(dist_src_exports);
     var import_endpoint = require_dist_node2();
     var import_universal_user_agent = require_dist_node();
-    var VERSION = "8.1.1";
+    var VERSION = "8.1.2";
     var import_is_plain_object = require_is_plain_object();
     var import_request_error = require_dist_node4();
     function getBufferResponse(response) {
@@ -2951,30 +2969,47 @@ var require_dist_node5 = __commonJS({
 });
 
 // post.js
-var import_core2 = __toESM(require_core(), 1);
-var import_request = __toESM(require_dist_node5(), 1);
+var import_core = __toESM(require_core(), 1);
 
 // lib/post.js
-var import_core = __toESM(require_core(), 1);
-async function post(core3, request2) {
-  const token = core3.getState("token");
-  if (!token)
+async function post(core2, request2) {
+  const skipTokenRevoke = Boolean(core2.getInput("skip_token_revoke"));
+  if (skipTokenRevoke) {
+    core2.info("Token revocation was skipped");
     return;
+  }
+  const token = core2.getState("token");
+  if (!token) {
+    core2.info("Token is not set");
+    return;
+  }
   await request2("DELETE /installation/token", {
     headers: {
       authorization: `token ${token}`
     }
   });
-  core3.info("Token revoked");
+  core2.info("Token revoked");
 }
 
-// post.js
-post(import_core2.default, import_request.request).catch(
-  (error) => {
-    console.error(error);
-    import_core2.default.setFailed(error.message);
+// lib/request.js
+var import_request = __toESM(require_dist_node5(), 1);
+var request_default = import_request.request.defaults({
+  baseUrl: process.env["GITHUB_API_URL"],
+  headers: {
+    "user-agent": "actions/create-github-app-token"
   }
-);
+});
+
+// post.js
+post(
+  import_core.default,
+  request_default.defaults({
+    baseUrl: process.env["GITHUB_API_URL"]
+  })
+).catch((error) => {
+  console.error(error);
+  import_core.default.setFailed(error.message);
+});
 /*! Bundled license information:
 
 is-plain-object/dist/is-plain-object.js:

lib/main.js

@@ -1,62 +1,130 @@
 // @ts-check
 
-import core from "@actions/core";
-import { createAppAuth } from "@octokit/auth-app";
-import { request } from "@octokit/request";
-
 /**
  * @param {string} appId
  * @param {string} privateKey
- * @param {string} repository
- * @param {core} core
- * @param {createAppAuth} createAppAuth
- * @param {request} request
+ * @param {string} owner
+ * @param {string} repositories
+ * @param {import("@actions/core")} core
+ * @param {import("@octokit/auth-app").createAppAuth} createAppAuth
+ * @param {import("@octokit/request").request} request
+ * @param {boolean} skipTokenRevoke
  */
 export async function main(
   appId,
   privateKey,
-  repository,
+  owner,
+  repositories,
   core,
   createAppAuth,
-  request
+  request,
+  skipTokenRevoke
 ) {
-  // Get owner and repo name from GITHUB_REPOSITORY
-  const [owner, repo] = repository.split("/");
+  let parsedOwner = "";
+  let parsedRepositoryNames = "";
+
+  // If neither owner nor repositories are set, default to current repository
+  if (!owner && !repositories) {
+    [parsedOwner, parsedRepositoryNames] = String(
+      process.env.GITHUB_REPOSITORY
+    ).split("/");
+
+    core.info(
+      `owner and repositories not set, creating token for the current repository ("${parsedRepositoryNames}")`
+    );
+  }
+
+  // If only an owner is set, default to all repositories from that owner
+  if (owner && !repositories) {
+    parsedOwner = owner;
+
+    core.info(
+      `repositories not set, creating token for all repositories for given owner "${owner}"`
+    );
+  }
+
+  // If repositories are set, but no owner, default to `GITHUB_REPOSITORY_OWNER`
+  if (!owner && repositories) {
+    parsedOwner = String(process.env.GITHUB_REPOSITORY_OWNER);
+    parsedRepositoryNames = repositories;
+
+    core.info(
+      `owner not set, creating owner for given repositories "${repositories}" in current owner ("${parsedOwner}")`
+    );
+  }
+
+  // If both owner and repositories are set, use those values
+  if (owner && repositories) {
+    parsedOwner = owner;
+    parsedRepositoryNames = repositories;
+
+    core.info(
+      `owner and repositories set, creating token for repositories "${repositories}" owned by "${owner}"`
+    );
+  }
 
   const auth = createAppAuth({
     appId,
     privateKey,
+    request,
   });
 
   const appAuthentication = await auth({
     type: "app",
   });
 
-  // Get the installation ID
-  // https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
-  const { data: installation } = await request(
-    "GET /repos/{owner}/{repo}/installation",
-    {
-      owner,
-      repo,
+  let authentication;
+  // If at least one repository is set, get installation ID from that repository
+  // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
+  if (parsedRepositoryNames) {
+    const response = await request("GET /repos/{owner}/{repo}/installation", {
+      owner: parsedOwner,
+      repo: parsedRepositoryNames.split(",")[0],
       headers: {
         authorization: `bearer ${appAuthentication.token}`,
       },
-    }
-  );
+    });
 
-  // Create a new installation token
-  const authentication = await auth({
-    type: "installation",
-    installationId: installation.id,
-    repositoryNames: [repo],
-  });
+    // Get token for given repositories
+    authentication = await auth({
+      type: "installation",
+      installationId: response.data.id,
+      repositoryNames: parsedRepositoryNames.split(","),
+    });
+  } else {
+    // Otherwise get the installation for the owner, which can either be an organization or a user account
+    // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
+    const response = await request("GET /orgs/{org}/installation", {
+      org: parsedOwner,
+      headers: {
+        authorization: `bearer ${appAuthentication.token}`,
+      },
+    }).catch((error) => {
+      if (error.status !== 404) throw error;
+
+      // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app
+      return request("GET /users/{username}/installation", {
+        username: parsedOwner,
+        headers: {
+          authorization: `bearer ${appAuthentication.token}`,
+        },
+      });
+    });
+
+    // Get token for for all repositories of the given installation
+    authentication = await auth({
+      type: "installation",
+      installationId: response.data.id,
+    });
+  }
 
   // Register the token with the runner as a secret to ensure it is masked in logs
   core.setSecret(authentication.token);
 
   core.setOutput("token", authentication.token);
-
+  
   // Make token accessible to post function (so we can invalidate it)
-  core.saveState("token", authentication.token);
+  if (!skipTokenRevoke) {
+    core.saveState("token", authentication.token);
+  }
 }

lib/post.js

@@ -1,17 +1,24 @@
 // @ts-check
 
-import core from "@actions/core";
-import { request } from "@octokit/request";
-
 /**
- * @param {core} core
- * @param {request} request
+ * @param {import("@actions/core")} core
+ * @param {import("@octokit/request").request} request
  */
 export async function post(core, request) {
+  const skipTokenRevoke = Boolean(core.getInput("skip_token_revoke"));
+
+  if (skipTokenRevoke) {
+    core.info("Token revocation was skipped");
+    return;
+  }
+
   const token = core.getState("token");
 
-  if (!token) return;
-  
+  if (!token) {
+    core.info("Token is not set");
+    return;
+  }
+
   await request("DELETE /installation/token", {
     headers: {
       authorization: `token ${token}`,

lib/request.js

@@ -0,0 +1,8 @@
+import { request } from "@octokit/request";
+
+export default request.defaults({
+  baseUrl: process.env["GITHUB_API_URL"],
+  headers: {
+    "user-agent": "actions/create-github-app-token",
+  },
+});

main.js

@@ -2,22 +2,37 @@
 
 import core from "@actions/core";
 import { createAppAuth } from "@octokit/auth-app";
-import { request } from "@octokit/request";
 
 import { main } from "./lib/main.js";
+import request from "./lib/request.js";
 
 if (!process.env.GITHUB_REPOSITORY) {
   throw new Error("GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'");
 }
 
+if (!process.env.GITHUB_REPOSITORY_OWNER) {
+  throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
+}
+
 const appId = core.getInput("app_id");
 const privateKey = core.getInput("private_key");
+const owner = core.getInput("owner");
+const repositories = core.getInput("repositories");
 
-const repository = process.env.GITHUB_REPOSITORY;
+const skipTokenRevoke = Boolean(core.getInput("skip_token_revoke"));
 
-main(appId, privateKey, repository, core, createAppAuth, request).catch(
-  (error) => {
-    console.error(error);
-    core.setFailed(error.message);
-  }
-);
+main(
+  appId,
+  privateKey,
+  owner,
+  repositories,
+  core,
+  createAppAuth,
+  request.defaults({
+    baseUrl: process.env["GITHUB_API_URL"],
+  }),
+  skipTokenRevoke
+).catch((error) => {
+  console.error(error);
+  core.setFailed(error.message);
+});

package.json

@@ -2,21 +2,24 @@
   "name": "create-github-app-token",
   "private": true,
   "type": "module",
-  "version": "1.1.5",
+  "version": "1.4.0",
   "description": "GitHub Action for creating a GitHub App Installation Access Token",
   "scripts": {
     "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node16.16",
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "test": "ava tests/index.js"
   },
   "license": "MIT",
   "dependencies": {
-    "@actions/core": "^1.10.0",
-    "@octokit/auth-app": "^6.0.0",
-    "@octokit/request": "^8.1.1"
+    "@actions/core": "^1.10.1",
+    "@octokit/auth-app": "^6.0.1",
+    "@octokit/request": "^8.1.2"
   },
   "devDependencies": {
+    "ava": "^5.3.1",
     "dotenv": "^16.3.1",
-    "esbuild": "^0.19.2"
+    "esbuild": "^0.19.4",
+    "execa": "^8.0.1",
+    "undici": "^5.25.2"
   },
   "release": {
     "branches": [

post.js

@@ -1,13 +1,16 @@
 // @ts-check
 
 import core from "@actions/core";
-import { request } from "@octokit/request";
 
 import { post } from "./lib/post.js";
+import request from "./lib/request.js";
 
-post(core, request).catch(
-  (error) => {
-    console.error(error);
-    core.setFailed(error.message);
-  }
-);
+post(
+  core,
+  request.defaults({
+    baseUrl: process.env["GITHUB_API_URL"],
+  })
+).catch((error) => {
+  console.error(error);
+  core.setFailed(error.message);
+});

tests/README.md

@@ -0,0 +1,19 @@
+# Tests
+
+Add one test file per scenario. You can run them in isolation with:
+
+```bash
+node tests/post-token-set.test.js
+```
+
+All tests are run together in [tests/index.js](index.js), which can be executed with ava
+
+```
+npx ava tests/index.js
+```
+
+or with npm
+
+```
+npm test
+```

tests/index.js

@@ -0,0 +1,14 @@
+import { readdirSync } from "node:fs";
+
+import { execa } from "execa";
+import test from "ava";
+
+const tests = readdirSync("tests").filter((file) => file.endsWith(".test.js"));
+
+for (const file of tests) {
+  test(file, async (t) => {
+    const { stderr, stdout } = await execa("node", [`tests/${file}`]);
+    t.snapshot(stderr, "stderr");
+    t.snapshot(stdout, "stdout");
+  });
+}

tests/post-token-set.test.js

@@ -0,0 +1,25 @@
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+process.env.STATE_token = "secret123";
+
+const mockAgent = new MockAgent();
+
+setGlobalDispatcher(mockAgent);
+
+// Provide the base url to the request
+const mockPool = mockAgent.get("https://api.github.com");
+
+// intercept the request
+mockPool
+  .intercept({
+    path: "/installation/token",
+    method: "DELETE",
+    headers: {
+      authorization: "token secret123",
+    },
+  })
+  .reply(204);
+
+await import("../post.js");

tests/post-token-skipped.test.js

@@ -0,0 +1,29 @@
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+process.env.STATE_token = "secret123";
+
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env.INPUT_SKIP_TOKEN_REVOKE = "true";
+
+const mockAgent = new MockAgent();
+
+setGlobalDispatcher(mockAgent);
+
+// Provide the base url to the request
+const mockPool = mockAgent.get("https://api.github.com");
+
+// intercept the request
+mockPool
+  .intercept({
+    path: "/installation/token",
+    method: "DELETE",
+    headers: {
+      authorization: "token secret123",
+    },
+  })
+  .reply(204);
+
+await import("../post.js");

tests/post-token-unset.test.js

@@ -0,0 +1,5 @@
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+delete process.env.STATE_token;
+
+await import("../post.js");

tests/snapshots/index.js.md

@@ -0,0 +1,35 @@
+# Snapshot report for `tests/index.js`
+
+The actual snapshot is saved in `index.js.snap`.
+
+Generated by [AVA](https://avajs.dev).
+
+## post-token-set.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    'Token revoked'
+
+## post-token-skipped.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    'Token revocation was skipped'
+
+## post-token-unset.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    'Token is not set'