build(release): 1.11.0 [skip ci]

# [1.11.0](https://github.com/actions/create-github-app-token/compare/v1.10.4...v1.11.0) (2024-09-11)

### Features

* allow repositories input to be comma or newline-separated ([#169](https://github.com/actions/create-github-app-token/issues/169)) ([796b88d](https://github.com/actions/create-github-app-token/commit/796b88dc585016182c9da7fa3e5dfe98e0a9b19f))

.github/workflows/test.yml

@@ -5,6 +5,7 @@ on:
     branches:
       - main
   pull_request:
+  workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

README.md

@@ -79,14 +79,14 @@ jobs:
           # required
           app-id: ${{ vars.APP_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
-      - name: Retrieve GitHub App User ID
+      - name: Get GitHub App User ID
         id: get-user-id
-        run: echo "user-id=$(gh api "/users/${{ steps.generate-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
       - id: committer
-        run: echo "string=${{steps.app-token.outputs.app-slug}}[bot] <${{steps.get-user-id.outputs.user-id}}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"  >> "$GITHUB_OUTPUT"
-      - run: echo "committer string is ${{steps.committer.outputs.string}}"
+        run: echo "string=${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"  >> "$GITHUB_OUTPUT"
+      - run: echo "committer string is ${ {steps.committer.outputs.string }}"
 ```
 
 ### Configure git CLI for an app's bot user
@@ -104,14 +104,14 @@ jobs:
           # required
           app-id: ${{ vars.APP_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
-      - name: Retrieve GitHub App User ID
+      - name: Get GitHub App User ID
         id: get-user-id
-        run: echo "user-id=$(gh api "/users/${{ steps.generate-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
       - run: |
-          git config --global user.name '${{steps.app-token.outputs.app-slug}}[bot]'
-          git config --global user.email '${{steps.get-user-id.outputs.user-id}}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
       # git commands like commit work using the bot user
       - run: |
           git add .
@@ -119,8 +119,12 @@ jobs:
           git push
 ```
 
-The `<BOT USER ID>` is the numeric user ID of the app's bot user, which can be found under `https://api.github.com/users/<app-slug>%5Bbot%5D`.
-For example, we can check at `https://api.github.com/users/dependabot%5Bbot%5D` to see the user ID of dependabot is 49699333.
+> [!TIP]
+> The `<BOT USER ID>` is the numeric user ID of the app's bot user, which can be found under `https://api.github.com/users/<app-slug>%5Bbot%5D`.
+> 
+> For example, we can check at `https://api.github.com/users/dependabot[bot]` to see the user ID of Dependabot is 49699333.
+>
+> Alternatively, you can use the [octokit/request-action](https://github.com/octokit/request-action) to get the ID.
 
 ### Create a token for all repositories in the current owner's installation
 
@@ -159,7 +163,9 @@ jobs:
           app-id: ${{ vars.APP_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
-          repositories: "repo1,repo2"
+          repositories: |
+            repo1
+            repo2
       - uses: peter-evans/create-or-update-comment@v3
         with:
           token: ${{ steps.app-token.outputs.token }}
@@ -203,7 +209,7 @@ jobs:
   set-matrix:
     runs-on: ubuntu-latest
     outputs:
-      matrix: ${{steps.set.outputs.matrix }}
+      matrix: ${{ steps.set.outputs.matrix }}
     steps:
       - id: set
         run: echo 'matrix=[{"owner":"owner1"},{"owner":"owner2","repos":["repo1"]}]' >>"$GITHUB_OUTPUT"
@@ -274,13 +280,31 @@ jobs:
 
 **Required:** GitHub App private key. Escaped newlines (`\\n`) will be automatically replaced with actual newlines.
 
+Some other actions may require the private key to be Base64 encoded. To avoid recreating a new secret, it can be decoded on the fly, but it needs to be managed securely. Here is an example of how this can be achieved:
+
+```yaml
+steps:
+  - name: Decode the GitHub App Private Key
+    id: decode
+    run: |
+      private_key=$(echo "${{ secrets.PRIVATE_KEY }}" | base64 -d | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null
+      echo "::add-mask::$private_key"
+      echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
+  - name: Generate GitHub App Token
+    id: app-token
+    uses: actions/create-github-app-token@v1
+    with:
+      app-id: ${{ vars.APP_ID }}
+      private-key: ${{ steps.decode.outputs.private-key }}
+```
+
 ### `owner`
 
 **Optional:** The owner of the GitHub App installation. If empty, defaults to the current repository owner.
 
 ### `repositories`
 
-**Optional:** Comma-separated list of repositories to grant access to.
+**Optional:** Comma or newline-separated list of repositories to grant access to.
 
 > [!NOTE]
 > If `owner` is set and `repositories` is empty, access will be scoped to all repositories in the provided repository owner's installation. If `owner` and `repositories` are empty, access will be scoped to only the current repository.

action.yml

@@ -23,7 +23,7 @@ inputs:
     description: "The owner of the GitHub App installation (defaults to current repository owner)"
     required: false
   repositories:
-    description: "Repositories to install the GitHub App on (defaults to current repository if owner is unset)"
+    description: "Comma or newline-separated list of repositories to install the GitHub App on (defaults to current repository if owner is unset)"
     required: false
   skip-token-revoke:
     description: "If truthy, the token will not be revoked when the current job is complete"

dist/main.cjs

@@ -2239,6 +2239,7 @@ var require_decodeText = __commonJS({
             return decoders.utf8;
           case "latin1":
           case "ascii":
+          // TODO: Make these a separate, strict decoder?
           case "us-ascii":
           case "iso-8859-1":
           case "iso8859-1":
@@ -2938,6 +2939,7 @@ var require_basename = __commonJS({
       for (var i = path.length - 1; i >= 0; --i) {
         switch (path.charCodeAt(i)) {
           case 47:
+          // '/'
           case 92:
             path = path.slice(i + 1);
             return path === ".." || path === "." ? "" : path;
@@ -4172,7 +4174,21 @@ var require_util2 = __commonJS({
           return referrerOrigin;
         }
         case "strict-origin":
+        // eslint-disable-line
+        /**
+           * 1. If referrerURL is a potentially trustworthy URL and
+           * request’s current URL is not a potentially trustworthy URL,
+           * then return no referrer.
+           * 2. Return referrerOrigin
+          */
         case "no-referrer-when-downgrade":
+        // eslint-disable-line
+        /**
+         * 1. If referrerURL is a potentially trustworthy URL and
+         * request’s current URL is not a potentially trustworthy URL,
+         * then return no referrer.
+         * 2. Return referrerOrigin
+        */
         default:
           return isNonPotentiallyTrustWorthy ? "no-referrer" : referrerOrigin;
       }
@@ -22785,7 +22801,21 @@ var require_util9 = __commonJS({
           return referrerOrigin;
         }
         case "strict-origin":
+        // eslint-disable-line
+        /**
+           * 1. If referrerURL is a potentially trustworthy URL and
+           * request’s current URL is not a potentially trustworthy URL,
+           * then return no referrer.
+           * 2. Return referrerOrigin
+          */
         case "no-referrer-when-downgrade":
+        // eslint-disable-line
+        /**
+         * 1. If referrerURL is a potentially trustworthy URL and
+         * request’s current URL is not a potentially trustworthy URL,
+         * then return no referrer.
+         * 2. Return referrerOrigin
+        */
         default:
           return isNonPotentiallyTrustWorthy ? "no-referrer" : referrerOrigin;
       }
@@ -23887,11 +23917,23 @@ var require_body2 = __commonJS({
     var { webidl } = require_webidl2();
     var { Blob: Blob2 } = require("node:buffer");
     var assert = require("node:assert");
-    var { isErrored } = require_util8();
+    var { isErrored, isDisturbed } = require("node:stream");
     var { isArrayBuffer } = require("node:util/types");
     var { serializeAMimeType } = require_data_url();
     var { multipartFormDataParser } = require_formdata_parser();
     var textEncoder = new TextEncoder();
+    function noop() {
+    }
+    var hasFinalizationRegistry = globalThis.FinalizationRegistry && process.version.indexOf("v18") !== 0;
+    var streamRegistry;
+    if (hasFinalizationRegistry) {
+      streamRegistry = new FinalizationRegistry((weakRef) => {
+        const stream = weakRef.deref();
+        if (stream && !stream.locked && !isDisturbed(stream) && !isErrored(stream)) {
+          stream.cancel("Response object has been garbage collected").catch(noop);
+        }
+      });
+    }
     function extractBody(object, keepalive = false) {
       let stream = null;
       if (object instanceof ReadableStream) {
@@ -24034,8 +24076,11 @@ Content-Type: ${value.type || "application/octet-stream"}\r
       }
       return extractBody(object, keepalive);
     }
-    function cloneBody(body) {
+    function cloneBody(instance, body) {
       const [out1, out2] = body.stream.tee();
+      if (hasFinalizationRegistry) {
+        streamRegistry.register(instance, new WeakRef(out1));
+      }
       body.stream = out1;
       return {
         stream: out2,
@@ -24114,7 +24159,7 @@ Content-Type: ${value.type || "application/octet-stream"}\r
     }
     async function consumeBody(object, convertBytesToJSValue, instance) {
       webidl.brandCheck(object, instance);
-      if (bodyUnusable(object[kState].body)) {
+      if (bodyUnusable(object)) {
         throw new TypeError("Body is unusable: Body has already been read");
       }
       throwIfAborted(object[kState]);
@@ -24134,7 +24179,8 @@ Content-Type: ${value.type || "application/octet-stream"}\r
       await fullyReadBody(object[kState].body, successSteps, errorSteps);
       return promise.promise;
     }
-    function bodyUnusable(body) {
+    function bodyUnusable(object) {
+      const body = object[kState].body;
       return body != null && (body.stream.locked || util.isDisturbed(body.stream));
     }
     function parseJSONFromBytes(bytes) {
@@ -24152,7 +24198,10 @@ Content-Type: ${value.type || "application/octet-stream"}\r
       extractBody,
       safelyExtractBody,
       cloneBody,
-      mixinBody
+      mixinBody,
+      streamRegistry,
+      hasFinalizationRegistry,
+      bodyUnusable
     };
   }
 });
@@ -26706,8 +26755,13 @@ var require_balanced_pool2 = __commonJS({
     var kMaxWeightPerServer = Symbol("kMaxWeightPerServer");
     var kErrorPenalty = Symbol("kErrorPenalty");
     function getGreatestCommonDivisor(a, b) {
-      if (b === 0) return a;
-      return getGreatestCommonDivisor(b, a % b);
+      if (a === 0) return b;
+      while (b !== 0) {
+        const t = b;
+        b = a % b;
+        a = t;
+      }
+      return a;
     }
     function defaultFactory(origin, opts) {
       return new Pool(origin, opts);
@@ -26761,7 +26815,11 @@ var require_balanced_pool2 = __commonJS({
         return this;
       }
       _updateBalancedPoolStats() {
-        this[kGreatestCommonDivisor] = this[kClients].map((p) => p[kWeight]).reduce(getGreatestCommonDivisor, 0);
+        let result = 0;
+        for (let i = 0; i < this[kClients].length; i++) {
+          result = getGreatestCommonDivisor(this[kClients][i][kWeight], result);
+        }
+        this[kGreatestCommonDivisor] = result;
       }
       removeUpstream(upstream) {
         const upstreamOrigin = parseOrigin(upstream).origin;
@@ -30146,7 +30204,7 @@ var require_response2 = __commonJS({
   "node_modules/undici/lib/web/fetch/response.js"(exports2, module2) {
     "use strict";
     var { Headers, HeadersList, fill, getHeadersGuard, setHeadersGuard, setHeadersList } = require_headers2();
-    var { extractBody, cloneBody, mixinBody } = require_body2();
+    var { extractBody, cloneBody, mixinBody, hasFinalizationRegistry, streamRegistry, bodyUnusable } = require_body2();
     var util = require_util8();
     var nodeUtil = require("node:util");
     var { kEnumerableProperty } = util;
@@ -30171,19 +30229,7 @@ var require_response2 = __commonJS({
     var { kConstruct } = require_symbols6();
     var assert = require("node:assert");
     var { types } = require("node:util");
-    var { isDisturbed, isErrored } = require("node:stream");
     var textEncoder = new TextEncoder("utf-8");
-    var hasFinalizationRegistry = globalThis.FinalizationRegistry && process.version.indexOf("v18") !== 0;
-    var registry;
-    if (hasFinalizationRegistry) {
-      registry = new FinalizationRegistry((stream) => {
-        if (!stream.locked && !isDisturbed(stream) && !isErrored(stream)) {
-          stream.cancel("Response object has been garbage collected").catch(noop);
-        }
-      });
-    }
-    function noop() {
-    }
     var Response = class _Response {
       // Creates network error Response.
       static error() {
@@ -30295,7 +30341,7 @@ var require_response2 = __commonJS({
       // Returns a clone of response.
       clone() {
         webidl.brandCheck(this, _Response);
-        if (this.bodyUsed || this.body?.locked) {
+        if (bodyUnusable(this)) {
           throw webidl.errors.exception({
             header: "Response.clone",
             message: "Body has already been consumed."
@@ -30354,7 +30400,7 @@ var require_response2 = __commonJS({
       }
       const newResponse = makeResponse({ ...response, body: null });
       if (response.body != null) {
-        newResponse.body = cloneBody(response.body);
+        newResponse.body = cloneBody(newResponse, response.body);
       }
       return newResponse;
     }
@@ -30479,7 +30525,7 @@ var require_response2 = __commonJS({
       setHeadersList(response[kHeaders], innerResponse.headersList);
       setHeadersGuard(response[kHeaders], guard);
       if (hasFinalizationRegistry && innerResponse.body?.stream) {
-        registry.register(response, innerResponse.body.stream);
+        streamRegistry.register(response, new WeakRef(innerResponse.body.stream));
       }
       return response;
     }
@@ -30594,7 +30640,7 @@ var require_dispatcher_weakref2 = __commonJS({
 var require_request4 = __commonJS({
   "node_modules/undici/lib/web/fetch/request.js"(exports2, module2) {
     "use strict";
-    var { extractBody, mixinBody, cloneBody } = require_body2();
+    var { extractBody, mixinBody, cloneBody, bodyUnusable } = require_body2();
     var { Headers, fill: fillHeaders, HeadersList, setHeadersGuard, getHeadersGuard, setHeadersList, getHeadersList } = require_headers2();
     var { FinalizationRegistry: FinalizationRegistry2 } = require_dispatcher_weakref2()();
     var util = require_util8();
@@ -30915,7 +30961,7 @@ var require_request4 = __commonJS({
         }
         let finalBody = inputOrInitBody;
         if (initBody == null && inputBody != null) {
-          if (util.isDisturbed(inputBody.stream) || inputBody.stream.locked) {
+          if (bodyUnusable(input)) {
             throw new TypeError(
               "Cannot construct a Request with a Request object that has already been used."
             );
@@ -31050,7 +31096,7 @@ var require_request4 = __commonJS({
       // Returns a clone of request.
       clone() {
         webidl.brandCheck(this, _Request);
-        if (this.bodyUsed || this.body?.locked) {
+        if (bodyUnusable(this)) {
           throw new TypeError("unusable");
         }
         const clonedRequest = cloneRequest(this[kState]);
@@ -31143,7 +31189,7 @@ var require_request4 = __commonJS({
     function cloneRequest(request2) {
       const newRequest = makeRequest({ ...request2, body: null });
       if (request2.body != null) {
-        newRequest.body = cloneBody(request2.body);
+        newRequest.body = cloneBody(newRequest, request2.body);
       }
       return newRequest;
     }
@@ -36957,132 +37003,116 @@ var RequestError = class extends Error {
 
 // node_modules/@octokit/request/dist-bundle/index.js
 var VERSION2 = "0.0.0-development";
+var defaults_default = {
+  headers: {
+    "user-agent": `octokit-request.js/${VERSION2} ${getUserAgent()}`
+  }
+};
 function isPlainObject2(value) {
-  if (typeof value !== "object" || value === null)
-    return false;
-  if (Object.prototype.toString.call(value) !== "[object Object]")
-    return false;
+  if (typeof value !== "object" || value === null) return false;
+  if (Object.prototype.toString.call(value) !== "[object Object]") return false;
   const proto = Object.getPrototypeOf(value);
-  if (proto === null)
-    return true;
+  if (proto === null) return true;
   const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
   return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
 }
-function getBufferResponse(response) {
-  return response.arrayBuffer();
-}
-function fetchWrapper(requestOptions) {
-  const log = requestOptions.request && requestOptions.request.log ? requestOptions.request.log : console;
-  const parseSuccessResponseBody = requestOptions.request?.parseSuccessResponseBody !== false;
-  if (isPlainObject2(requestOptions.body) || Array.isArray(requestOptions.body)) {
-    requestOptions.body = JSON.stringify(requestOptions.body);
-  }
-  let headers = {};
-  let status;
-  let url;
-  let { fetch } = globalThis;
-  if (requestOptions.request?.fetch) {
-    fetch = requestOptions.request.fetch;
-  }
+async function fetchWrapper(requestOptions) {
+  const fetch = requestOptions.request?.fetch || globalThis.fetch;
   if (!fetch) {
     throw new Error(
       "fetch is not set. Please pass a fetch implementation as new Octokit({ request: { fetch }}). Learn more at https://github.com/octokit/octokit.js/#fetch-missing"
     );
   }
-  return fetch(requestOptions.url, {
-    method: requestOptions.method,
-    body: requestOptions.body,
-    redirect: requestOptions.request?.redirect,
-    // Header values must be `string`
-    headers: Object.fromEntries(
-      Object.entries(requestOptions.headers).map(([name, value]) => [
-        name,
-        String(value)
-      ])
-    ),
-    signal: requestOptions.request?.signal,
-    // duplex must be set if request.body is ReadableStream or Async Iterables.
-    // See https://fetch.spec.whatwg.org/#dom-requestinit-duplex.
-    ...requestOptions.body && { duplex: "half" }
-  }).then(async (response) => {
-    url = response.url;
-    status = response.status;
-    for (const keyAndValue of response.headers) {
-      headers[keyAndValue[0]] = keyAndValue[1];
-    }
-    if ("deprecation" in headers) {
-      const matches = headers.link && headers.link.match(/<([^>]+)>; rel="deprecation"/);
-      const deprecationLink = matches && matches.pop();
-      log.warn(
-        `[@octokit/request] "${requestOptions.method} ${requestOptions.url}" is deprecated. It is scheduled to be removed on ${headers.sunset}${deprecationLink ? `. See ${deprecationLink}` : ""}`
-      );
-    }
-    if (status === 204 || status === 205) {
-      return;
-    }
-    if (requestOptions.method === "HEAD") {
-      if (status < 400) {
-        return;
+  const log = requestOptions.request?.log || console;
+  const parseSuccessResponseBody = requestOptions.request?.parseSuccessResponseBody !== false;
+  const body = isPlainObject2(requestOptions.body) || Array.isArray(requestOptions.body) ? JSON.stringify(requestOptions.body) : requestOptions.body;
+  const requestHeaders = Object.fromEntries(
+    Object.entries(requestOptions.headers).map(([name, value]) => [
+      name,
+      String(value)
+    ])
+  );
+  let fetchResponse;
+  try {
+    fetchResponse = await fetch(requestOptions.url, {
+      method: requestOptions.method,
+      body,
+      redirect: requestOptions.request?.redirect,
+      headers: requestHeaders,
+      signal: requestOptions.request?.signal,
+      // duplex must be set if request.body is ReadableStream or Async Iterables.
+      // See https://fetch.spec.whatwg.org/#dom-requestinit-duplex.
+      ...requestOptions.body && { duplex: "half" }
+    });
+  } catch (error) {
+    let message = "Unknown Error";
+    if (error instanceof Error) {
+      if (error.name === "AbortError") {
+        error.status = 500;
+        throw error;
       }
-      throw new RequestError(response.statusText, status, {
-        response: {
-          url,
-          status,
-          headers,
-          data: void 0
-        },
-        request: requestOptions
-      });
-    }
-    if (status === 304) {
-      throw new RequestError("Not modified", status, {
-        response: {
-          url,
-          status,
-          headers,
-          data: await getResponseData(response)
-        },
-        request: requestOptions
-      });
-    }
-    if (status >= 400) {
-      const data = await getResponseData(response);
-      const error = new RequestError(toErrorMessage(data), status, {
-        response: {
-          url,
-          status,
-          headers,
-          data
-        },
-        request: requestOptions
-      });
-      throw error;
-    }
-    return parseSuccessResponseBody ? await getResponseData(response) : response.body;
-  }).then((data) => {
-    return {
-      status,
-      url,
-      headers,
-      data
-    };
-  }).catch((error) => {
-    if (error instanceof RequestError)
-      throw error;
-    else if (error.name === "AbortError")
-      throw error;
-    let message = error.message;
-    if (error.name === "TypeError" && "cause" in error) {
-      if (error.cause instanceof Error) {
-        message = error.cause.message;
-      } else if (typeof error.cause === "string") {
-        message = error.cause;
+      message = error.message;
+      if (error.name === "TypeError" && "cause" in error) {
+        if (error.cause instanceof Error) {
+          message = error.cause.message;
+        } else if (typeof error.cause === "string") {
+          message = error.cause;
+        }
       }
     }
-    throw new RequestError(message, 500, {
+    const requestError = new RequestError(message, 500, {
       request: requestOptions
     });
-  });
+    requestError.cause = error;
+    throw requestError;
+  }
+  const status = fetchResponse.status;
+  const url = fetchResponse.url;
+  const responseHeaders = {};
+  for (const [key, value] of fetchResponse.headers) {
+    responseHeaders[key] = value;
+  }
+  const octokitResponse = {
+    url,
+    status,
+    headers: responseHeaders,
+    data: ""
+  };
+  if ("deprecation" in responseHeaders) {
+    const matches = responseHeaders.link && responseHeaders.link.match(/<([^>]+)>; rel="deprecation"/);
+    const deprecationLink = matches && matches.pop();
+    log.warn(
+      `[@octokit/request] "${requestOptions.method} ${requestOptions.url}" is deprecated. It is scheduled to be removed on ${responseHeaders.sunset}${deprecationLink ? `. See ${deprecationLink}` : ""}`
+    );
+  }
+  if (status === 204 || status === 205) {
+    return octokitResponse;
+  }
+  if (requestOptions.method === "HEAD") {
+    if (status < 400) {
+      return octokitResponse;
+    }
+    throw new RequestError(fetchResponse.statusText, status, {
+      response: octokitResponse,
+      request: requestOptions
+    });
+  }
+  if (status === 304) {
+    octokitResponse.data = await getResponseData(fetchResponse);
+    throw new RequestError("Not modified", status, {
+      response: octokitResponse,
+      request: requestOptions
+    });
+  }
+  if (status >= 400) {
+    octokitResponse.data = await getResponseData(fetchResponse);
+    throw new RequestError(toErrorMessage(octokitResponse.data), status, {
+      response: octokitResponse,
+      request: requestOptions
+    });
+  }
+  octokitResponse.data = parseSuccessResponseBody ? await getResponseData(fetchResponse) : fetchResponse.body;
+  return octokitResponse;
 }
 async function getResponseData(response) {
   const contentType = response.headers.get("content-type");
@@ -37092,22 +37122,18 @@ async function getResponseData(response) {
   if (!contentType || /^text\/|charset=utf-8$/.test(contentType)) {
     return response.text();
   }
-  return getBufferResponse(response);
+  return response.arrayBuffer();
 }
 function toErrorMessage(data) {
-  if (typeof data === "string")
+  if (typeof data === "string") {
     return data;
-  let suffix;
-  if ("documentation_url" in data) {
-    suffix = ` - ${data.documentation_url}`;
-  } else {
-    suffix = "";
+  }
+  if (data instanceof ArrayBuffer) {
+    return "Unknown error";
   }
   if ("message" in data) {
-    if (Array.isArray(data.errors)) {
-      return `${data.message}: ${data.errors.map(JSON.stringify).join(", ")}${suffix}`;
-    }
-    return `${data.message}${suffix}`;
+    const suffix = "documentation_url" in data ? ` - ${data.documentation_url}` : "";
+    return Array.isArray(data.errors) ? `${data.message}: ${data.errors.map((v) => JSON.stringify(v)).join(", ")}${suffix}` : `${data.message}${suffix}`;
   }
   return `Unknown error: ${JSON.stringify(data)}`;
 }
@@ -37134,11 +37160,7 @@ function withDefaults2(oldEndpoint, newDefaults) {
     defaults: withDefaults2.bind(null, endpoint2)
   });
 }
-var request = withDefaults2(endpoint, {
-  headers: {
-    "user-agent": `octokit-request.js/${VERSION2} ${getUserAgent()}`
-  }
-});
+var request = withDefaults2(endpoint, defaults_default);
 
 // node_modules/@octokit/oauth-methods/dist-bundle/index.js
 function requestToOAuthBaseUrl(request2) {
@@ -39484,7 +39506,7 @@ async function hook4(state, request2, route, parameters) {
     state,
     // @ts-expect-error TBD
     {},
-    request2
+    request2.defaults({ baseUrl: endpoint2.baseUrl })
   );
   endpoint2.headers.authorization = `token ${token}`;
   return sendRequestWithRetries(
@@ -39517,7 +39539,7 @@ async function sendRequestWithRetries(state, request2, options, createdAt, retri
     return sendRequestWithRetries(state, request2, options, createdAt, retries);
   }
 }
-var VERSION6 = "7.1.0";
+var VERSION6 = "7.1.1";
 function createAppAuth(options) {
   if (!options.appId) {
     throw new Error("[@octokit/auth-app] appId option is required");
@@ -39678,33 +39700,35 @@ async function pRetry(input, options) {
 // lib/main.js
 async function main(appId2, privateKey2, owner2, repositories2, core3, createAppAuth2, request2, skipTokenRevoke2) {
   let parsedOwner = "";
-  let parsedRepositoryNames = "";
-  if (!owner2 && !repositories2) {
-    [parsedOwner, parsedRepositoryNames] = String(
+  let parsedRepositoryNames = [];
+  if (!owner2 && repositories2.length === 0) {
+    const [owner3, repo] = String(
       process.env.GITHUB_REPOSITORY
     ).split("/");
+    parsedOwner = owner3;
+    parsedRepositoryNames = [repo];
     core3.info(
-      `owner and repositories not set, creating token for the current repository ("${parsedRepositoryNames}")`
+      `owner and repositories not set, creating token for the current repository ("${repo}")`
     );
   }
-  if (owner2 && !repositories2) {
+  if (owner2 && repositories2.length === 0) {
     parsedOwner = owner2;
     core3.info(
       `repositories not set, creating token for all repositories for given owner "${owner2}"`
     );
   }
-  if (!owner2 && repositories2) {
+  if (!owner2 && repositories2.length > 0) {
     parsedOwner = String(process.env.GITHUB_REPOSITORY_OWNER);
     parsedRepositoryNames = repositories2;
     core3.info(
-      `owner not set, creating owner for given repositories "${repositories2}" in current owner ("${parsedOwner}")`
+      `owner not set, creating owner for given repositories "${repositories2.join(",")}" in current owner ("${parsedOwner}")`
     );
   }
-  if (owner2 && repositories2) {
+  if (owner2 && repositories2.length > 0) {
     parsedOwner = owner2;
     parsedRepositoryNames = repositories2;
     core3.info(
-      `owner and repositories set, creating token for repositories "${repositories2}" owned by "${owner2}"`
+      `owner and repositories set, creating token for repositories "${repositories2.join(",")}" owned by "${owner2}"`
     );
   }
   const auth5 = createAppAuth2({
@@ -39713,11 +39737,11 @@ async function main(appId2, privateKey2, owner2, repositories2, core3, createApp
     request: request2
   });
   let authentication, installationId, appSlug;
-  if (parsedRepositoryNames) {
+  if (parsedRepositoryNames.length > 0) {
     ({ authentication, installationId, appSlug } = await pRetry(() => getTokenFromRepository(request2, auth5, parsedOwner, parsedRepositoryNames), {
       onFailedAttempt: (error) => {
         core3.info(
-          `Failed to create token for "${parsedRepositoryNames}" (attempt ${error.attemptNumber}): ${error.message}`
+          `Failed to create token for "${parsedRepositoryNames.join(",")}" (attempt ${error.attemptNumber}): ${error.message}`
         );
       },
       retries: 3
@@ -39767,7 +39791,7 @@ async function getTokenFromOwner(request2, auth5, parsedOwner) {
 async function getTokenFromRepository(request2, auth5, parsedOwner, parsedRepositoryNames) {
   const response = await request2("GET /repos/{owner}/{repo}/installation", {
     owner: parsedOwner,
-    repo: parsedRepositoryNames.split(",")[0],
+    repo: parsedRepositoryNames[0],
     request: {
       hook: auth5.hook
     }
@@ -39775,7 +39799,7 @@ async function getTokenFromRepository(request2, auth5, parsedOwner, parsedReposi
   const authentication = await auth5({
     type: "installation",
     installationId: response.data.id,
-    repositoryNames: parsedRepositoryNames.split(",")
+    repositoryNames: parsedRepositoryNames
   });
   const installationId = response.data.id;
   const appSlug = response.data["app_slug"];
@@ -39825,7 +39849,7 @@ if (!privateKey) {
   throw new Error("Input required and not supplied: private-key");
 }
 var owner = import_core2.default.getInput("owner");
-var repositories = import_core2.default.getInput("repositories");
+var repositories = import_core2.default.getInput("repositories").split(/[\n,]+/).map((s) => s.trim()).filter((x) => x !== "");
 var skipTokenRevoke = Boolean(
   import_core2.default.getInput("skip-token-revoke") || import_core2.default.getInput("skip_token_revoke")
 );

dist/post.cjs

@@ -2238,6 +2238,7 @@ var require_decodeText = __commonJS({
             return decoders.utf8;
           case "latin1":
           case "ascii":
+          // TODO: Make these a separate, strict decoder?
           case "us-ascii":
           case "iso-8859-1":
           case "iso8859-1":
@@ -2937,6 +2938,7 @@ var require_basename = __commonJS({
       for (var i = path.length - 1; i >= 0; --i) {
         switch (path.charCodeAt(i)) {
           case 47:
+          // '/'
           case 92:
             path = path.slice(i + 1);
             return path === ".." || path === "." ? "" : path;
@@ -4171,7 +4173,21 @@ var require_util2 = __commonJS({
           return referrerOrigin;
         }
         case "strict-origin":
+        // eslint-disable-line
+        /**
+           * 1. If referrerURL is a potentially trustworthy URL and
+           * request’s current URL is not a potentially trustworthy URL,
+           * then return no referrer.
+           * 2. Return referrerOrigin
+          */
         case "no-referrer-when-downgrade":
+        // eslint-disable-line
+        /**
+         * 1. If referrerURL is a potentially trustworthy URL and
+         * request’s current URL is not a potentially trustworthy URL,
+         * then return no referrer.
+         * 2. Return referrerOrigin
+        */
         default:
           return isNonPotentiallyTrustWorthy ? "no-referrer" : referrerOrigin;
       }
@@ -22556,7 +22572,21 @@ var require_util9 = __commonJS({
           return referrerOrigin;
         }
         case "strict-origin":
+        // eslint-disable-line
+        /**
+           * 1. If referrerURL is a potentially trustworthy URL and
+           * request’s current URL is not a potentially trustworthy URL,
+           * then return no referrer.
+           * 2. Return referrerOrigin
+          */
         case "no-referrer-when-downgrade":
+        // eslint-disable-line
+        /**
+         * 1. If referrerURL is a potentially trustworthy URL and
+         * request’s current URL is not a potentially trustworthy URL,
+         * then return no referrer.
+         * 2. Return referrerOrigin
+        */
         default:
           return isNonPotentiallyTrustWorthy ? "no-referrer" : referrerOrigin;
       }
@@ -23658,11 +23688,23 @@ var require_body2 = __commonJS({
     var { webidl } = require_webidl2();
     var { Blob: Blob2 } = require("node:buffer");
     var assert = require("node:assert");
-    var { isErrored } = require_util8();
+    var { isErrored, isDisturbed } = require("node:stream");
     var { isArrayBuffer } = require("node:util/types");
     var { serializeAMimeType } = require_data_url();
     var { multipartFormDataParser } = require_formdata_parser();
     var textEncoder = new TextEncoder();
+    function noop() {
+    }
+    var hasFinalizationRegistry = globalThis.FinalizationRegistry && process.version.indexOf("v18") !== 0;
+    var streamRegistry;
+    if (hasFinalizationRegistry) {
+      streamRegistry = new FinalizationRegistry((weakRef) => {
+        const stream = weakRef.deref();
+        if (stream && !stream.locked && !isDisturbed(stream) && !isErrored(stream)) {
+          stream.cancel("Response object has been garbage collected").catch(noop);
+        }
+      });
+    }
     function extractBody(object, keepalive = false) {
       let stream = null;
       if (object instanceof ReadableStream) {
@@ -23805,8 +23847,11 @@ Content-Type: ${value.type || "application/octet-stream"}\r
       }
       return extractBody(object, keepalive);
     }
-    function cloneBody(body) {
+    function cloneBody(instance, body) {
       const [out1, out2] = body.stream.tee();
+      if (hasFinalizationRegistry) {
+        streamRegistry.register(instance, new WeakRef(out1));
+      }
       body.stream = out1;
       return {
         stream: out2,
@@ -23885,7 +23930,7 @@ Content-Type: ${value.type || "application/octet-stream"}\r
     }
     async function consumeBody(object, convertBytesToJSValue, instance) {
       webidl.brandCheck(object, instance);
-      if (bodyUnusable(object[kState].body)) {
+      if (bodyUnusable(object)) {
         throw new TypeError("Body is unusable: Body has already been read");
       }
       throwIfAborted(object[kState]);
@@ -23905,7 +23950,8 @@ Content-Type: ${value.type || "application/octet-stream"}\r
       await fullyReadBody(object[kState].body, successSteps, errorSteps);
       return promise.promise;
     }
-    function bodyUnusable(body) {
+    function bodyUnusable(object) {
+      const body = object[kState].body;
       return body != null && (body.stream.locked || util.isDisturbed(body.stream));
     }
     function parseJSONFromBytes(bytes) {
@@ -23923,7 +23969,10 @@ Content-Type: ${value.type || "application/octet-stream"}\r
       extractBody,
       safelyExtractBody,
       cloneBody,
-      mixinBody
+      mixinBody,
+      streamRegistry,
+      hasFinalizationRegistry,
+      bodyUnusable
     };
   }
 });
@@ -26477,8 +26526,13 @@ var require_balanced_pool2 = __commonJS({
     var kMaxWeightPerServer = Symbol("kMaxWeightPerServer");
     var kErrorPenalty = Symbol("kErrorPenalty");
     function getGreatestCommonDivisor(a, b) {
-      if (b === 0) return a;
-      return getGreatestCommonDivisor(b, a % b);
+      if (a === 0) return b;
+      while (b !== 0) {
+        const t = b;
+        b = a % b;
+        a = t;
+      }
+      return a;
     }
     function defaultFactory(origin, opts) {
       return new Pool(origin, opts);
@@ -26532,7 +26586,11 @@ var require_balanced_pool2 = __commonJS({
         return this;
       }
       _updateBalancedPoolStats() {
-        this[kGreatestCommonDivisor] = this[kClients].map((p) => p[kWeight]).reduce(getGreatestCommonDivisor, 0);
+        let result = 0;
+        for (let i = 0; i < this[kClients].length; i++) {
+          result = getGreatestCommonDivisor(this[kClients][i][kWeight], result);
+        }
+        this[kGreatestCommonDivisor] = result;
       }
       removeUpstream(upstream) {
         const upstreamOrigin = parseOrigin(upstream).origin;
@@ -29917,7 +29975,7 @@ var require_response2 = __commonJS({
   "node_modules/undici/lib/web/fetch/response.js"(exports2, module2) {
     "use strict";
     var { Headers, HeadersList, fill, getHeadersGuard, setHeadersGuard, setHeadersList } = require_headers2();
-    var { extractBody, cloneBody, mixinBody } = require_body2();
+    var { extractBody, cloneBody, mixinBody, hasFinalizationRegistry, streamRegistry, bodyUnusable } = require_body2();
     var util = require_util8();
     var nodeUtil = require("node:util");
     var { kEnumerableProperty } = util;
@@ -29942,19 +30000,7 @@ var require_response2 = __commonJS({
     var { kConstruct } = require_symbols6();
     var assert = require("node:assert");
     var { types } = require("node:util");
-    var { isDisturbed, isErrored } = require("node:stream");
     var textEncoder = new TextEncoder("utf-8");
-    var hasFinalizationRegistry = globalThis.FinalizationRegistry && process.version.indexOf("v18") !== 0;
-    var registry;
-    if (hasFinalizationRegistry) {
-      registry = new FinalizationRegistry((stream) => {
-        if (!stream.locked && !isDisturbed(stream) && !isErrored(stream)) {
-          stream.cancel("Response object has been garbage collected").catch(noop);
-        }
-      });
-    }
-    function noop() {
-    }
     var Response = class _Response {
       // Creates network error Response.
       static error() {
@@ -30066,7 +30112,7 @@ var require_response2 = __commonJS({
       // Returns a clone of response.
       clone() {
         webidl.brandCheck(this, _Response);
-        if (this.bodyUsed || this.body?.locked) {
+        if (bodyUnusable(this)) {
           throw webidl.errors.exception({
             header: "Response.clone",
             message: "Body has already been consumed."
@@ -30125,7 +30171,7 @@ var require_response2 = __commonJS({
       }
       const newResponse = makeResponse({ ...response, body: null });
       if (response.body != null) {
-        newResponse.body = cloneBody(response.body);
+        newResponse.body = cloneBody(newResponse, response.body);
       }
       return newResponse;
     }
@@ -30250,7 +30296,7 @@ var require_response2 = __commonJS({
       setHeadersList(response[kHeaders], innerResponse.headersList);
       setHeadersGuard(response[kHeaders], guard);
       if (hasFinalizationRegistry && innerResponse.body?.stream) {
-        registry.register(response, innerResponse.body.stream);
+        streamRegistry.register(response, new WeakRef(innerResponse.body.stream));
       }
       return response;
     }
@@ -30365,7 +30411,7 @@ var require_dispatcher_weakref2 = __commonJS({
 var require_request4 = __commonJS({
   "node_modules/undici/lib/web/fetch/request.js"(exports2, module2) {
     "use strict";
-    var { extractBody, mixinBody, cloneBody } = require_body2();
+    var { extractBody, mixinBody, cloneBody, bodyUnusable } = require_body2();
     var { Headers, fill: fillHeaders, HeadersList, setHeadersGuard, getHeadersGuard, setHeadersList, getHeadersList } = require_headers2();
     var { FinalizationRegistry: FinalizationRegistry2 } = require_dispatcher_weakref2()();
     var util = require_util8();
@@ -30686,7 +30732,7 @@ var require_request4 = __commonJS({
         }
         let finalBody = inputOrInitBody;
         if (initBody == null && inputBody != null) {
-          if (util.isDisturbed(inputBody.stream) || inputBody.stream.locked) {
+          if (bodyUnusable(input)) {
             throw new TypeError(
               "Cannot construct a Request with a Request object that has already been used."
             );
@@ -30821,7 +30867,7 @@ var require_request4 = __commonJS({
       // Returns a clone of request.
       clone() {
         webidl.brandCheck(this, _Request);
-        if (this.bodyUsed || this.body?.locked) {
+        if (bodyUnusable(this)) {
           throw new TypeError("unusable");
         }
         const clonedRequest = cloneRequest(this[kState]);
@@ -30914,7 +30960,7 @@ var require_request4 = __commonJS({
     function cloneRequest(request2) {
       const newRequest = makeRequest({ ...request2, body: null });
       if (request2.body != null) {
-        newRequest.body = cloneBody(request2.body);
+        newRequest.body = cloneBody(newRequest, request2.body);
       }
       return newRequest;
     }
@@ -36769,132 +36815,116 @@ var RequestError = class extends Error {
 
 // node_modules/@octokit/request/dist-bundle/index.js
 var VERSION2 = "0.0.0-development";
+var defaults_default = {
+  headers: {
+    "user-agent": `octokit-request.js/${VERSION2} ${getUserAgent()}`
+  }
+};
 function isPlainObject2(value) {
-  if (typeof value !== "object" || value === null)
-    return false;
-  if (Object.prototype.toString.call(value) !== "[object Object]")
-    return false;
+  if (typeof value !== "object" || value === null) return false;
+  if (Object.prototype.toString.call(value) !== "[object Object]") return false;
   const proto = Object.getPrototypeOf(value);
-  if (proto === null)
-    return true;
+  if (proto === null) return true;
   const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
   return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
 }
-function getBufferResponse(response) {
-  return response.arrayBuffer();
-}
-function fetchWrapper(requestOptions) {
-  const log = requestOptions.request && requestOptions.request.log ? requestOptions.request.log : console;
-  const parseSuccessResponseBody = requestOptions.request?.parseSuccessResponseBody !== false;
-  if (isPlainObject2(requestOptions.body) || Array.isArray(requestOptions.body)) {
-    requestOptions.body = JSON.stringify(requestOptions.body);
-  }
-  let headers = {};
-  let status;
-  let url;
-  let { fetch } = globalThis;
-  if (requestOptions.request?.fetch) {
-    fetch = requestOptions.request.fetch;
-  }
+async function fetchWrapper(requestOptions) {
+  const fetch = requestOptions.request?.fetch || globalThis.fetch;
   if (!fetch) {
     throw new Error(
       "fetch is not set. Please pass a fetch implementation as new Octokit({ request: { fetch }}). Learn more at https://github.com/octokit/octokit.js/#fetch-missing"
     );
   }
-  return fetch(requestOptions.url, {
-    method: requestOptions.method,
-    body: requestOptions.body,
-    redirect: requestOptions.request?.redirect,
-    // Header values must be `string`
-    headers: Object.fromEntries(
-      Object.entries(requestOptions.headers).map(([name, value]) => [
-        name,
-        String(value)
-      ])
-    ),
-    signal: requestOptions.request?.signal,
-    // duplex must be set if request.body is ReadableStream or Async Iterables.
-    // See https://fetch.spec.whatwg.org/#dom-requestinit-duplex.
-    ...requestOptions.body && { duplex: "half" }
-  }).then(async (response) => {
-    url = response.url;
-    status = response.status;
-    for (const keyAndValue of response.headers) {
-      headers[keyAndValue[0]] = keyAndValue[1];
-    }
-    if ("deprecation" in headers) {
-      const matches = headers.link && headers.link.match(/<([^>]+)>; rel="deprecation"/);
-      const deprecationLink = matches && matches.pop();
-      log.warn(
-        `[@octokit/request] "${requestOptions.method} ${requestOptions.url}" is deprecated. It is scheduled to be removed on ${headers.sunset}${deprecationLink ? `. See ${deprecationLink}` : ""}`
-      );
-    }
-    if (status === 204 || status === 205) {
-      return;
-    }
-    if (requestOptions.method === "HEAD") {
-      if (status < 400) {
-        return;
+  const log = requestOptions.request?.log || console;
+  const parseSuccessResponseBody = requestOptions.request?.parseSuccessResponseBody !== false;
+  const body = isPlainObject2(requestOptions.body) || Array.isArray(requestOptions.body) ? JSON.stringify(requestOptions.body) : requestOptions.body;
+  const requestHeaders = Object.fromEntries(
+    Object.entries(requestOptions.headers).map(([name, value]) => [
+      name,
+      String(value)
+    ])
+  );
+  let fetchResponse;
+  try {
+    fetchResponse = await fetch(requestOptions.url, {
+      method: requestOptions.method,
+      body,
+      redirect: requestOptions.request?.redirect,
+      headers: requestHeaders,
+      signal: requestOptions.request?.signal,
+      // duplex must be set if request.body is ReadableStream or Async Iterables.
+      // See https://fetch.spec.whatwg.org/#dom-requestinit-duplex.
+      ...requestOptions.body && { duplex: "half" }
+    });
+  } catch (error) {
+    let message = "Unknown Error";
+    if (error instanceof Error) {
+      if (error.name === "AbortError") {
+        error.status = 500;
+        throw error;
       }
-      throw new RequestError(response.statusText, status, {
-        response: {
-          url,
-          status,
-          headers,
-          data: void 0
-        },
-        request: requestOptions
-      });
-    }
-    if (status === 304) {
-      throw new RequestError("Not modified", status, {
-        response: {
-          url,
-          status,
-          headers,
-          data: await getResponseData(response)
-        },
-        request: requestOptions
-      });
-    }
-    if (status >= 400) {
-      const data = await getResponseData(response);
-      const error = new RequestError(toErrorMessage(data), status, {
-        response: {
-          url,
-          status,
-          headers,
-          data
-        },
-        request: requestOptions
-      });
-      throw error;
-    }
-    return parseSuccessResponseBody ? await getResponseData(response) : response.body;
-  }).then((data) => {
-    return {
-      status,
-      url,
-      headers,
-      data
-    };
-  }).catch((error) => {
-    if (error instanceof RequestError)
-      throw error;
-    else if (error.name === "AbortError")
-      throw error;
-    let message = error.message;
-    if (error.name === "TypeError" && "cause" in error) {
-      if (error.cause instanceof Error) {
-        message = error.cause.message;
-      } else if (typeof error.cause === "string") {
-        message = error.cause;
+      message = error.message;
+      if (error.name === "TypeError" && "cause" in error) {
+        if (error.cause instanceof Error) {
+          message = error.cause.message;
+        } else if (typeof error.cause === "string") {
+          message = error.cause;
+        }
       }
     }
-    throw new RequestError(message, 500, {
+    const requestError = new RequestError(message, 500, {
       request: requestOptions
     });
-  });
+    requestError.cause = error;
+    throw requestError;
+  }
+  const status = fetchResponse.status;
+  const url = fetchResponse.url;
+  const responseHeaders = {};
+  for (const [key, value] of fetchResponse.headers) {
+    responseHeaders[key] = value;
+  }
+  const octokitResponse = {
+    url,
+    status,
+    headers: responseHeaders,
+    data: ""
+  };
+  if ("deprecation" in responseHeaders) {
+    const matches = responseHeaders.link && responseHeaders.link.match(/<([^>]+)>; rel="deprecation"/);
+    const deprecationLink = matches && matches.pop();
+    log.warn(
+      `[@octokit/request] "${requestOptions.method} ${requestOptions.url}" is deprecated. It is scheduled to be removed on ${responseHeaders.sunset}${deprecationLink ? `. See ${deprecationLink}` : ""}`
+    );
+  }
+  if (status === 204 || status === 205) {
+    return octokitResponse;
+  }
+  if (requestOptions.method === "HEAD") {
+    if (status < 400) {
+      return octokitResponse;
+    }
+    throw new RequestError(fetchResponse.statusText, status, {
+      response: octokitResponse,
+      request: requestOptions
+    });
+  }
+  if (status === 304) {
+    octokitResponse.data = await getResponseData(fetchResponse);
+    throw new RequestError("Not modified", status, {
+      response: octokitResponse,
+      request: requestOptions
+    });
+  }
+  if (status >= 400) {
+    octokitResponse.data = await getResponseData(fetchResponse);
+    throw new RequestError(toErrorMessage(octokitResponse.data), status, {
+      response: octokitResponse,
+      request: requestOptions
+    });
+  }
+  octokitResponse.data = parseSuccessResponseBody ? await getResponseData(fetchResponse) : fetchResponse.body;
+  return octokitResponse;
 }
 async function getResponseData(response) {
   const contentType = response.headers.get("content-type");
@@ -36904,22 +36934,18 @@ async function getResponseData(response) {
   if (!contentType || /^text\/|charset=utf-8$/.test(contentType)) {
     return response.text();
   }
-  return getBufferResponse(response);
+  return response.arrayBuffer();
 }
 function toErrorMessage(data) {
-  if (typeof data === "string")
+  if (typeof data === "string") {
     return data;
-  let suffix;
-  if ("documentation_url" in data) {
-    suffix = ` - ${data.documentation_url}`;
-  } else {
-    suffix = "";
+  }
+  if (data instanceof ArrayBuffer) {
+    return "Unknown error";
   }
   if ("message" in data) {
-    if (Array.isArray(data.errors)) {
-      return `${data.message}: ${data.errors.map(JSON.stringify).join(", ")}${suffix}`;
-    }
-    return `${data.message}${suffix}`;
+    const suffix = "documentation_url" in data ? ` - ${data.documentation_url}` : "";
+    return Array.isArray(data.errors) ? `${data.message}: ${data.errors.map((v) => JSON.stringify(v)).join(", ")}${suffix}` : `${data.message}${suffix}`;
   }
   return `Unknown error: ${JSON.stringify(data)}`;
 }
@@ -36946,11 +36972,7 @@ function withDefaults2(oldEndpoint, newDefaults) {
     defaults: withDefaults2.bind(null, endpoint2)
   });
 }
-var request = withDefaults2(endpoint, {
-  headers: {
-    "user-agent": `octokit-request.js/${VERSION2} ${getUserAgent()}`
-  }
-});
+var request = withDefaults2(endpoint, defaults_default);
 
 // lib/request.js
 var import_undici = __toESM(require_undici2(), 1);

lib/main.js

@@ -5,7 +5,7 @@ import pRetry from "p-retry";
  * @param {string} appId
  * @param {string} privateKey
  * @param {string} owner
- * @param {string} repositories
+ * @param {string[]} repositories
  * @param {import("@actions/core")} core
  * @param {import("@octokit/auth-app").createAppAuth} createAppAuth
  * @param {import("@octokit/request").request} request
@@ -22,21 +22,23 @@ export async function main(
   skipTokenRevoke
 ) {
   let parsedOwner = "";
-  let parsedRepositoryNames = "";
+  let parsedRepositoryNames = [];
 
   // If neither owner nor repositories are set, default to current repository
-  if (!owner && !repositories) {
-    [parsedOwner, parsedRepositoryNames] = String(
+  if (!owner && repositories.length === 0) {
+    const [owner, repo] = String(
       process.env.GITHUB_REPOSITORY
     ).split("/");
+    parsedOwner = owner;
+    parsedRepositoryNames = [repo];
 
     core.info(
-      `owner and repositories not set, creating token for the current repository ("${parsedRepositoryNames}")`
+      `owner and repositories not set, creating token for the current repository ("${repo}")`
     );
   }
 
   // If only an owner is set, default to all repositories from that owner
-  if (owner && !repositories) {
+  if (owner && repositories.length === 0) {
     parsedOwner = owner;
 
     core.info(
@@ -45,22 +47,22 @@ export async function main(
   }
 
   // If repositories are set, but no owner, default to `GITHUB_REPOSITORY_OWNER`
-  if (!owner && repositories) {
+  if (!owner && repositories.length > 0) {
     parsedOwner = String(process.env.GITHUB_REPOSITORY_OWNER);
     parsedRepositoryNames = repositories;
 
     core.info(
-      `owner not set, creating owner for given repositories "${repositories}" in current owner ("${parsedOwner}")`
+      `owner not set, creating owner for given repositories "${repositories.join(',')}" in current owner ("${parsedOwner}")`
     );
   }
 
   // If both owner and repositories are set, use those values
-  if (owner && repositories) {
+  if (owner && repositories.length > 0) {
     parsedOwner = owner;
     parsedRepositoryNames = repositories;
 
     core.info(
-      `owner and repositories set, creating token for repositories "${repositories}" owned by "${owner}"`
+      `owner and repositories set, creating token for repositories "${repositories.join(',')}" owned by "${owner}"`
     );
   }
 
@@ -73,11 +75,11 @@ export async function main(
   let authentication, installationId, appSlug;
   // If at least one repository is set, get installation ID from that repository
 
-  if (parsedRepositoryNames) {
+  if (parsedRepositoryNames.length > 0) {
     ({ authentication, installationId, appSlug } = await pRetry(() => getTokenFromRepository(request, auth, parsedOwner, parsedRepositoryNames), {
       onFailedAttempt: (error) => {
         core.info(
-          `Failed to create token for "${parsedRepositoryNames}" (attempt ${error.attemptNumber}): ${error.message}`
+          `Failed to create token for "${parsedRepositoryNames.join(',')}" (attempt ${error.attemptNumber}): ${error.message}`
         );
       },
       retries: 3,
@@ -144,7 +146,7 @@ async function getTokenFromRepository(request, auth, parsedOwner, parsedReposito
   // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
   const response = await request("GET /repos/{owner}/{repo}/installation", {
     owner: parsedOwner,
-    repo: parsedRepositoryNames.split(",")[0],
+    repo: parsedRepositoryNames[0],
     request: {
       hook: auth.hook,
     },
@@ -154,11 +156,11 @@ async function getTokenFromRepository(request, auth, parsedOwner, parsedReposito
   const authentication = await auth({
     type: "installation",
     installationId: response.data.id,
-    repositoryNames: parsedRepositoryNames.split(","),
+    repositoryNames: parsedRepositoryNames,
   });
 
   const installationId = response.data.id;
   const appSlug = response.data['app_slug'];
 
   return { authentication, installationId, appSlug };
- }
+}

main.js

@@ -25,7 +25,10 @@ if (!privateKey) {
   throw new Error("Input required and not supplied: private-key");
 }
 const owner = core.getInput("owner");
-const repositories = core.getInput("repositories");
+const repositories = core.getInput("repositories")
+  .split(/[\n,]+/)
+  .map(s => s.trim())
+  .filter(x => x !== '');
 
 const skipTokenRevoke = Boolean(
   core.getInput("skip-token-revoke") || core.getInput("skip_token_revoke")

package.json

@@ -2,10 +2,10 @@
   "name": "create-github-app-token",
   "private": true,
   "type": "module",
-  "version": "1.10.3",
+  "version": "1.11.0",
   "description": "GitHub Action for creating a GitHub App Installation Access Token",
   "scripts": {
-    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0",
+    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0 --packages=bundle",
     "test": "c8 --100 ava tests/index.js",
     "coverage": "c8 report --reporter html",
     "postcoverage": "open-cli coverage/index.html"
@@ -13,20 +13,20 @@
   "license": "MIT",
   "dependencies": {
     "@actions/core": "^1.10.1",
-    "@octokit/auth-app": "^7.1.0",
-    "@octokit/request": "^9.0.1",
+    "@octokit/auth-app": "^7.1.1",
+    "@octokit/request": "^9.1.3",
     "p-retry": "^6.2.0",
-    "undici": "^6.19.2"
+    "undici": "^6.19.8"
   },
   "devDependencies": {
-    "@sinonjs/fake-timers": "^11.2.2",
+    "@sinonjs/fake-timers": "^13.0.1",
     "ava": "^6.1.3",
-    "c8": "^9.1.0",
+    "c8": "^10.1.2",
     "dotenv": "^16.4.5",
-    "esbuild": "^0.21.4",
-    "execa": "^9.1.0",
+    "esbuild": "^0.23.1",
+    "execa": "^9.3.1",
     "open-cli": "^8.0.0",
-    "yaml": "^2.4.2"
+    "yaml": "^2.5.1"
   },
   "release": {
     "branches": [

tests/index.js

@@ -1,11 +1,21 @@
 import { readdirSync } from "node:fs";
 
-import { execa } from "execa";
 import test from "ava";
+import { execa } from "execa";
 
-const tests = readdirSync("tests").filter((file) => file.endsWith(".test.js"));
+// Get all files in tests directory
+const files = readdirSync("tests");
 
-for (const file of tests) {
+// Files to ignore
+const ignore = ["index.js", "main.js", "README.md", "snapshots"];
+
+const testFiles = files.filter((file) => !ignore.includes(file));
+
+// Throw an error if there is a file that does not end with test.js in the tests directory
+for (const file of testFiles) {
+  if (!file.endsWith(".test.js")) {
+    throw new Error(`File ${file} does not end with .test.js`);
+  }
   test(file, async (t) => {
     // Override Actions environment variables that change `core`’s behavior
     const env = {

tests/main-custom-github-api-url.test.js

@@ -1,10 +1,11 @@
-import { test, DEFAULT_ENV } from "./main.js";
+import { DEFAULT_ENV, test } from "./main.js";
 
 // Verify that main works with a custom GitHub API URL passed as `github-api-url` input
 await test(
   () => {
     process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
-    process.env.INPUT_REPOSITORIES = process.env.GITHUB_REPOSITORY;
+    const currentRepoName = process.env.GITHUB_REPOSITORY.split("/")[1];
+    process.env.INPUT_REPOSITORIES = currentRepoName;
   },
   {
     ...DEFAULT_ENV,

tests/main-private-key-with-escaped-newlines.js

@@ -1,6 +0,0 @@
-import { test, DEFAULT_ENV } from "./main.js";
-
-// Verify `main` works correctly when `private-key` input has escaped newlines
-await test(() => {
-  process.env['INPUT_PRIVATE-KEY'] = DEFAULT_ENV.PRIVATE_KEY.replace(/\n/g, '\\n')
-});

tests/main-private-key-with-escaped-newlines.test.js

@@ -0,0 +1,9 @@
+import { DEFAULT_ENV, test } from "./main.js";
+
+// Verify `main` works correctly when `private-key` input has escaped newlines
+await test(() => {
+  process.env["INPUT_PRIVATE-KEY"] = DEFAULT_ENV["INPUT_PRIVATE-KEY"].replace(
+    /\n/g,
+    "\\n"
+  );
+});

tests/main-token-get-owner-set-repo-set-to-many-newline.test.js

@@ -0,0 +1,9 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` and `repositories` inputs are set (and the latter is a list of repos).
+await test(() => {
+  process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
+  const currentRepoName = process.env.GITHUB_REPOSITORY.split("/")[1];
+  // Intentional unnecessary whitespace to test parsing to array
+  process.env.INPUT_REPOSITORIES = `\n ${currentRepoName}\ntoolkit \n\n checkout \n`;
+});

tests/main-token-get-owner-set-repo-set-to-many.test.js

@@ -3,5 +3,7 @@ import { test } from "./main.js";
 // Verify `main` successfully obtains a token when the `owner` and `repositories` inputs are set (and the latter is a list of repos).
 await test(() => {
   process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
-  process.env.INPUT_REPOSITORIES = `${process.env.GITHUB_REPOSITORY},actions/toolkit`;
+  const currentRepoName = process.env.GITHUB_REPOSITORY.split("/")[1];
+  // Intentional unnecessary whitespace to test parsing to array
+  process.env.INPUT_REPOSITORIES = ` ${currentRepoName}, toolkit  ,checkout`;
 });

tests/main-token-get-owner-set-repo-set-to-one.test.js

@@ -3,5 +3,6 @@ import { test } from "./main.js";
 // Verify `main` successfully obtains a token when the `owner` and `repositories` inputs are set (and the latter is a single repo).
 await test(() => {
   process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
-  process.env.INPUT_REPOSITORIES = process.env.GITHUB_REPOSITORY;
+  const currentRepoName = process.env.GITHUB_REPOSITORY.split("/")[1];
+  process.env.INPUT_REPOSITORIES = currentRepoName;
 });

tests/main-token-get-owner-unset-repo-set.test.js

@@ -3,5 +3,6 @@ import { test } from "./main.js";
 // Verify `main` successfully obtains a token when the `owner` input is not set, but the `repositories` input is set.
 await test(() => {
   delete process.env.INPUT_OWNER;
-  process.env.INPUT_REPOSITORIES = process.env.GITHUB_REPOSITORY;
+  const currentRepoName = process.env.GITHUB_REPOSITORY.split("/")[1];
+  process.env.INPUT_REPOSITORIES = currentRepoName;
 });

tests/main.js

@@ -46,7 +46,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
 
   // Set up mocking
   const baseUrl = new URL(env["INPUT_GITHUB-API-URL"]);
-  const basePath = baseUrl.pathname === '/' ? '' : baseUrl.pathname;
+  const basePath = baseUrl.pathname === "/" ? "" : baseUrl.pathname;
   const mockAgent = new MockAgent();
   mockAgent.disableNetConnect();
   setGlobalDispatcher(mockAgent);
@@ -58,8 +58,9 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
   const mockInstallationId = "123456";
   const mockAppSlug = "github-actions";
   const owner = env.INPUT_OWNER ?? env.GITHUB_REPOSITORY_OWNER;
+  const currentRepoName = env.GITHUB_REPOSITORY.split("/")[1];
   const repo = encodeURIComponent(
-    (env.INPUT_REPOSITORIES ?? env.GITHUB_REPOSITORY).split(",")[0]
+    (env.INPUT_REPOSITORIES ?? currentRepoName).split(",")[0]
   );
   mockPool
     .intercept({
@@ -73,7 +74,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
     })
     .reply(
       200,
-      { id: mockInstallationId, "app_slug": mockAppSlug },
+      { id: mockInstallationId, app_slug: mockAppSlug },
       { headers: { "content-type": "application/json" } }
     );
 

tests/snapshots/index.js.md

@@ -24,7 +24,7 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `owner and repositories set, creating token for repositories "actions/create-github-app-token" owned by "actions"␊
+    `owner and repositories set, creating token for repositories "create-github-app-token" owned by "actions"␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -75,6 +75,45 @@ Generated by [AVA](https://avajs.dev).
 
     ''
 
+## main-private-key-with-escaped-newlines.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `owner and repositories not set, creating token for the current repository ("create-github-app-token")␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
+
+## main-repo-skew.test.js
+
+> stderr
+
+    `'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued.␊
+    [@octokit/auth-app] GitHub API time and system time are different by 30 seconds. Retrying request with the difference accounted for.`
+
+> stdout
+
+    `owner and repositories set, creating token for repositories "failed-repo" owned by "actions"␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
+
 ## main-token-get-owner-set-repo-fail-response.test.js
 
 > stderr
@@ -95,6 +134,25 @@ Generated by [AVA](https://avajs.dev).
     ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
+## main-token-get-owner-set-repo-set-to-many-newline.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `owner and repositories set, creating token for repositories "create-github-app-token,toolkit,checkout" owned by "actions"␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
+
 ## main-token-get-owner-set-repo-set-to-many.test.js
 
 > stderr
@@ -103,7 +161,7 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `owner and repositories set, creating token for repositories "actions/create-github-app-token,actions/toolkit" owned by "actions"␊
+    `owner and repositories set, creating token for repositories "create-github-app-token,toolkit,checkout" owned by "actions"␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -122,7 +180,7 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `owner and repositories set, creating token for repositories "actions/create-github-app-token" owned by "actions"␊
+    `owner and repositories set, creating token for repositories "create-github-app-token" owned by "actions"␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
@@ -199,7 +257,7 @@ Generated by [AVA](https://avajs.dev).
 
 > stdout
 
-    `owner not set, creating owner for given repositories "actions/create-github-app-token" in current owner ("actions")␊
+    `owner not set, creating owner for given repositories "create-github-app-token" in current owner ("actions")␊
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊