build(release): 1.6.1 [skip ci]

## [1.6.1](https://github.com/actions/create-github-app-token/compare/v1.6.0...v1.6.1) (2023-12-01)

### Bug Fixes

* **deps:** bump dependencies([#84](https://github.com/actions/create-github-app-token/issues/84)) ([474769d](https://github.com/actions/create-github-app-token/commit/474769db88900a253a1c4aa9b4398d8a90c4cdab)), closes [#651](https://github.com/actions/create-github-app-token/issues/651) [#648](https://github.com/actions/create-github-app-token/issues/648) [#649](https://github.com/actions/create-github-app-token/issues/649) [#651](https://github.com/actions/create-github-app-token/issues/651) [#648](https://github.com/actions/create-github-app-token/issues/648) [#646](https://github.com/actions/create-github-app-token/issues/646)

.github/workflows/release.yml

@@ -1,5 +1,6 @@
 name: release
-"on":
+
+on:
   push:
     branches:
       - main
@@ -14,16 +15,25 @@ jobs:
     name: release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
-        id: app-token
-        with:
-          app_id: ${{ vars.RELEASER_APP_ID }}
-          private_key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
+      # build local version to create token
       - uses: actions/checkout@v4
         with:
-          token: ${{ steps.app-token.outputs.token }}
-      - run: npm install --no-save @semantic-release/git semantic-release-plugin-github-breaking-version-tag
+          persist-credentials: false
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: .node-version
+          cache: 'npm'
+
+      - run: npm ci
       - run: npm run build
+      - uses: ./
+        id: app-token
+        with:
+          app-id: ${{ vars.RELEASER_APP_ID }}
+          private-key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
+      # install release dependencies and release
+      - run: npm install --no-save @semantic-release/git semantic-release-plugin-github-breaking-version-tag
       - run: npx semantic-release --debug
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/test.yml

@@ -1,4 +1,5 @@
 name: test
+
 on:
   push:
     branches:
@@ -15,10 +16,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+
+      - uses: actions/setup-node@v4
         with:
-          node-version: 20
-          cache: "npm"
+          node-version-file: .node-version
+          cache: 'npm'
+
       - run: npm ci
       - run: npm test
 
@@ -29,7 +32,7 @@ jobs:
     if: github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 20
           cache: "npm"
@@ -38,8 +41,8 @@ jobs:
       - uses: ./ # Uses the action in the root directory
         id: test
         with:
-          app_id: ${{ vars.TEST_APP_ID }}
-          private_key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
+          app-id: ${{ vars.TEST_APP_ID }}
+          private-key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
       - uses: octokit/request-action@v2.x
         id: get-repository
         env:

.gitignore

@@ -1,2 +1,3 @@
-node_modules/
 .env
+coverage
+node_modules/

.node-version

@@ -0,0 +1 @@
+20.9.0

README.md

@@ -1,5 +1,7 @@
 # Create GitHub App Token
 
+[![test](https://github.com/actions/create-github-app-token/actions/workflows/test.yml/badge.svg)](https://github.com/actions/create-github-app-token/actions/workflows/test.yml)
+
 GitHub Action for creating a GitHub App installation access token.
 
 ## Usage
@@ -22,8 +24,8 @@ jobs:
       - uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app_id: ${{ vars.APP_ID }}
-          private_key: ${{ secrets.PRIVATE_KEY }}
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
       - uses: peter-evans/create-or-update-comment@v3
         with:
           token: ${{ steps.app-token.outputs.token }}
@@ -44,9 +46,9 @@ jobs:
         id: app-token
         with:
           # required
-          app_id: ${{ vars.APP_ID }}
-          private_key: ${{ secrets.PRIVATE_KEY }}
-      - uses: actions/checkout@v3
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+      - uses: actions/checkout@v4
         with:
           token: ${{ steps.app-token.outputs.token }}
           ref: ${{ github.head_ref }}
@@ -69,8 +71,8 @@ jobs:
       - uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app_id: ${{ vars.APP_ID }}
-          private_key: ${{ secrets.PRIVATE_KEY }}
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
       - uses: peter-evans/create-or-update-comment@v3
         with:
@@ -91,8 +93,8 @@ jobs:
       - uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app_id: ${{ vars.APP_ID }}
-          private_key: ${{ secrets.PRIVATE_KEY }}
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
           repositories: "repo1,repo2"
       - uses: peter-evans/create-or-update-comment@v3
@@ -114,8 +116,8 @@ jobs:
       - uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app_id: ${{ vars.APP_ID }}
-          private_key: ${{ secrets.PRIVATE_KEY }}
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
           owner: another-owner
       - uses: peter-evans/create-or-update-comment@v3
         with:
@@ -124,13 +126,59 @@ jobs:
           body: "Hello, World!"
 ```
 
+### Create tokens for multiple user or organization accounts
+
+You can use a matrix strategy to create tokens for multiple user or organization accounts.
+
+> [!NOTE]
+> See [this documentation](https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings) for information on using multiline strings in workflows.
+
+```yaml
+on: [workflow_dispatch]
+
+jobs:
+  set-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{steps.set.outputs.matrix }}
+    steps:
+      - id: set
+        run: echo 'matrix=[{"owner":"owner1"},{"owner":"owner2","repos":["repo1"]}]' >>"$GITHUB_OUTPUT"
+
+  use-matrix:
+    name: '@${{ matrix.owners-and-repos.owner }} installation'
+    needs: [set-matrix]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        owners-and-repos: ${{ fromJson(needs.set-matrix.outputs.matrix) }}
+
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.PRIVATE_KEY }}
+          owner: ${{ matrix.owners-and-repos.owner }}
+          repositories: ${{ join(matrix.owners-and-repos.repos) }}
+      - uses: octokit/request-action@v2.x
+        id: get-installation-repositories
+        with:
+          route: GET /installation/repositories
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+      - run: echo "$MULTILINE_JSON_STRING"
+        env:
+          MULTILINE_JSON_STRING: ${{ steps.get-installation-repositories.outputs.data }}
+```
+
 ## Inputs
 
-### `app_id`
+### `app-id`
 
 **Required:** GitHub App ID.
 
-### `private_key`
+### `private-key`
 
 **Required:** GitHub App private key.
 
@@ -145,7 +193,7 @@ jobs:
 > [!NOTE]
 > If `owner` is set and `repositories` is empty, access will be scoped to all repositories in the provided repository owner's installation. If `owner` and `repositories` are empty, access will be scoped to only the current repository.
 
-### `skip_token_revoke`
+### `skip-token-revoke`
 
 **Optional:** If truthy, the token will not be revoked when the current job is complete.
 
@@ -162,7 +210,7 @@ The action creates an installation access token using [the `POST /app/installati
 1. The token is scoped to the current repository or `repositories` if set.
 2. The token inherits all the installation's permissions.
 3. The token is set as output `token` which can be used in subsequent steps.
-4. Unless the `skip_token_revoke` input is set to a truthy value, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
+4. Unless the `skip-token-revoke` input is set to a truthy value, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
 5. The token is masked, it cannot be logged accidentally.
 
 > [!NOTE]

action.yml

@@ -5,21 +5,33 @@ branding:
   icon: "lock"
   color: "gray-dark"
 inputs:
+  app-id:
+    description: "GitHub App ID"
+    required: false # TODO: When 'app_id' is removed, make 'app-id' required
   app_id:
     description: "GitHub App ID"
-    required: true
+    required: false
+    deprecationMessage: "'app_id' is deprecated and will be removed in a future version. Use 'app-id' instead."
+  private-key:
+    description: "GitHub App private key"
+    required: false # TODO: When 'private_key' is removed, make 'private-key' required
   private_key:
     description: "GitHub App private key"
-    required: true
+    required: false
+    deprecationMessage: "'private_key' is deprecated and will be removed in a future version. Use 'private-key' instead."
   owner:
     description: "GitHub App owner (defaults to current repository owner)"
     required: false
   repositories:
     description: "Repositories to install the GitHub App on (defaults to current repository if owner is unset)"
     required: false
+  skip-token-revoke:
+    description: "If truthy, the token will not be revoked when the current job is complete"
+    required: false
   skip_token_revoke:
     description: "If truthy, the token will not be revoked when the current job is complete"
     required: false
+    deprecationMessage: "'skip_token_revoke' is deprecated and will be removed in a future version. Use 'skip-token-revoke' instead."
 outputs:
   token:
     description: "GitHub installation access token"

badges/coverage.svg

@@ -0,0 +1,25 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="106"
+    height="20" role="img" aria-label="Coverage: 100%">
+    <title>Coverage: 100%</title>
+    <linearGradient id="s" x2="0" y2="100%">
+        <stop offset="0" stop-color="#bbb" stop-opacity=".1" />
+        <stop offset="1" stop-opacity=".1" />
+    </linearGradient>
+    <clipPath id="r">
+        <rect width="106" height="20" rx="3" fill="#fff" />
+    </clipPath>
+    <g clip-path="url(#r)">
+        <rect width="63" height="20" fill="#555" />
+        <rect x="63" width="43" height="20" fill="#4c1" />
+        <rect width="106" height="20" fill="url(#s)" />
+    </g>
+    <g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif"
+        text-rendering="geometricPrecision" font-size="110">
+        <text aria-hidden="true" x="325" y="150" fill="#010101" fill-opacity=".3"
+            transform="scale(.1)" textLength="530">Coverage</text>
+        <text x="325" y="140" transform="scale(.1)" fill="#fff" textLength="530">Coverage</text>
+        <text aria-hidden="true" x="835" y="150" fill="#010101" fill-opacity=".3"
+            transform="scale(.1)" textLength="330">100%</text>
+        <text x="835" y="140" transform="scale(.1)" fill="#fff" textLength="330">100%</text>
+    </g>
+</svg>

dist/main.cjs

@@ -2811,8 +2811,18 @@ var require_dist_node5 = __commonJS({
     module2.exports = __toCommonJS2(dist_src_exports);
     var import_endpoint = require_dist_node2();
     var import_universal_user_agent = require_dist_node();
-    var VERSION = "8.1.2";
-    var import_is_plain_object = require_is_plain_object();
+    var VERSION = "8.1.6";
+    function isPlainObject(value) {
+      if (typeof value !== "object" || value === null)
+        return false;
+      if (Object.prototype.toString.call(value) !== "[object Object]")
+        return false;
+      const proto = Object.getPrototypeOf(value);
+      if (proto === null)
+        return true;
+      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
+      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
+    }
     var import_request_error = require_dist_node4();
     function getBufferResponse(response) {
       return response.arrayBuffer();
@@ -2821,7 +2831,7 @@ var require_dist_node5 = __commonJS({
       var _a, _b, _c;
       const log = requestOptions.request && requestOptions.request.log ? requestOptions.request.log : console;
       const parseSuccessResponseBody = ((_a = requestOptions.request) == null ? void 0 : _a.parseSuccessResponseBody) !== false;
-      if ((0, import_is_plain_object.isPlainObject)(requestOptions.body) || Array.isArray(requestOptions.body)) {
+      if (isPlainObject(requestOptions.body) || Array.isArray(requestOptions.body)) {
         requestOptions.body = JSON.stringify(requestOptions.body);
       }
       let headers = {};
@@ -2911,7 +2921,15 @@ var require_dist_node5 = __commonJS({
           throw error;
         else if (error.name === "AbortError")
           throw error;
-        throw new import_request_error.RequestError(error.message, 500, {
+        let message = error.message;
+        if (error.name === "TypeError" && "cause" in error) {
+          if (error.cause instanceof Error) {
+            message = error.cause.message;
+          } else if (typeof error.cause === "string") {
+            message = error.cause;
+          }
+        }
+        throw new import_request_error.RequestError(message, 500, {
           request: requestOptions
         });
       });
@@ -2919,7 +2937,7 @@ var require_dist_node5 = __commonJS({
     async function getResponseData(response) {
       const contentType = response.headers.get("content-type");
       if (/application\/json/.test(contentType)) {
-        return response.json();
+        return response.json().catch(() => response.text()).catch(() => "");
       }
       if (!contentType || /^text\/|charset=utf-8$/.test(contentType)) {
         return response.text();
@@ -7656,7 +7674,7 @@ var require_lodash = __commonJS({
     }
     var objectProto = Object.prototype;
     var hasOwnProperty = objectProto.hasOwnProperty;
-    var objectToString = objectProto.toString;
+    var objectToString2 = objectProto.toString;
     var propertyIsEnumerable = objectProto.propertyIsEnumerable;
     var nativeKeys = overArg(Object.keys, Object);
     var nativeMax = Math.max;
@@ -7700,7 +7718,7 @@ var require_lodash = __commonJS({
       return isString(collection) ? fromIndex <= length && collection.indexOf(value, fromIndex) > -1 : !!length && baseIndexOf(collection, value, fromIndex) > -1;
     }
     function isArguments(value) {
-      return isArrayLikeObject(value) && hasOwnProperty.call(value, "callee") && (!propertyIsEnumerable.call(value, "callee") || objectToString.call(value) == argsTag);
+      return isArrayLikeObject(value) && hasOwnProperty.call(value, "callee") && (!propertyIsEnumerable.call(value, "callee") || objectToString2.call(value) == argsTag);
     }
     var isArray = Array.isArray;
     function isArrayLike(value) {
@@ -7710,7 +7728,7 @@ var require_lodash = __commonJS({
       return isObjectLike(value) && isArrayLike(value);
     }
     function isFunction(value) {
-      var tag = isObject(value) ? objectToString.call(value) : "";
+      var tag = isObject(value) ? objectToString2.call(value) : "";
       return tag == funcTag || tag == genTag;
     }
     function isLength(value) {
@@ -7724,10 +7742,10 @@ var require_lodash = __commonJS({
       return !!value && typeof value == "object";
     }
     function isString(value) {
-      return typeof value == "string" || !isArray(value) && isObjectLike(value) && objectToString.call(value) == stringTag;
+      return typeof value == "string" || !isArray(value) && isObjectLike(value) && objectToString2.call(value) == stringTag;
     }
     function isSymbol(value) {
-      return typeof value == "symbol" || isObjectLike(value) && objectToString.call(value) == symbolTag;
+      return typeof value == "symbol" || isObjectLike(value) && objectToString2.call(value) == symbolTag;
     }
     function toFinite(value) {
       if (!value) {
@@ -7777,9 +7795,9 @@ var require_lodash2 = __commonJS({
   "node_modules/lodash.isboolean/index.js"(exports, module2) {
     var boolTag = "[object Boolean]";
     var objectProto = Object.prototype;
-    var objectToString = objectProto.toString;
+    var objectToString2 = objectProto.toString;
     function isBoolean(value) {
-      return value === true || value === false || isObjectLike(value) && objectToString.call(value) == boolTag;
+      return value === true || value === false || isObjectLike(value) && objectToString2.call(value) == boolTag;
     }
     function isObjectLike(value) {
       return !!value && typeof value == "object";
@@ -7801,7 +7819,7 @@ var require_lodash3 = __commonJS({
     var reIsOctal = /^0o[0-7]+$/i;
     var freeParseInt = parseInt;
     var objectProto = Object.prototype;
-    var objectToString = objectProto.toString;
+    var objectToString2 = objectProto.toString;
     function isInteger(value) {
       return typeof value == "number" && value == toInteger(value);
     }
@@ -7813,7 +7831,7 @@ var require_lodash3 = __commonJS({
       return !!value && typeof value == "object";
     }
     function isSymbol(value) {
-      return typeof value == "symbol" || isObjectLike(value) && objectToString.call(value) == symbolTag;
+      return typeof value == "symbol" || isObjectLike(value) && objectToString2.call(value) == symbolTag;
     }
     function toFinite(value) {
       if (!value) {
@@ -7857,12 +7875,12 @@ var require_lodash4 = __commonJS({
   "node_modules/lodash.isnumber/index.js"(exports, module2) {
     var numberTag = "[object Number]";
     var objectProto = Object.prototype;
-    var objectToString = objectProto.toString;
+    var objectToString2 = objectProto.toString;
     function isObjectLike(value) {
       return !!value && typeof value == "object";
     }
     function isNumber(value) {
-      return typeof value == "number" || isObjectLike(value) && objectToString.call(value) == numberTag;
+      return typeof value == "number" || isObjectLike(value) && objectToString2.call(value) == numberTag;
     }
     module2.exports = isNumber;
   }
@@ -7892,13 +7910,13 @@ var require_lodash5 = __commonJS({
     var funcToString = funcProto.toString;
     var hasOwnProperty = objectProto.hasOwnProperty;
     var objectCtorString = funcToString.call(Object);
-    var objectToString = objectProto.toString;
+    var objectToString2 = objectProto.toString;
     var getPrototype = overArg(Object.getPrototypeOf, Object);
     function isObjectLike(value) {
       return !!value && typeof value == "object";
     }
     function isPlainObject(value) {
-      if (!isObjectLike(value) || objectToString.call(value) != objectTag || isHostObject(value)) {
+      if (!isObjectLike(value) || objectToString2.call(value) != objectTag || isHostObject(value)) {
         return false;
       }
       var proto = getPrototype(value);
@@ -7917,13 +7935,13 @@ var require_lodash6 = __commonJS({
   "node_modules/lodash.isstring/index.js"(exports, module2) {
     var stringTag = "[object String]";
     var objectProto = Object.prototype;
-    var objectToString = objectProto.toString;
+    var objectToString2 = objectProto.toString;
     var isArray = Array.isArray;
     function isObjectLike(value) {
       return !!value && typeof value == "object";
     }
     function isString(value) {
-      return typeof value == "string" || !isArray(value) && isObjectLike(value) && objectToString.call(value) == stringTag;
+      return typeof value == "string" || !isArray(value) && isObjectLike(value) && objectToString2.call(value) == stringTag;
     }
     module2.exports = isString;
   }
@@ -7943,7 +7961,7 @@ var require_lodash7 = __commonJS({
     var reIsOctal = /^0o[0-7]+$/i;
     var freeParseInt = parseInt;
     var objectProto = Object.prototype;
-    var objectToString = objectProto.toString;
+    var objectToString2 = objectProto.toString;
     function before(n, func) {
       var result;
       if (typeof func != "function") {
@@ -7971,7 +7989,7 @@ var require_lodash7 = __commonJS({
       return !!value && typeof value == "object";
     }
     function isSymbol(value) {
-      return typeof value == "symbol" || isObjectLike(value) && objectToString.call(value) == symbolTag;
+      return typeof value == "symbol" || isObjectLike(value) && objectToString2.call(value) == symbolTag;
     }
     function toFinite(value) {
       if (!value) {
@@ -10001,10 +10019,340 @@ var require_dist_node12 = __commonJS({
   }
 });
 
+// node_modules/retry/lib/retry_operation.js
+var require_retry_operation = __commonJS({
+  "node_modules/retry/lib/retry_operation.js"(exports, module2) {
+    function RetryOperation(timeouts, options) {
+      if (typeof options === "boolean") {
+        options = { forever: options };
+      }
+      this._originalTimeouts = JSON.parse(JSON.stringify(timeouts));
+      this._timeouts = timeouts;
+      this._options = options || {};
+      this._maxRetryTime = options && options.maxRetryTime || Infinity;
+      this._fn = null;
+      this._errors = [];
+      this._attempts = 1;
+      this._operationTimeout = null;
+      this._operationTimeoutCb = null;
+      this._timeout = null;
+      this._operationStart = null;
+      this._timer = null;
+      if (this._options.forever) {
+        this._cachedTimeouts = this._timeouts.slice(0);
+      }
+    }
+    module2.exports = RetryOperation;
+    RetryOperation.prototype.reset = function() {
+      this._attempts = 1;
+      this._timeouts = this._originalTimeouts.slice(0);
+    };
+    RetryOperation.prototype.stop = function() {
+      if (this._timeout) {
+        clearTimeout(this._timeout);
+      }
+      if (this._timer) {
+        clearTimeout(this._timer);
+      }
+      this._timeouts = [];
+      this._cachedTimeouts = null;
+    };
+    RetryOperation.prototype.retry = function(err) {
+      if (this._timeout) {
+        clearTimeout(this._timeout);
+      }
+      if (!err) {
+        return false;
+      }
+      var currentTime = (/* @__PURE__ */ new Date()).getTime();
+      if (err && currentTime - this._operationStart >= this._maxRetryTime) {
+        this._errors.push(err);
+        this._errors.unshift(new Error("RetryOperation timeout occurred"));
+        return false;
+      }
+      this._errors.push(err);
+      var timeout = this._timeouts.shift();
+      if (timeout === void 0) {
+        if (this._cachedTimeouts) {
+          this._errors.splice(0, this._errors.length - 1);
+          timeout = this._cachedTimeouts.slice(-1);
+        } else {
+          return false;
+        }
+      }
+      var self = this;
+      this._timer = setTimeout(function() {
+        self._attempts++;
+        if (self._operationTimeoutCb) {
+          self._timeout = setTimeout(function() {
+            self._operationTimeoutCb(self._attempts);
+          }, self._operationTimeout);
+          if (self._options.unref) {
+            self._timeout.unref();
+          }
+        }
+        self._fn(self._attempts);
+      }, timeout);
+      if (this._options.unref) {
+        this._timer.unref();
+      }
+      return true;
+    };
+    RetryOperation.prototype.attempt = function(fn, timeoutOps) {
+      this._fn = fn;
+      if (timeoutOps) {
+        if (timeoutOps.timeout) {
+          this._operationTimeout = timeoutOps.timeout;
+        }
+        if (timeoutOps.cb) {
+          this._operationTimeoutCb = timeoutOps.cb;
+        }
+      }
+      var self = this;
+      if (this._operationTimeoutCb) {
+        this._timeout = setTimeout(function() {
+          self._operationTimeoutCb();
+        }, self._operationTimeout);
+      }
+      this._operationStart = (/* @__PURE__ */ new Date()).getTime();
+      this._fn(this._attempts);
+    };
+    RetryOperation.prototype.try = function(fn) {
+      console.log("Using RetryOperation.try() is deprecated");
+      this.attempt(fn);
+    };
+    RetryOperation.prototype.start = function(fn) {
+      console.log("Using RetryOperation.start() is deprecated");
+      this.attempt(fn);
+    };
+    RetryOperation.prototype.start = RetryOperation.prototype.try;
+    RetryOperation.prototype.errors = function() {
+      return this._errors;
+    };
+    RetryOperation.prototype.attempts = function() {
+      return this._attempts;
+    };
+    RetryOperation.prototype.mainError = function() {
+      if (this._errors.length === 0) {
+        return null;
+      }
+      var counts = {};
+      var mainError = null;
+      var mainErrorCount = 0;
+      for (var i = 0; i < this._errors.length; i++) {
+        var error = this._errors[i];
+        var message = error.message;
+        var count = (counts[message] || 0) + 1;
+        counts[message] = count;
+        if (count >= mainErrorCount) {
+          mainError = error;
+          mainErrorCount = count;
+        }
+      }
+      return mainError;
+    };
+  }
+});
+
+// node_modules/retry/lib/retry.js
+var require_retry = __commonJS({
+  "node_modules/retry/lib/retry.js"(exports) {
+    var RetryOperation = require_retry_operation();
+    exports.operation = function(options) {
+      var timeouts = exports.timeouts(options);
+      return new RetryOperation(timeouts, {
+        forever: options && (options.forever || options.retries === Infinity),
+        unref: options && options.unref,
+        maxRetryTime: options && options.maxRetryTime
+      });
+    };
+    exports.timeouts = function(options) {
+      if (options instanceof Array) {
+        return [].concat(options);
+      }
+      var opts = {
+        retries: 10,
+        factor: 2,
+        minTimeout: 1 * 1e3,
+        maxTimeout: Infinity,
+        randomize: false
+      };
+      for (var key in options) {
+        opts[key] = options[key];
+      }
+      if (opts.minTimeout > opts.maxTimeout) {
+        throw new Error("minTimeout is greater than maxTimeout");
+      }
+      var timeouts = [];
+      for (var i = 0; i < opts.retries; i++) {
+        timeouts.push(this.createTimeout(i, opts));
+      }
+      if (options && options.forever && !timeouts.length) {
+        timeouts.push(this.createTimeout(i, opts));
+      }
+      timeouts.sort(function(a, b) {
+        return a - b;
+      });
+      return timeouts;
+    };
+    exports.createTimeout = function(attempt, opts) {
+      var random = opts.randomize ? Math.random() + 1 : 1;
+      var timeout = Math.round(random * Math.max(opts.minTimeout, 1) * Math.pow(opts.factor, attempt));
+      timeout = Math.min(timeout, opts.maxTimeout);
+      return timeout;
+    };
+    exports.wrap = function(obj, options, methods) {
+      if (options instanceof Array) {
+        methods = options;
+        options = null;
+      }
+      if (!methods) {
+        methods = [];
+        for (var key in obj) {
+          if (typeof obj[key] === "function") {
+            methods.push(key);
+          }
+        }
+      }
+      for (var i = 0; i < methods.length; i++) {
+        var method = methods[i];
+        var original = obj[method];
+        obj[method] = function retryWrapper(original2) {
+          var op = exports.operation(options);
+          var args = Array.prototype.slice.call(arguments, 1);
+          var callback = args.pop();
+          args.push(function(err) {
+            if (op.retry(err)) {
+              return;
+            }
+            if (err) {
+              arguments[0] = op.mainError();
+            }
+            callback.apply(this, arguments);
+          });
+          op.attempt(function() {
+            original2.apply(obj, args);
+          });
+        }.bind(obj, original);
+        obj[method].options = options;
+      }
+    };
+  }
+});
+
+// node_modules/retry/index.js
+var require_retry2 = __commonJS({
+  "node_modules/retry/index.js"(exports, module2) {
+    module2.exports = require_retry();
+  }
+});
+
 // main.js
 var import_core = __toESM(require_core(), 1);
 var import_auth_app = __toESM(require_dist_node12(), 1);
 
+// node_modules/p-retry/index.js
+var import_retry = __toESM(require_retry2(), 1);
+
+// node_modules/is-network-error/index.js
+var objectToString = Object.prototype.toString;
+var isError = (value) => objectToString.call(value) === "[object Error]";
+var errorMessages = /* @__PURE__ */ new Set([
+  "Failed to fetch",
+  // Chrome
+  "NetworkError when attempting to fetch resource.",
+  // Firefox
+  "The Internet connection appears to be offline.",
+  // Safari 16
+  "Load failed",
+  // Safari 17+
+  "Network request failed",
+  // `cross-fetch`
+  "fetch failed"
+  // Undici (Node.js)
+]);
+function isNetworkError(error) {
+  const isValid = error && isError(error) && error.name === "TypeError" && typeof error.message === "string";
+  if (!isValid) {
+    return false;
+  }
+  if (error.message === "Load failed") {
+    return error.stack === void 0;
+  }
+  return errorMessages.has(error.message);
+}
+
+// node_modules/p-retry/index.js
+var AbortError = class extends Error {
+  constructor(message) {
+    super();
+    if (message instanceof Error) {
+      this.originalError = message;
+      ({ message } = message);
+    } else {
+      this.originalError = new Error(message);
+      this.originalError.stack = this.stack;
+    }
+    this.name = "AbortError";
+    this.message = message;
+  }
+};
+var decorateErrorWithCounts = (error, attemptNumber, options) => {
+  const retriesLeft = options.retries - (attemptNumber - 1);
+  error.attemptNumber = attemptNumber;
+  error.retriesLeft = retriesLeft;
+  return error;
+};
+async function pRetry(input, options) {
+  return new Promise((resolve, reject) => {
+    options = {
+      onFailedAttempt() {
+      },
+      retries: 10,
+      ...options
+    };
+    const operation = import_retry.default.operation(options);
+    const abortHandler = () => {
+      operation.stop();
+      reject(options.signal?.reason);
+    };
+    if (options.signal && !options.signal.aborted) {
+      options.signal.addEventListener("abort", abortHandler, { once: true });
+    }
+    const cleanUp = () => {
+      options.signal?.removeEventListener("abort", abortHandler);
+      operation.stop();
+    };
+    operation.attempt(async (attemptNumber) => {
+      try {
+        const result = await input(attemptNumber);
+        cleanUp();
+        resolve(result);
+      } catch (error) {
+        try {
+          if (!(error instanceof Error)) {
+            throw new TypeError(`Non-error was thrown: "${error}". You should only throw errors.`);
+          }
+          if (error instanceof AbortError) {
+            throw error.originalError;
+          }
+          if (error instanceof TypeError && !isNetworkError(error)) {
+            throw error;
+          }
+          await options.onFailedAttempt(decorateErrorWithCounts(error, attemptNumber, options));
+          if (!operation.retry(error)) {
+            throw operation.mainError();
+          }
+        } catch (finalError) {
+          decorateErrorWithCounts(finalError, attemptNumber, options);
+          cleanUp();
+          reject(finalError);
+        }
+      }
+    });
+  });
+}
+
 // lib/main.js
 async function main(appId2, privateKey2, owner2, repositories2, core2, createAppAuth2, request2, skipTokenRevoke2) {
   let parsedOwner = "";
@@ -10047,37 +10395,22 @@ async function main(appId2, privateKey2, owner2, repositories2, core2, createApp
   });
   let authentication;
   if (parsedRepositoryNames) {
-    const response = await request2("GET /repos/{owner}/{repo}/installation", {
-      owner: parsedOwner,
-      repo: parsedRepositoryNames.split(",")[0],
-      headers: {
-        authorization: `bearer ${appAuthentication.token}`
-      }
-    });
-    authentication = await auth({
-      type: "installation",
-      installationId: response.data.id,
-      repositoryNames: parsedRepositoryNames.split(",")
+    authentication = await pRetry(() => getTokenFromRepository(request2, auth, parsedOwner, appAuthentication, parsedRepositoryNames), {
+      onFailedAttempt: (error) => {
+        core2.info(
+          `Failed to create token for "${parsedRepositoryNames}" (attempt ${error.attemptNumber}): ${error.message}`
+        );
+      },
+      retries: 3
     });
   } else {
-    const response = await request2("GET /orgs/{org}/installation", {
-      org: parsedOwner,
-      headers: {
-        authorization: `bearer ${appAuthentication.token}`
-      }
-    }).catch((error) => {
-      if (error.status !== 404)
-        throw error;
-      return request2("GET /users/{username}/installation", {
-        username: parsedOwner,
-        headers: {
-          authorization: `bearer ${appAuthentication.token}`
-        }
-      });
-    });
-    authentication = await auth({
-      type: "installation",
-      installationId: response.data.id
+    authentication = await pRetry(() => getTokenFromOwner(request2, auth, appAuthentication, parsedOwner), {
+      onFailedAttempt: (error) => {
+        core2.info(
+          `Failed to create token for "${parsedOwner}" (attempt ${error.attemptNumber}): ${error.message}`
+        );
+      },
+      retries: 3
     });
   }
   core2.setSecret(authentication.token);
@@ -10086,6 +10419,43 @@ async function main(appId2, privateKey2, owner2, repositories2, core2, createApp
     core2.saveState("token", authentication.token);
   }
 }
+async function getTokenFromOwner(request2, auth, appAuthentication, parsedOwner) {
+  const response = await request2("GET /orgs/{org}/installation", {
+    org: parsedOwner,
+    headers: {
+      authorization: `bearer ${appAuthentication.token}`
+    }
+  }).catch((error) => {
+    if (error.status !== 404)
+      throw error;
+    return request2("GET /users/{username}/installation", {
+      username: parsedOwner,
+      headers: {
+        authorization: `bearer ${appAuthentication.token}`
+      }
+    });
+  });
+  const authentication = await auth({
+    type: "installation",
+    installationId: response.data.id
+  });
+  return authentication;
+}
+async function getTokenFromRepository(request2, auth, parsedOwner, appAuthentication, parsedRepositoryNames) {
+  const response = await request2("GET /repos/{owner}/{repo}/installation", {
+    owner: parsedOwner,
+    repo: parsedRepositoryNames.split(",")[0],
+    headers: {
+      authorization: `bearer ${appAuthentication.token}`
+    }
+  });
+  const authentication = await auth({
+    type: "installation",
+    installationId: response.data.id,
+    repositoryNames: parsedRepositoryNames.split(",")
+  });
+  return authentication;
+}
 
 // lib/request.js
 var import_request = __toESM(require_dist_node5(), 1);
@@ -10103,11 +10473,19 @@ if (!process.env.GITHUB_REPOSITORY) {
 if (!process.env.GITHUB_REPOSITORY_OWNER) {
   throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
 }
-var appId = import_core.default.getInput("app_id");
-var privateKey = import_core.default.getInput("private_key");
+var appId = import_core.default.getInput("app-id") || import_core.default.getInput("app_id");
+if (!appId) {
+  throw new Error("Input required and not supplied: app-id");
+}
+var privateKey = import_core.default.getInput("private-key") || import_core.default.getInput("private_key");
+if (!privateKey) {
+  throw new Error("Input required and not supplied: private-key");
+}
 var owner = import_core.default.getInput("owner");
 var repositories = import_core.default.getInput("repositories");
-var skipTokenRevoke = Boolean(import_core.default.getInput("skip_token_revoke"));
+var skipTokenRevoke = Boolean(
+  import_core.default.getInput("skip-token-revoke") || import_core.default.getInput("skip_token_revoke")
+);
 main(
   appId,
   privateKey,

dist/post.cjs

@@ -2811,8 +2811,18 @@ var require_dist_node5 = __commonJS({
     module2.exports = __toCommonJS2(dist_src_exports);
     var import_endpoint = require_dist_node2();
     var import_universal_user_agent = require_dist_node();
-    var VERSION = "8.1.2";
-    var import_is_plain_object = require_is_plain_object();
+    var VERSION = "8.1.6";
+    function isPlainObject(value) {
+      if (typeof value !== "object" || value === null)
+        return false;
+      if (Object.prototype.toString.call(value) !== "[object Object]")
+        return false;
+      const proto = Object.getPrototypeOf(value);
+      if (proto === null)
+        return true;
+      const Ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
+      return typeof Ctor === "function" && Ctor instanceof Ctor && Function.prototype.call(Ctor) === Function.prototype.call(value);
+    }
     var import_request_error = require_dist_node4();
     function getBufferResponse(response) {
       return response.arrayBuffer();
@@ -2821,7 +2831,7 @@ var require_dist_node5 = __commonJS({
       var _a, _b, _c;
       const log = requestOptions.request && requestOptions.request.log ? requestOptions.request.log : console;
       const parseSuccessResponseBody = ((_a = requestOptions.request) == null ? void 0 : _a.parseSuccessResponseBody) !== false;
-      if ((0, import_is_plain_object.isPlainObject)(requestOptions.body) || Array.isArray(requestOptions.body)) {
+      if (isPlainObject(requestOptions.body) || Array.isArray(requestOptions.body)) {
         requestOptions.body = JSON.stringify(requestOptions.body);
       }
       let headers = {};
@@ -2911,7 +2921,15 @@ var require_dist_node5 = __commonJS({
           throw error;
         else if (error.name === "AbortError")
           throw error;
-        throw new import_request_error.RequestError(error.message, 500, {
+        let message = error.message;
+        if (error.name === "TypeError" && "cause" in error) {
+          if (error.cause instanceof Error) {
+            message = error.cause.message;
+          } else if (typeof error.cause === "string") {
+            message = error.cause;
+          }
+        }
+        throw new import_request_error.RequestError(message, 500, {
           request: requestOptions
         });
       });
@@ -2919,7 +2937,7 @@ var require_dist_node5 = __commonJS({
     async function getResponseData(response) {
       const contentType = response.headers.get("content-type");
       if (/application\/json/.test(contentType)) {
-        return response.json();
+        return response.json().catch(() => response.text()).catch(() => "");
       }
       if (!contentType || /^text\/|charset=utf-8$/.test(contentType)) {
         return response.text();
@@ -2973,7 +2991,9 @@ var import_core = __toESM(require_core(), 1);
 
 // lib/post.js
 async function post(core2, request2) {
-  const skipTokenRevoke = Boolean(core2.getInput("skip_token_revoke"));
+  const skipTokenRevoke = Boolean(
+    core2.getInput("skip-token-revoke") || core2.getInput("skip_token_revoke")
+  );
   if (skipTokenRevoke) {
     core2.info("Token revocation was skipped");
     return;

lib/main.js

@@ -1,3 +1,4 @@
+import pRetry from "p-retry";
 // @ts-check
 
 /**
@@ -75,46 +76,26 @@ export async function main(
 
   let authentication;
   // If at least one repository is set, get installation ID from that repository
-  // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
+
   if (parsedRepositoryNames) {
-    const response = await request("GET /repos/{owner}/{repo}/installation", {
-      owner: parsedOwner,
-      repo: parsedRepositoryNames.split(",")[0],
-      headers: {
-        authorization: `bearer ${appAuthentication.token}`,
+    authentication = await pRetry(() => getTokenFromRepository(request, auth, parsedOwner,appAuthentication, parsedRepositoryNames), {
+      onFailedAttempt: (error) => {
+        core.info(
+          `Failed to create token for "${parsedRepositoryNames}" (attempt ${error.attemptNumber}): ${error.message}`
+        );
       },
+      retries: 3,
     });
 
-    // Get token for given repositories
-    authentication = await auth({
-      type: "installation",
-      installationId: response.data.id,
-      repositoryNames: parsedRepositoryNames.split(","),
-    });
   } else {
     // Otherwise get the installation for the owner, which can either be an organization or a user account
-    // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
-    const response = await request("GET /orgs/{org}/installation", {
-      org: parsedOwner,
-      headers: {
-        authorization: `bearer ${appAuthentication.token}`,
+    authentication = await pRetry(() => getTokenFromOwner(request, auth, appAuthentication, parsedOwner), {
+      onFailedAttempt: (error) => {
+        core.info(
+          `Failed to create token for "${parsedOwner}" (attempt ${error.attemptNumber}): ${error.message}`
+        );
       },
-    }).catch((error) => {
-      if (error.status !== 404) throw error;
-
-      // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app
-      return request("GET /users/{username}/installation", {
-        username: parsedOwner,
-        headers: {
-          authorization: `bearer ${appAuthentication.token}`,
-        },
-      });
-    });
-
-    // Get token for for all repositories of the given installation
-    authentication = await auth({
-      type: "installation",
-      installationId: response.data.id,
+      retries: 3,
     });
   }
 
@@ -122,9 +103,57 @@ export async function main(
   core.setSecret(authentication.token);
 
   core.setOutput("token", authentication.token);
-  
+
   // Make token accessible to post function (so we can invalidate it)
   if (!skipTokenRevoke) {
     core.saveState("token", authentication.token);
   }
 }
+
+async function getTokenFromOwner(request, auth, appAuthentication, parsedOwner) {
+  // https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-an-organization-installation-for-the-authenticated-app
+  const response = await request("GET /orgs/{org}/installation", {
+    org: parsedOwner,
+    headers: {
+      authorization: `bearer ${appAuthentication.token}`,
+    },
+  }).catch((error) => {
+    /* c8 ignore next */
+    if (error.status !== 404) throw error;
+
+    // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app
+    return request("GET /users/{username}/installation", {
+      username: parsedOwner,
+      headers: {
+        authorization: `bearer ${appAuthentication.token}`,
+      },
+    });
+  });
+
+  // Get token for for all repositories of the given installation
+  const authentication = await auth({
+    type: "installation",
+    installationId: response.data.id,
+  });
+  return authentication;
+}
+
+async function getTokenFromRepository(request, auth, parsedOwner,appAuthentication, parsedRepositoryNames) {
+  // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
+  const response = await request("GET /repos/{owner}/{repo}/installation", {
+    owner: parsedOwner,
+    repo: parsedRepositoryNames.split(",")[0],
+    headers: {
+      authorization: `bearer ${appAuthentication.token}`,
+    },
+  });
+
+  // Get token for given repositories
+  const authentication = await auth({
+    type: "installation",
+    installationId: response.data.id,
+    repositoryNames: parsedRepositoryNames.split(","),
+  });
+
+  return authentication;
+}

lib/post.js

@@ -5,7 +5,9 @@
  * @param {import("@octokit/request").request} request
  */
 export async function post(core, request) {
-  const skipTokenRevoke = Boolean(core.getInput("skip_token_revoke"));
+  const skipTokenRevoke = Boolean(
+    core.getInput("skip-token-revoke") || core.getInput("skip_token_revoke")
+  );
 
   if (skipTokenRevoke) {
     core.info("Token revocation was skipped");

main.js

@@ -14,12 +14,22 @@ if (!process.env.GITHUB_REPOSITORY_OWNER) {
   throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
 }
 
-const appId = core.getInput("app_id");
-const privateKey = core.getInput("private_key");
+const appId = core.getInput("app-id") || core.getInput("app_id");
+if (!appId) {
+  // The 'app_id' input was previously required, but it and 'app-id' are both optional now, until the former is removed. Still, we want to ensure that at least one of them is set.
+  throw new Error("Input required and not supplied: app-id");
+}
+const privateKey = core.getInput("private-key") || core.getInput("private_key");
+if (!privateKey) {
+  // The 'private_key' input was previously required, but it and 'private-key' are both optional now, until the former is removed. Still, we want to ensure that at least one of them is set.
+  throw new Error("Input required and not supplied: private-key");
+}
 const owner = core.getInput("owner");
 const repositories = core.getInput("repositories");
 
-const skipTokenRevoke = Boolean(core.getInput("skip_token_revoke"));
+const skipTokenRevoke = Boolean(
+  core.getInput("skip-token-revoke") || core.getInput("skip_token_revoke")
+);
 
 main(
   appId,
@@ -33,6 +43,7 @@ main(
   }),
   skipTokenRevoke
 ).catch((error) => {
+  /* c8 ignore next 3 */
   console.error(error);
   core.setFailed(error.message);
 });

package.json

@@ -2,24 +2,30 @@
   "name": "create-github-app-token",
   "private": true,
   "type": "module",
-  "version": "1.4.0",
+  "version": "1.6.1",
   "description": "GitHub Action for creating a GitHub App Installation Access Token",
   "scripts": {
-    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node16.16",
-    "test": "ava tests/index.js"
+    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0",
+    "test": "c8 --100 ava tests/index.js",
+    "coverage": "c8 report --reporter html",
+    "postcoverage": "open-cli coverage/index.html"
   },
   "license": "MIT",
   "dependencies": {
     "@actions/core": "^1.10.1",
     "@octokit/auth-app": "^6.0.1",
-    "@octokit/request": "^8.1.2"
+    "@octokit/request": "^8.1.6",
+    "p-retry": "^6.1.0"
   },
   "devDependencies": {
     "ava": "^5.3.1",
+    "c8": "^8.0.1",
     "dotenv": "^16.3.1",
-    "esbuild": "^0.19.4",
+    "esbuild": "^0.19.8",
     "execa": "^8.0.1",
-    "undici": "^5.25.2"
+    "open-cli": "^7.2.0",
+    "undici": "^5.28.2",
+    "yaml": "^2.3.4"
   },
   "release": {
     "branches": [

post.js

@@ -11,6 +11,7 @@ post(
     baseUrl: process.env["GITHUB_API_URL"],
   })
 ).catch((error) => {
+  /* c8 ignore next 3 */
   console.error(error);
   core.setFailed(error.message);
 });

tests/action-deprecated-inputs.test.js

@@ -0,0 +1,16 @@
+import { readFileSync } from "node:fs";
+import * as url from "node:url";
+import YAML from "yaml";
+
+const action = YAML.parse(
+  readFileSync(
+    url.fileURLToPath(new URL("../action.yml", import.meta.url)),
+    "utf8"
+  )
+);
+
+for (const [key, value] of Object.entries(action.inputs)) {
+  if ("deprecationMessage" in value) {
+    console.log(`${key} — ${value.deprecationMessage}`);
+  }
+}

tests/index.js

@@ -7,7 +7,12 @@ const tests = readdirSync("tests").filter((file) => file.endsWith(".test.js"));
 
 for (const file of tests) {
   test(file, async (t) => {
-    const { stderr, stdout } = await execa("node", [`tests/${file}`]);
+    // Override Actions environment variables that change `core`’s behavior
+    const env = {
+      GITHUB_OUTPUT: undefined,
+      GITHUB_STATE: undefined,
+    };
+    const { stderr, stdout } = await execa("node", [`tests/${file}`], { env });
     t.snapshot(stderr, "stderr");
     t.snapshot(stdout, "stdout");
   });

tests/main-missing-app-id.test.js

@@ -0,0 +1,9 @@
+process.env.GITHUB_REPOSITORY_OWNER = "actions";
+process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+
+// Verify `main` exits with an error when neither the `app-id` nor `app_id` input is set.
+try {
+  await import("../main.js");
+} catch (error) {
+  console.error(error.message);
+}

tests/main-missing-owner.test.js

@@ -0,0 +1,9 @@
+process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+delete process.env.GITHUB_REPOSITORY_OWNER;
+
+// Verify `main` exits with an error when `GITHUB_REPOSITORY_OWNER` is missing.
+try {
+  await import("../main.js");
+} catch (error) {
+  console.error(error.message);
+}

tests/main-missing-private-key.test.js

@@ -0,0 +1,10 @@
+process.env.GITHUB_REPOSITORY_OWNER = "actions";
+process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+process.env["INPUT_APP-ID"] = "123456";
+
+// Verify `main` exits with an error when neither the `private-key` nor `private_key` input is set.
+try {
+  await import("../main.js");
+} catch (error) {
+  console.error(error.message);
+}

tests/main-missing-repository.test.js

@@ -0,0 +1,8 @@
+delete process.env.GITHUB_REPOSITORY;
+
+// Verify `main` exits with an error when `GITHUB_REPOSITORY` is missing.
+try {
+  await import("../main.js");
+} catch (error) {
+  console.error(error.message);
+}

tests/main-token-get-owner-set-repo-fail-response.test.js

@@ -0,0 +1,39 @@
+import { test } from "./main.js";
+
+// Verify `main` retry when  the GitHub API returns a 500 error.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = 'actions'
+  process.env.INPUT_REPOSITORIES = 'failed-repo';
+  const owner = process.env.INPUT_OWNER
+  const repo = process.env.INPUT_REPOSITORIES
+  const mockInstallationId = "123456";
+
+  mockPool
+    .intercept({
+      path: `/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(500, 'GitHub API not available')
+    
+    mockPool
+    .intercept({
+      path: `/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId },
+      { headers: { "content-type": "application/json" } }
+    );
+
+});

tests/main-token-get-owner-set-repo-set-to-many.test.js

@@ -0,0 +1,7 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` and `repositories` inputs are set (and the latter is a list of repos).
+await test(() => {
+  process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
+  process.env.INPUT_REPOSITORIES = `${process.env.GITHUB_REPOSITORY},actions/toolkit`;
+});

tests/main-token-get-owner-set-repo-set-to-one.test.js

@@ -0,0 +1,7 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` and `repositories` inputs are set (and the latter is a single repo).
+await test(() => {
+  process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
+  process.env.INPUT_REPOSITORIES = process.env.GITHUB_REPOSITORY;
+});

tests/main-token-get-owner-set-to-org-repo-unset.test.js

@@ -0,0 +1,25 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` input is set (to an org), but the `repositories` input isn’t set.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
+  delete process.env.INPUT_REPOSITORIES;
+
+  // Mock installation id request
+  const mockInstallationId = "123456";
+  mockPool
+    .intercept({
+      path: `/orgs/${process.env.INPUT_OWNER}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main-token-get-owner-set-to-user-fail-response.test.js

@@ -0,0 +1,36 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` input is set (to a user), but the `repositories` input isn’t set.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = "smockle";
+  delete process.env.INPUT_REPOSITORIES;
+
+  // Mock installation id request
+  const mockInstallationId = "123456";
+  mockPool
+    .intercept({
+      path: `/orgs/${process.env.INPUT_OWNER}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(500, 'GitHub API not available')
+    mockPool
+    .intercept({
+      path: `/orgs/${process.env.INPUT_OWNER}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main-token-get-owner-set-to-user-repo-unset.test.js

@@ -0,0 +1,36 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` input is set (to a user), but the `repositories` input isn’t set.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = "smockle";
+  delete process.env.INPUT_REPOSITORIES;
+
+  // Mock installation id request
+  const mockInstallationId = "123456";
+  mockPool
+    .intercept({
+      path: `/orgs/${process.env.INPUT_OWNER}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(404);
+  mockPool
+    .intercept({
+      path: `/users/${process.env.INPUT_OWNER}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main-token-get-owner-unset-repo-set.test.js

@@ -0,0 +1,7 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` input is not set, but the `repositories` input is set.
+await test(() => {
+  delete process.env.INPUT_OWNER;
+  process.env.INPUT_REPOSITORIES = process.env.GITHUB_REPOSITORY;
+});

tests/main-token-get-owner-unset-repo-unset.test.js

@@ -0,0 +1,25 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when neither the `owner` nor `repositories` input is set.
+await test((mockPool) => {
+  delete process.env.INPUT_OWNER;
+  delete process.env.INPUT_REPOSITORIES;
+
+  // Mock installation id request
+  const mockInstallationId = "123456";
+  mockPool
+    .intercept({
+      path: `/repos/${process.env.GITHUB_REPOSITORY}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main.js

@@ -0,0 +1,96 @@
+// Base for all `main` tests.
+// @ts-check
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+export async function test(cb = (_mockPool) => {}) {
+  // Set required environment variables and inputs
+  process.env.GITHUB_REPOSITORY_OWNER = "actions";
+  process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+  // inputs are set as environment variables with the prefix INPUT_
+  // https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+  process.env["INPUT_APP-ID"] = "123456";
+  process.env["INPUT_PRIVATE-KEY"] = `-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA280nfuUM9w00Ib9E2rvZJ6Qu3Ua3IqR34ZlK53vn/Iobn2EL
+Z9puc5Q/nFBU15NKwHyQNb+OG2hTCkjd1Xi9XPzEOH1r42YQmTGq8YCkUSkk6KZA
+5dnhLwN9pFquT9fQgrf4r1D5GJj3rqvj8JDr1sBmunArqY5u4gziSrIohcjLIZV0
+cIMz/RUIMe/EAsNeiwzEteHAtf/WpMs+OfF94SIUrDlkPr0H0H3DER8l1HZAvE0e
+eD3ZJ6njrF6UHQWDVrekSTB0clpVTTU9TMpe+gs2nnFww9G8As+WsW8xHVjVipJy
+AwqBhiR+s7wlcbh2i0NQqt8GL9/jIFTmleiwsQIDAQABAoIBAHNyP8pgl/yyzKzk
+/0871wUBMTQ7zji91dGCaFtJM0HrcDK4D/uOOPEv7nE1qDpKPLr5Me1pHUS7+NGw
+EAPtlNhgUtew2JfppdIwyi5qeOPADoi7ud6AH8xHsxg+IMwC+JuP8WhzyUHoJj9y
+PRi/pX94Mvy9qdE25HqKddjx1mLdaHhxqPkr16/em23uYZqm1lORsCPD3vTlthj7
+WiEbBSqmpYvjj8iFP4yFk2N+LvuWgSilRzq1Af3qE7PUp4xhjmcOPs78Sag1T7nl
+ww/pgqCegISABHik7j++/5T+UlI5cLsyp/XENU9zAd4kCIczwNKpun2bn+djJdft
+ravyX4ECgYEA+k2mHfi1zwKF3wT+cJbf30+uXrJczK2yZ33//4RKnhBaq7nSbQAI
+nhWz2JESBK0TEo0+L7yYYq3HnT9vcES5R1NxzruH9wXgxssSx3JUj6w1raXYPh3B
++1XpYQsa6/bo2LmBELEx47F8FQbNgD5dmTJ4jBrf6MV4rRh9h6Bs7UkCgYEA4M3K
+eAw52c2MNMIxH/LxdOQtEBq5GMu3AQC8I64DSSRrAoiypfEgyTV6S4gWJ5TKgYfD
+zclnOVJF+tITe3neO9wHoZp8iCjCnoijcT6p2cJ4IaW68LEHPOokWBk0EpLjF4p2
+7sFi9+lUpXYXfCN7aMJ77QpGzB7dNsBf0KUxMCkCgYEAjw/mjGbk82bLwUaHby6s
+0mQmk7V6WPpGZ+Sadx7TzzglutVAslA8nK5m1rdEBywtJINaMcqnhm8xEm15cj+1
+blEBUVnaQpQ3fyf+mcR9FIknPRL3X7l+b/sQowjH4GqFd6m/XR0KGMwO0a3Lsyry
+MGeqgtmxdMe5S6YdyXEmERECgYAgQsgklDSVIh9Vzux31kh6auhgoEUh3tJDbZSS
+Vj2YeIZ21aE1mTYISglj34K2aW7qSc56sMWEf18VkKJFHQccdgYOVfo7HAZZ8+fo
+r4J2gqb0xTDfq7gLMNrIXc2QQM4gKbnJp60JQM3p9NmH8huavBZGvSvNzTwXyGG3
+so0tiQKBgGQXZaxaXhYUcxYHuCkQ3V4Vsj3ezlM92xXlP32SGFm3KgFhYy9kATxw
+Cax1ytZzvlrKLQyQFVK1COs2rHt7W4cJ7op7C8zXfsigXCiejnS664oAuX8sQZID
+x3WQZRiXlWejSMUAHuMwXrhGlltF3lw83+xAjnqsVp75kGS6OH61
+-----END RSA PRIVATE KEY-----`; // This key is invalidated. It’s from https://github.com/octokit/auth-app.js/issues/465#issuecomment-1564998327.
+
+  // Set up mocking
+  const mockAgent = new MockAgent();
+  mockAgent.disableNetConnect();
+  setGlobalDispatcher(mockAgent);
+  const mockPool = mockAgent.get("https://api.github.com");
+
+  // Calling `auth({ type: "app" })` to obtain a JWT doesn’t make network requests, so no need to intercept.
+
+  // Mock installation id request
+  const mockInstallationId = "123456";
+  const owner = process.env.INPUT_OWNER ?? process.env.GITHUB_REPOSITORY_OWNER;
+  const repo = encodeURIComponent(
+    (process.env.INPUT_REPOSITORIES ?? process.env.GITHUB_REPOSITORY).split(
+      ","
+    )[0]
+  );
+  mockPool
+    .intercept({
+      path: `/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId },
+      { headers: { "content-type": "application/json" } }
+    );
+
+  // Mock installation access token request
+  const mockInstallationAccessToken =
+    "ghs_16C7e42F292c6912E7710c838347Ae178B4a"; // This token is invalidated. It’s from https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app.
+  mockPool
+    .intercept({
+      path: `/app/installations/${mockInstallationId}/access_tokens`,
+      method: "POST",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Note: Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      201,
+      { token: mockInstallationAccessToken },
+      { headers: { "content-type": "application/json" } }
+    );
+
+  // Run the callback
+  cb(mockPool);
+
+  // Run the main script
+  await import("../main.js");
+}

tests/post-token-skipped.test.js

@@ -6,7 +6,7 @@ process.env.STATE_token = "secret123";
 
 // inputs are set as environment variables with the prefix INPUT_
 // https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
-process.env.INPUT_SKIP_TOKEN_REVOKE = "true";
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "true";
 
 const mockAgent = new MockAgent();
 

tests/snapshots/index.js.md

@@ -4,6 +4,172 @@ The actual snapshot is saved in `index.js.snap`.
 
 Generated by [AVA](https://avajs.dev).
 
+## action-deprecated-inputs.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `app_id — 'app_id' is deprecated and will be removed in a future version. Use 'app-id' instead.␊
+    private_key — 'private_key' is deprecated and will be removed in a future version. Use 'private-key' instead.␊
+    skip_token_revoke — 'skip_token_revoke' is deprecated and will be removed in a future version. Use 'skip-token-revoke' instead.`
+
+## main-missing-app-id.test.js
+
+> stderr
+
+    'Input required and not supplied: app-id'
+
+> stdout
+
+    ''
+
+## main-missing-owner.test.js
+
+> stderr
+
+    'GITHUB_REPOSITORY_OWNER missing, must be set to \'<owner>\''
+
+> stdout
+
+    ''
+
+## main-missing-private-key.test.js
+
+> stderr
+
+    'Input required and not supplied: private-key'
+
+> stdout
+
+    ''
+
+## main-missing-repository.test.js
+
+> stderr
+
+    'GITHUB_REPOSITORY missing, must be set to \'<owner>/<repo>\''
+
+> stdout
+
+    ''
+
+## main-token-get-owner-set-repo-fail-response.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `owner and repositories set, creating token for repositories "failed-repo" owned by "actions"␊
+    Failed to create token for "failed-repo" (attempt 1): GitHub API not available␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+
+## main-token-get-owner-set-repo-set-to-many.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `owner and repositories set, creating token for repositories "actions/create-github-app-token,actions/toolkit" owned by "actions"␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+
+## main-token-get-owner-set-repo-set-to-one.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `owner and repositories set, creating token for repositories "actions/create-github-app-token" owned by "actions"␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+
+## main-token-get-owner-set-to-org-repo-unset.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `repositories not set, creating token for all repositories for given owner "actions"␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+
+## main-token-get-owner-set-to-user-fail-response.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `repositories not set, creating token for all repositories for given owner "smockle"␊
+    Failed to create token for "smockle" (attempt 1): GitHub API not available␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+
+## main-token-get-owner-set-to-user-repo-unset.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `repositories not set, creating token for all repositories for given owner "smockle"␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+
+## main-token-get-owner-unset-repo-set.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `owner not set, creating owner for given repositories "actions/create-github-app-token" in current owner ("actions")␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+
+## main-token-get-owner-unset-repo-unset.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `owner and repositories not set, creating token for the current repository ("create-github-app-token")␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+
 ## post-token-set.test.js
 
 > stderr