build(release): 1.10.3 [skip ci]

## [1.10.3](https://github.com/actions/create-github-app-token/compare/v1.10.2...v1.10.3) (2024-07-01)

### Bug Fixes

* **deps:** bump undici from 6.18.2 to 6.19.2 in the production-dependencies group ([#149](https://github.com/actions/create-github-app-token/issues/149)) ([cc82279](https://github.com/actions/create-github-app-token/commit/cc82279e84540c5543078cedc5af4fcfab0a96bb)), closes [#3337](https://github.com/actions/create-github-app-token/issues/3337) [nodejs/undici#3338](https://github.com/nodejs/undici/issues/3338) [nodejs/undici#3340](https://github.com/nodejs/undici/issues/3340) [nodejs/undici#3332](https://github.com/nodejs/undici/issues/3332) [nodejs/undici#3335](https://github.com/nodejs/undici/issues/3335) [nodejs/undici#3305](https://github.com/nodejs/undici/issues/3305) [nodejs/undici#3303](https://github.com/nodejs/undici/issues/3303) [nodejs/undici#3304](https://github.com/nodejs/undici/issues/3304) [nodejs/undici#3306](https://github.com/nodejs/undici/issues/3306) [nodejs/undici#3309](https://github.com/nodejs/undici/issues/3309) [nodejs/undici#3313](https://github.com/nodejs/undici/issues/3313) [nodejs/undici#3311](https://github.com/nodejs/undici/issues/3311) [nodejs/undici#3107](https://github.com/nodejs/undici/issues/3107) [nodejs/undici#3302](https://github.com/nodejs/undici/issues/3302) [nodejs/undici#3320](https://github.com/nodejs/undici/issues/3320) [nodejs/undici#3321](https://github.com/nodejs/undici/issues/3321) [nodejs/undici#3316](https://github.com/nodejs/undici/issues/3316) [nodejs/undici#3318](https://github.com/nodejs/undici/issues/3318) [nodejs/undici#3326](https://github.com/nodejs/undici/issues/3326) [nodejs/undici#3324](https://github.com/nodejs/undici/issues/3324) [nodejs/undici#3325](https://github.com/nodejs/undici/issues/3325) [nodejs/undici#3316](https://github.com/nodejs/undici/issues/3316) [nodejs/undici#3318](https://github.com/nodejs/undici/issues/3318) [#3342](https://github.com/actions/create-github-app-token/issues/3342) [#3332](https://github.com/actions/create-github-app-token/issues/3332) [#3340](https://github.com/actions/create-github-app-token/issues/3340) [#3337](https://github.com/actions/create-github-app-token/issues/3337) [#3338](https://github.com/actions/create-github-app-token/issues/3338) [#3336](https://github.com/actions/create-github-app-token/issues/3336) [#3335](https://github.com/actions/create-github-app-token/issues/3335) [#3325](https://github.com/actions/create-github-app-token/issues/3325) [#3324](https://github.com/actions/create-github-app-token/issues/3324) [#3326](https://github.com/actions/create-github-app-token/issues/3326)

README.md

@@ -12,10 +12,17 @@ In order to use this action, you need to:
 2. [Store the App's ID in your repository environment variables](https://docs.github.com/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_ID`)
 3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets?tool=webui#creating-encrypted-secrets-for-a-repository) (example: `PRIVATE_KEY`)
 
+> [!IMPORTANT]  
+> An installation access token expires after 1 hour. Please [see this comment](https://github.com/actions/create-github-app-token/issues/121#issuecomment-2043214796) for alternative approaches if you have long-running processes.
+
 ### Create a token for the current repository
 
 ```yaml
-on: [issues]
+name: Run tests on staging
+on:
+  push:
+    branches:
+      - main
 
 jobs:
   hello-world:
@@ -26,11 +33,9 @@ jobs:
         with:
           app-id: ${{ vars.APP_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
-      - uses: peter-evans/create-or-update-comment@v3
+      - uses: ./actions/staging-tests
         with:
           token: ${{ steps.app-token.outputs.token }}
-          issue-number: ${{ github.event.issue.number }}
-          body: "Hello, World!"
 ```
 
 ### Use app token with `actions/checkout`
@@ -59,6 +64,64 @@ jobs:
           github_token: ${{ steps.app-token.outputs.token }}
 ```
 
+### Create a git committer string for an app installation
+
+```yaml
+on: [pull_request]
+
+jobs:
+  auto-format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          # required
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+      - name: Retrieve GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.generate-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - id: committer
+        run: echo "string=${{steps.app-token.outputs.app-slug}}[bot] <${{steps.get-user-id.outputs.user-id}}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"  >> "$GITHUB_OUTPUT"
+      - run: echo "committer string is ${{steps.committer.outputs.string}}"
+```
+
+### Configure git CLI for an app's bot user
+
+```yaml
+on: [pull_request]
+
+jobs:
+  auto-format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          # required
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+      - name: Retrieve GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.generate-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - run: |
+          git config --global user.name '${{steps.app-token.outputs.app-slug}}[bot]'
+          git config --global user.email '${{steps.get-user-id.outputs.user-id}}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
+      # git commands like commit work using the bot user
+      - run: |
+          git add .
+          git commit -m "Auto-generated changes"
+          git push
+```
+
+The `<BOT USER ID>` is the numeric user ID of the app's bot user, which can be found under `https://api.github.com/users/<app-slug>%5Bbot%5D`.
+For example, we can check at `https://api.github.com/users/dependabot%5Bbot%5D` to see the user ID of dependabot is 49699333.
+
 ### Create a token for all repositories in the current owner's installation
 
 ```yaml
@@ -146,7 +209,7 @@ jobs:
         run: echo 'matrix=[{"owner":"owner1"},{"owner":"owner2","repos":["repo1"]}]' >>"$GITHUB_OUTPUT"
 
   use-matrix:
-    name: '@${{ matrix.owners-and-repos.owner }} installation'
+    name: "@${{ matrix.owners-and-repos.owner }} installation"
     needs: [set-matrix]
     runs-on: ubuntu-latest
     strategy:
@@ -157,8 +220,8 @@ jobs:
       - uses: actions/create-github-app-token@v1
         id: app-token
         with:
-          app_id: ${{ vars.APP_ID }}
-          private_key: ${{ secrets.PRIVATE_KEY }}
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
           owner: ${{ matrix.owners-and-repos.owner }}
           repositories: ${{ join(matrix.owners-and-repos.repos) }}
       - uses: octokit/request-action@v2.x
@@ -172,6 +235,35 @@ jobs:
           MULTILINE_JSON_STRING: ${{ steps.get-installation-repositories.outputs.data }}
 ```
 
+### Run the workflow in a github.com repository against an organization in GitHub Enterprise Server
+
+```yaml
+on: [push]
+
+jobs:
+  create_issue:
+    runs-on: self-hosted
+
+    steps:
+    - name: Create GitHub App token
+      id: create_token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ vars.GHES_APP_ID }}
+        private-key: ${{ secrets.GHES_APP_PRIVATE_KEY }}
+        owner: ${{ vars.GHES_INSTALLATION_ORG }}
+        github-api-url: ${{ vars.GITHUB_API_URL }}
+
+    - name: Create issue
+      uses: octokit/request-action@v2.x
+      with:
+        route: POST /repos/${{ github.repository }}/issues
+        title: "New issue from workflow"
+        body: "This is a new issue created from a GitHub Action workflow."
+      env:
+        GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}
+```
+
 ## Inputs
 
 ### `app-id`
@@ -180,11 +272,11 @@ jobs:
 
 ### `private-key`
 
-**Required:** GitHub App private key.
+**Required:** GitHub App private key. Escaped newlines (`\\n`) will be automatically replaced with actual newlines.
 
 ### `owner`
 
-**Optional:** GitHub App installation owner. If empty, defaults to the current repository owner.
+**Optional:** The owner of the GitHub App installation. If empty, defaults to the current repository owner.
 
 ### `repositories`
 
@@ -197,12 +289,24 @@ jobs:
 
 **Optional:** If truthy, the token will not be revoked when the current job is complete.
 
+### `github-api-url`
+
+**Optional:** The URL of the GitHub REST API. Defaults to the URL of the GitHub Rest API where the workflow is run from.
+
 ## Outputs
 
 ### `token`
 
 GitHub App installation access token.
 
+### `installation-id`
+
+GitHub App installation ID.
+
+### `app-slug`
+
+GitHub App slug.
+
 ## How it works
 
 The action creates an installation access token using [the `POST /app/installations/{installation_id}/access_tokens` endpoint](https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app). By default,

action.yml

@@ -20,7 +20,7 @@ inputs:
     required: false
     deprecationMessage: "'private_key' is deprecated and will be removed in a future version. Use 'private-key' instead."
   owner:
-    description: "GitHub App owner (defaults to current repository owner)"
+    description: "The owner of the GitHub App installation (defaults to current repository owner)"
     required: false
   repositories:
     description: "Repositories to install the GitHub App on (defaults to current repository if owner is unset)"
@@ -32,9 +32,18 @@ inputs:
     description: "If truthy, the token will not be revoked when the current job is complete"
     required: false
     deprecationMessage: "'skip_token_revoke' is deprecated and will be removed in a future version. Use 'skip-token-revoke' instead."
+  # Make GitHub API configurable to support non-GitHub Cloud use cases
+  # see https://github.com/actions/create-github-app-token/issues/77
+  github-api-url:
+    description: The URL of the GitHub REST API.
+    default: ${{ github.api_url }}
 outputs:
   token:
     description: "GitHub installation access token"
+  installation-id:
+    description: "GitHub App installation ID"
+  app-slug:
+    description: "GitHub App slug"
 runs:
   using: "node20"
   main: "dist/main.cjs"

lib/main.js

@@ -70,52 +70,50 @@ export async function main(
     request,
   });
 
-  const appAuthentication = await auth({
-    type: "app",
-  });
-
-  let authentication;
+  let authentication, installationId, appSlug;
   // If at least one repository is set, get installation ID from that repository
 
   if (parsedRepositoryNames) {
-    authentication = await pRetry(() => getTokenFromRepository(request, auth, parsedOwner,appAuthentication, parsedRepositoryNames), {
+    ({ authentication, installationId, appSlug } = await pRetry(() => getTokenFromRepository(request, auth, parsedOwner, parsedRepositoryNames), {
       onFailedAttempt: (error) => {
         core.info(
           `Failed to create token for "${parsedRepositoryNames}" (attempt ${error.attemptNumber}): ${error.message}`
         );
       },
       retries: 3,
-    });
-
+    }));
   } else {
     // Otherwise get the installation for the owner, which can either be an organization or a user account
-    authentication = await pRetry(() => getTokenFromOwner(request, auth, appAuthentication, parsedOwner), {
+    ({ authentication, installationId, appSlug } = await pRetry(() => getTokenFromOwner(request, auth, parsedOwner), {
       onFailedAttempt: (error) => {
         core.info(
           `Failed to create token for "${parsedOwner}" (attempt ${error.attemptNumber}): ${error.message}`
         );
       },
       retries: 3,
-    });
+    }));
   }
 
   // Register the token with the runner as a secret to ensure it is masked in logs
   core.setSecret(authentication.token);
 
   core.setOutput("token", authentication.token);
+  core.setOutput("installation-id", installationId);
+  core.setOutput("app-slug", appSlug);
 
   // Make token accessible to post function (so we can invalidate it)
   if (!skipTokenRevoke) {
     core.saveState("token", authentication.token);
+    core.saveState("expiresAt", authentication.expiresAt);
   }
 }
 
-async function getTokenFromOwner(request, auth, appAuthentication, parsedOwner) {
+async function getTokenFromOwner(request, auth, parsedOwner) {
   // https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-an-organization-installation-for-the-authenticated-app
   const response = await request("GET /orgs/{org}/installation", {
     org: parsedOwner,
-    headers: {
-      authorization: `bearer ${appAuthentication.token}`,
+    request: {
+      hook: auth.hook,
     },
   }).catch((error) => {
     /* c8 ignore next */
@@ -124,8 +122,8 @@ async function getTokenFromOwner(request, auth, appAuthentication, parsedOwner)
     // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app
     return request("GET /users/{username}/installation", {
       username: parsedOwner,
-      headers: {
-        authorization: `bearer ${appAuthentication.token}`,
+      request: {
+        hook: auth.hook,
       },
     });
   });
@@ -135,16 +133,20 @@ async function getTokenFromOwner(request, auth, appAuthentication, parsedOwner)
     type: "installation",
     installationId: response.data.id,
   });
-  return authentication;
+
+  const installationId = response.data.id;
+  const appSlug = response.data['app_slug'];
+
+  return { authentication, installationId, appSlug };
 }
 
-async function getTokenFromRepository(request, auth, parsedOwner,appAuthentication, parsedRepositoryNames) {
+async function getTokenFromRepository(request, auth, parsedOwner, parsedRepositoryNames) {
   // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
   const response = await request("GET /repos/{owner}/{repo}/installation", {
     owner: parsedOwner,
     repo: parsedRepositoryNames.split(",")[0],
-    headers: {
-      authorization: `bearer ${appAuthentication.token}`,
+    request: {
+      hook: auth.hook,
     },
   });
 
@@ -155,5 +157,8 @@ async function getTokenFromRepository(request, auth, parsedOwner,appAuthenticati
     repositoryNames: parsedRepositoryNames.split(","),
   });
 
-  return authentication;
-}
+  const installationId = response.data.id;
+  const appSlug = response.data['app_slug'];
+
+  return { authentication, installationId, appSlug };
+ }

lib/post.js

@@ -21,11 +21,31 @@ export async function post(core, request) {
     return;
   }
 
-  await request("DELETE /installation/token", {
-    headers: {
-      authorization: `token ${token}`,
-    },
-  });
+  const expiresAt = core.getState("expiresAt");
+  if (expiresAt && tokenExpiresIn(expiresAt) < 0) {
+    core.info("Token expired, skipping token revocation");
+    return;
+  }
 
-  core.info("Token revoked");
+  try {
+    await request("DELETE /installation/token", {
+      headers: {
+        authorization: `token ${token}`,
+      },
+    });
+    core.info("Token revoked");
+  } catch (error) {
+    core.warning(
+      `Token revocation failed: ${error.message}`)
+  }
+}
+
+/**
+ * @param {string} expiresAt
+ */
+function tokenExpiresIn(expiresAt) {
+  const now = new Date();
+  const expiresAtDate = new Date(expiresAt);
+
+  return Math.round((expiresAtDate.getTime() - now.getTime()) / 1000);
 }

lib/request.js

@@ -1,8 +1,41 @@
+import core from "@actions/core";
 import { request } from "@octokit/request";
+import { ProxyAgent, fetch as undiciFetch } from "undici";
+
+const baseUrl = core.getInput("github-api-url").replace(/\/$/, "");
+
+// https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners
+const proxyUrl =
+  process.env.https_proxy ||
+  process.env.HTTPS_PROXY ||
+  process.env.http_proxy ||
+  process.env.HTTP_PROXY;
+
+/* c8 ignore start */
+// Native support for proxies in Undici is under consideration: https://github.com/nodejs/undici/issues/1650
+// Until then, we need to use a custom fetch function to add proxy support.
+const proxyFetch = (url, options) => {
+  const urlHost = new URL(url).hostname;
+  const noProxy = (process.env.no_proxy || process.env.NO_PROXY || "").split(
+    ","
+  );
+
+  if (!noProxy.includes(urlHost)) {
+    options = {
+      ...options,
+      dispatcher: new ProxyAgent(String(proxyUrl)),
+    };
+  }
+
+  return undiciFetch(url, options);
+};
+/* c8 ignore stop */
 
 export default request.defaults({
-  baseUrl: process.env["GITHUB_API_URL"],
   headers: {
     "user-agent": "actions/create-github-app-token",
   },
+  baseUrl,
+  /* c8 ignore next */
+  request: proxyUrl ? { fetch: proxyFetch } : {},
 });

main.js

@@ -38,9 +38,7 @@ main(
   repositories,
   core,
   createAppAuth,
-  request.defaults({
-    baseUrl: process.env["GITHUB_API_URL"],
-  }),
+  request,
   skipTokenRevoke
 ).catch((error) => {
   /* c8 ignore next 3 */

package.json

@@ -2,7 +2,7 @@
   "name": "create-github-app-token",
   "private": true,
   "type": "module",
-  "version": "1.6.1",
+  "version": "1.10.3",
   "description": "GitHub Action for creating a GitHub App Installation Access Token",
   "scripts": {
     "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0",
@@ -13,19 +13,20 @@
   "license": "MIT",
   "dependencies": {
     "@actions/core": "^1.10.1",
-    "@octokit/auth-app": "^6.0.1",
-    "@octokit/request": "^8.1.6",
-    "p-retry": "^6.1.0"
+    "@octokit/auth-app": "^7.1.0",
+    "@octokit/request": "^9.0.1",
+    "p-retry": "^6.2.0",
+    "undici": "^6.19.2"
   },
   "devDependencies": {
-    "ava": "^5.3.1",
-    "c8": "^8.0.1",
-    "dotenv": "^16.3.1",
-    "esbuild": "^0.19.8",
-    "execa": "^8.0.1",
-    "open-cli": "^7.2.0",
-    "undici": "^5.28.2",
-    "yaml": "^2.3.4"
+    "@sinonjs/fake-timers": "^11.2.2",
+    "ava": "^6.1.3",
+    "c8": "^9.1.0",
+    "dotenv": "^16.4.5",
+    "esbuild": "^0.21.4",
+    "execa": "^9.1.0",
+    "open-cli": "^8.0.0",
+    "yaml": "^2.4.2"
   },
   "release": {
     "branches": [

post.js

@@ -5,12 +5,7 @@ import core from "@actions/core";
 import { post } from "./lib/post.js";
 import request from "./lib/request.js";
 
-post(
-  core,
-  request.defaults({
-    baseUrl: process.env["GITHUB_API_URL"],
-  })
-).catch((error) => {
+post(core, request).catch((error) => {
   /* c8 ignore next 3 */
   console.error(error);
   core.setFailed(error.message);

tests/main-custom-github-api-url.test.js

@@ -0,0 +1,13 @@
+import { test, DEFAULT_ENV } from "./main.js";
+
+// Verify that main works with a custom GitHub API URL passed as `github-api-url` input
+await test(
+  () => {
+    process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
+    process.env.INPUT_REPOSITORIES = process.env.GITHUB_REPOSITORY;
+  },
+  {
+    ...DEFAULT_ENV,
+    "INPUT_GITHUB-API-URL": "https://github.acme-inc.com/api/v3",
+  }
+);

tests/main-private-key-with-escaped-newlines.js

@@ -0,0 +1,6 @@
+import { test, DEFAULT_ENV } from "./main.js";
+
+// Verify `main` works correctly when `private-key` input has escaped newlines
+await test(() => {
+  process.env['INPUT_PRIVATE-KEY'] = DEFAULT_ENV.PRIVATE_KEY.replace(/\n/g, '\\n')
+});

tests/main-repo-skew.js

@@ -0,0 +1,58 @@
+import { test } from "./main.js";
+
+import { install } from "@sinonjs/fake-timers";
+
+// Verify `main` retry when the clock has drifted.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = 'actions'
+  process.env.INPUT_REPOSITORIES = 'failed-repo';
+  const owner = process.env.INPUT_OWNER
+  const repo = process.env.INPUT_REPOSITORIES
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+
+  install({ now: 0, toFake: ["Date"] });
+
+  mockPool
+    .intercept({
+      path: `/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(({ headers }) => {
+      const [_, jwt] = (headers.authorization || "").split(" ");
+      const payload = JSON.parse(Buffer.from(jwt.split(".")[1], "base64").toString());
+
+      if (payload.iat < 0) {
+        return {
+          statusCode: 401,
+          data: {
+            message: "'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued."
+          },
+          responseOptions: {
+            headers: {
+              "content-type": "application/json",
+              "date": new Date(Date.now() + 30000).toUTCString()
+            }
+          }
+        };
+      }
+
+      return {
+        statusCode: 200,
+        data: {
+          id: mockInstallationId,
+          "app_slug": mockAppSlug
+        },
+        responseOptions: {
+          headers: {
+            "content-type": "application/json"
+          }
+        }
+      };
+    }).times(2);
+});

tests/main-token-get-owner-set-repo-fail-response.test.js

@@ -2,11 +2,12 @@ import { test } from "./main.js";
 
 // Verify `main` retry when  the GitHub API returns a 500 error.
 await test((mockPool) => {
-  process.env.INPUT_OWNER = 'actions'
-  process.env.INPUT_REPOSITORIES = 'failed-repo';
-  const owner = process.env.INPUT_OWNER
-  const repo = process.env.INPUT_REPOSITORIES
+  process.env.INPUT_OWNER = "actions";
+  process.env.INPUT_REPOSITORIES = "failed-repo";
+  const owner = process.env.INPUT_OWNER;
+  const repo = process.env.INPUT_REPOSITORIES;
   const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
 
   mockPool
     .intercept({
@@ -18,9 +19,9 @@ await test((mockPool) => {
         // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
       },
     })
-    .reply(500, 'GitHub API not available')
-    
-    mockPool
+    .reply(500, "GitHub API not available");
+
+  mockPool
     .intercept({
       path: `/repos/${owner}/${repo}/installation`,
       method: "GET",
@@ -32,8 +33,7 @@ await test((mockPool) => {
     })
     .reply(
       200,
-      { id: mockInstallationId },
+      { id: mockInstallationId, "app_slug": mockAppSlug },
       { headers: { "content-type": "application/json" } }
     );
-
 });

tests/main-token-get-owner-set-to-org-repo-unset.test.js

@@ -5,8 +5,9 @@ await test((mockPool) => {
   process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
   delete process.env.INPUT_REPOSITORIES;
 
-  // Mock installation id request
+  // Mock installation id and app slug request
   const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
   mockPool
     .intercept({
       path: `/orgs/${process.env.INPUT_OWNER}/installation`,
@@ -19,7 +20,7 @@ await test((mockPool) => {
     })
     .reply(
       200,
-      { id: mockInstallationId },
+      { id: mockInstallationId, "app_slug": mockAppSlug },
       { headers: { "content-type": "application/json" } }
     );
 });

tests/main-token-get-owner-set-to-user-fail-response.test.js

@@ -5,8 +5,9 @@ await test((mockPool) => {
   process.env.INPUT_OWNER = "smockle";
   delete process.env.INPUT_REPOSITORIES;
 
-  // Mock installation id request
+  // Mock installation ID and app slug request
   const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
   mockPool
     .intercept({
       path: `/orgs/${process.env.INPUT_OWNER}/installation`,
@@ -17,8 +18,8 @@ await test((mockPool) => {
         // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
       },
     })
-    .reply(500, 'GitHub API not available')
-    mockPool
+    .reply(500, "GitHub API not available");
+  mockPool
     .intercept({
       path: `/orgs/${process.env.INPUT_OWNER}/installation`,
       method: "GET",
@@ -30,7 +31,7 @@ await test((mockPool) => {
     })
     .reply(
       200,
-      { id: mockInstallationId },
+      { id: mockInstallationId, "app_slug": mockAppSlug },
       { headers: { "content-type": "application/json" } }
     );
 });

tests/main-token-get-owner-set-to-user-repo-unset.test.js

@@ -5,8 +5,9 @@ await test((mockPool) => {
   process.env.INPUT_OWNER = "smockle";
   delete process.env.INPUT_REPOSITORIES;
 
-  // Mock installation id request
+  // Mock installation ID and app slug request
   const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
   mockPool
     .intercept({
       path: `/orgs/${process.env.INPUT_OWNER}/installation`,
@@ -30,7 +31,7 @@ await test((mockPool) => {
     })
     .reply(
       200,
-      { id: mockInstallationId },
+      { id: mockInstallationId, "app_slug": mockAppSlug },
       { headers: { "content-type": "application/json" } }
     );
 });

tests/main-token-get-owner-unset-repo-unset.test.js

@@ -5,8 +5,9 @@ await test((mockPool) => {
   delete process.env.INPUT_OWNER;
   delete process.env.INPUT_REPOSITORIES;
 
-  // Mock installation id request
+  // Mock installation ID and app slug request
   const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
   mockPool
     .intercept({
       path: `/repos/${process.env.GITHUB_REPOSITORY}/installation`,
@@ -19,7 +20,7 @@ await test((mockPool) => {
     })
     .reply(
       200,
-      { id: mockInstallationId },
+      { id: mockInstallationId, "app_slug": mockAppSlug },
       { headers: { "content-type": "application/json" } }
     );
 });

tests/main.js

@@ -2,14 +2,15 @@
 // @ts-check
 import { MockAgent, setGlobalDispatcher } from "undici";
 
-export async function test(cb = (_mockPool) => {}) {
-  // Set required environment variables and inputs
-  process.env.GITHUB_REPOSITORY_OWNER = "actions";
-  process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+export const DEFAULT_ENV = {
+  GITHUB_REPOSITORY_OWNER: "actions",
+  GITHUB_REPOSITORY: "actions/create-github-app-token",
   // inputs are set as environment variables with the prefix INPUT_
-  // https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
-  process.env["INPUT_APP-ID"] = "123456";
-  process.env["INPUT_PRIVATE-KEY"] = `-----BEGIN RSA PRIVATE KEY-----
+  // https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+  "INPUT_GITHUB-API-URL": "https://api.github.com",
+  "INPUT_APP-ID": "123456",
+  // This key is invalidated. It’s from https://github.com/octokit/auth-app.js/issues/465#issuecomment-1564998327.
+  "INPUT_PRIVATE-KEY": `-----BEGIN RSA PRIVATE KEY-----
 MIIEowIBAAKCAQEA280nfuUM9w00Ib9E2rvZJ6Qu3Ua3IqR34ZlK53vn/Iobn2EL
 Z9puc5Q/nFBU15NKwHyQNb+OG2hTCkjd1Xi9XPzEOH1r42YQmTGq8YCkUSkk6KZA
 5dnhLwN9pFquT9fQgrf4r1D5GJj3rqvj8JDr1sBmunArqY5u4gziSrIohcjLIZV0
@@ -35,27 +36,34 @@ r4J2gqb0xTDfq7gLMNrIXc2QQM4gKbnJp60JQM3p9NmH8huavBZGvSvNzTwXyGG3
 so0tiQKBgGQXZaxaXhYUcxYHuCkQ3V4Vsj3ezlM92xXlP32SGFm3KgFhYy9kATxw
 Cax1ytZzvlrKLQyQFVK1COs2rHt7W4cJ7op7C8zXfsigXCiejnS664oAuX8sQZID
 x3WQZRiXlWejSMUAHuMwXrhGlltF3lw83+xAjnqsVp75kGS6OH61
------END RSA PRIVATE KEY-----`; // This key is invalidated. It’s from https://github.com/octokit/auth-app.js/issues/465#issuecomment-1564998327.
+-----END RSA PRIVATE KEY-----`,
+};
+
+export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
+  for (const [key, value] of Object.entries(env)) {
+    process.env[key] = value;
+  }
 
   // Set up mocking
+  const baseUrl = new URL(env["INPUT_GITHUB-API-URL"]);
+  const basePath = baseUrl.pathname === '/' ? '' : baseUrl.pathname;
   const mockAgent = new MockAgent();
   mockAgent.disableNetConnect();
   setGlobalDispatcher(mockAgent);
-  const mockPool = mockAgent.get("https://api.github.com");
+  const mockPool = mockAgent.get(baseUrl.origin);
 
   // Calling `auth({ type: "app" })` to obtain a JWT doesn’t make network requests, so no need to intercept.
 
-  // Mock installation id request
+  // Mock installation ID and app slug request
   const mockInstallationId = "123456";
-  const owner = process.env.INPUT_OWNER ?? process.env.GITHUB_REPOSITORY_OWNER;
+  const mockAppSlug = "github-actions";
+  const owner = env.INPUT_OWNER ?? env.GITHUB_REPOSITORY_OWNER;
   const repo = encodeURIComponent(
-    (process.env.INPUT_REPOSITORIES ?? process.env.GITHUB_REPOSITORY).split(
-      ","
-    )[0]
+    (env.INPUT_REPOSITORIES ?? env.GITHUB_REPOSITORY).split(",")[0]
   );
   mockPool
     .intercept({
-      path: `/repos/${owner}/${repo}/installation`,
+      path: `${basePath}/repos/${owner}/${repo}/installation`,
       method: "GET",
       headers: {
         accept: "application/vnd.github.v3+json",
@@ -65,16 +73,17 @@ x3WQZRiXlWejSMUAHuMwXrhGlltF3lw83+xAjnqsVp75kGS6OH61
     })
     .reply(
       200,
-      { id: mockInstallationId },
+      { id: mockInstallationId, "app_slug": mockAppSlug },
       { headers: { "content-type": "application/json" } }
     );
 
   // Mock installation access token request
   const mockInstallationAccessToken =
     "ghs_16C7e42F292c6912E7710c838347Ae178B4a"; // This token is invalidated. It’s from https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app.
+  const mockExpiresAt = "2016-07-11T22:14:10Z";
   mockPool
     .intercept({
-      path: `/app/installations/${mockInstallationId}/access_tokens`,
+      path: `${basePath}/app/installations/${mockInstallationId}/access_tokens`,
       method: "POST",
       headers: {
         accept: "application/vnd.github.v3+json",
@@ -84,7 +93,7 @@ x3WQZRiXlWejSMUAHuMwXrhGlltF3lw83+xAjnqsVp75kGS6OH61
     })
     .reply(
       201,
-      { token: mockInstallationAccessToken },
+      { token: mockInstallationAccessToken, expires_at: mockExpiresAt },
       { headers: { "content-type": "application/json" } }
     );
 

tests/post-revoke-token-fail-response.test.js

@@ -0,0 +1,34 @@
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+process.env.STATE_token = "secret123";
+
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+
+// 1 hour in the future, not expired
+process.env.STATE_expiresAt = new Date(
+  Date.now() + 1000 * 60 * 60
+).toISOString();
+
+const mockAgent = new MockAgent();
+
+setGlobalDispatcher(mockAgent);
+
+// Provide the base url to the request
+const mockPool = mockAgent.get("https://api.github.com");
+
+// intercept the request
+mockPool
+  .intercept({
+    path: "/installation/token",
+    method: "DELETE",
+    headers: {
+      authorization: "token secret123",
+    },
+  })
+  .reply(401);
+
+await import("../post.js");

tests/post-token-expired.test.js

@@ -0,0 +1,28 @@
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+process.env.STATE_token = "secret123";
+
+// 1 hour in the past, expired
+process.env.STATE_expiresAt = new Date(Date.now() - 1000 * 60 * 60).toISOString();
+
+const mockAgent = new MockAgent();
+
+setGlobalDispatcher(mockAgent);
+
+// Provide the base url to the request
+const mockPool = mockAgent.get("https://api.github.com");
+
+// intercept the request
+mockPool
+  .intercept({
+    path: "/installation/token",
+    method: "DELETE",
+    headers: {
+      authorization: "token secret123",
+    },
+  })
+  .reply(204);
+
+await import("../post.js");

tests/post-token-set.test.js

@@ -4,6 +4,13 @@ import { MockAgent, setGlobalDispatcher } from "undici";
 // https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
 process.env.STATE_token = "secret123";
 
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+
+// 1 hour in the future, not expired
+process.env.STATE_expiresAt = new Date(Date.now() + 1000 * 60 * 60).toISOString();
+
 const mockAgent = new MockAgent();
 
 setGlobalDispatcher(mockAgent);

tests/snapshots/index.js.md

@@ -16,6 +16,25 @@ Generated by [AVA](https://avajs.dev).
     private_key — 'private_key' is deprecated and will be removed in a future version. Use 'private-key' instead.␊
     skip_token_revoke — 'skip_token_revoke' is deprecated and will be removed in a future version. Use 'skip-token-revoke' instead.`
 
+## main-custom-github-api-url.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    `owner and repositories set, creating token for repositories "actions/create-github-app-token" owned by "actions"␊
+    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
+
 ## main-missing-app-id.test.js
 
 > stderr
@@ -69,7 +88,12 @@ Generated by [AVA](https://avajs.dev).
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-token-get-owner-set-repo-set-to-many.test.js
 
@@ -83,7 +107,12 @@ Generated by [AVA](https://avajs.dev).
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-token-get-owner-set-repo-set-to-one.test.js
 
@@ -97,7 +126,12 @@ Generated by [AVA](https://avajs.dev).
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-token-get-owner-set-to-org-repo-unset.test.js
 
@@ -111,7 +145,12 @@ Generated by [AVA](https://avajs.dev).
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-token-get-owner-set-to-user-fail-response.test.js
 
@@ -126,7 +165,12 @@ Generated by [AVA](https://avajs.dev).
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-token-get-owner-set-to-user-repo-unset.test.js
 
@@ -140,7 +184,12 @@ Generated by [AVA](https://avajs.dev).
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-token-get-owner-unset-repo-set.test.js
 
@@ -154,7 +203,12 @@ Generated by [AVA](https://avajs.dev).
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-token-get-owner-unset-repo-unset.test.js
 
@@ -168,7 +222,32 @@ Generated by [AVA](https://avajs.dev).
     ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
     ␊
     ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a`
+    ␊
+    ::set-output name=installation-id::123456␊
+    ␊
+    ::set-output name=app-slug::github-actions␊
+    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
+
+## post-revoke-token-fail-response.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    '::warning::Token revocation failed: '
+
+## post-token-expired.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    'Token expired, skipping token revocation'
 
 ## post-token-set.test.js