Create debug.yml

Addressing this comment
https://github.com/actions/create-github-app-token/issues/42#issuecomment-2214599409

---------

Co-authored-by: Parker Brown <17183625+parkerbxyz@users.noreply.github.com>

.github/workflows/debug.yml

@@ -0,0 +1,11 @@
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup tmate session
+        uses: mxschmitt/action-tmate@v3
+        env:
+          test_app_private_key: ${{ secrets.TEST_APP_PRIVATE_KEY }}

README.md

@@ -12,6 +12,9 @@ In order to use this action, you need to:
 2. [Store the App's ID in your repository environment variables](https://docs.github.com/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_ID`)
 3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets?tool=webui#creating-encrypted-secrets-for-a-repository) (example: `PRIVATE_KEY`)
 
+> [!IMPORTANT]  
+> An installation access token expires after 1 hour. Please [see this comment](https://github.com/actions/create-github-app-token/issues/121#issuecomment-2043214796) for alternative approaches if you have long-running processes.
+
 ### Create a token for the current repository
 
 ```yaml
@@ -61,6 +64,68 @@ jobs:
           github_token: ${{ steps.app-token.outputs.token }}
 ```
 
+### Create a git committer string for an app installation
+
+```yaml
+on: [pull_request]
+
+jobs:
+  auto-format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          # required
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - id: committer
+        run: echo "string=${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"  >> "$GITHUB_OUTPUT"
+      - run: echo "committer string is ${ {steps.committer.outputs.string }}"
+```
+
+### Configure git CLI for an app's bot user
+
+```yaml
+on: [pull_request]
+
+jobs:
+  auto-format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          # required
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>'
+      # git commands like commit work using the bot user
+      - run: |
+          git add .
+          git commit -m "Auto-generated changes"
+          git push
+```
+
+> [!TIP]
+> The `<BOT USER ID>` is the numeric user ID of the app's bot user, which can be found under `https://api.github.com/users/<app-slug>%5Bbot%5D`.
+> 
+> For example, we can check at `https://api.github.com/users/dependabot[bot]` to see the user ID of Dependabot is 49699333.
+>
+> Alternatively, you can use the [octokit/request-action](https://github.com/octokit/request-action) to get the ID.
+
 ### Create a token for all repositories in the current owner's installation
 
 ```yaml
@@ -142,7 +207,7 @@ jobs:
   set-matrix:
     runs-on: ubuntu-latest
     outputs:
-      matrix: ${{steps.set.outputs.matrix }}
+      matrix: ${{ steps.set.outputs.matrix }}
     steps:
       - id: set
         run: echo 'matrix=[{"owner":"owner1"},{"owner":"owner2","repos":["repo1"]}]' >>"$GITHUB_OUTPUT"
@@ -211,7 +276,25 @@ jobs:
 
 ### `private-key`
 
-**Required:** GitHub App private key.
+**Required:** GitHub App private key. Escaped newlines (`\\n`) will be automatically replaced with actual newlines.
+
+Some other actions may require the private key to be Base64 encoded. To avoid recreating a new secret, it can be decoded on the fly, but it needs to be managed securely. Here is an example of how this can be achieved:
+
+```yaml
+steps:
+  - name: Decode the GitHub App Private Key
+    id: decode
+    run: |
+      private_key=$(echo "${{ secrets.PRIVATE_KEY }}" | base64 -d | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null
+      echo "::add-mask::$private_key"
+      echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
+  - name: Generate GitHub App Token
+    id: app-token
+    uses: actions/create-github-app-token@v1
+    with:
+      app-id: ${{ vars.APP_ID }}
+      private-key: ${{ steps.decode.outputs.private-key }}
+```
 
 ### `owner`
 

lib/main.js

@@ -104,7 +104,7 @@ export async function main(
   // Make token accessible to post function (so we can invalidate it)
   if (!skipTokenRevoke) {
     core.saveState("token", authentication.token);
-    core.setOutput("expiresAt", authentication.expiresAt);
+    core.saveState("expiresAt", authentication.expiresAt);
   }
 }
 

package.json

@@ -2,10 +2,10 @@
   "name": "create-github-app-token",
   "private": true,
   "type": "module",
-  "version": "1.9.2",
+  "version": "1.10.3",
   "description": "GitHub Action for creating a GitHub App Installation Access Token",
   "scripts": {
-    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0",
+    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0 --packages=bundle",
     "test": "c8 --100 ava tests/index.js",
     "coverage": "c8 report --reporter html",
     "postcoverage": "open-cli coverage/index.html"
@@ -13,20 +13,20 @@
   "license": "MIT",
   "dependencies": {
     "@actions/core": "^1.10.1",
-    "@octokit/auth-app": "^6.0.4",
+    "@octokit/auth-app": "^7.1.0",
     "@octokit/request": "^9.0.1",
     "p-retry": "^6.2.0",
-    "undici": "^6.10.2"
+    "undici": "^6.19.2"
   },
   "devDependencies": {
     "@sinonjs/fake-timers": "^11.2.2",
-    "ava": "^6.1.2",
-    "c8": "^9.1.0",
+    "ava": "^6.1.3",
+    "c8": "^10.1.2",
     "dotenv": "^16.4.5",
-    "esbuild": "^0.20.2",
-    "execa": "^8.0.1",
+    "esbuild": "^0.22.0",
+    "execa": "^9.3.0",
     "open-cli": "^8.0.0",
-    "yaml": "^2.4.1"
+    "yaml": "^2.4.5"
   },
   "release": {
     "branches": [

tests/main-private-key-with-escaped-newlines.js

@@ -0,0 +1,6 @@
+import { test, DEFAULT_ENV } from "./main.js";
+
+// Verify `main` works correctly when `private-key` input has escaped newlines
+await test(() => {
+  process.env['INPUT_PRIVATE-KEY'] = DEFAULT_ENV.PRIVATE_KEY.replace(/\n/g, '\\n')
+});

tests/snapshots/index.js.md

@@ -33,8 +33,7 @@ Generated by [AVA](https://avajs.dev).
     ␊
     ::set-output name=app-slug::github-actions␊
     ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=expiresAt::2016-07-11T22:14:10Z`
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-missing-app-id.test.js
 
@@ -94,8 +93,7 @@ Generated by [AVA](https://avajs.dev).
     ␊
     ::set-output name=app-slug::github-actions␊
     ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=expiresAt::2016-07-11T22:14:10Z`
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-token-get-owner-set-repo-set-to-many.test.js
 
@@ -114,8 +112,7 @@ Generated by [AVA](https://avajs.dev).
     ␊
     ::set-output name=app-slug::github-actions␊
     ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=expiresAt::2016-07-11T22:14:10Z`
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-token-get-owner-set-repo-set-to-one.test.js
 
@@ -134,8 +131,7 @@ Generated by [AVA](https://avajs.dev).
     ␊
     ::set-output name=app-slug::github-actions␊
     ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=expiresAt::2016-07-11T22:14:10Z`
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-token-get-owner-set-to-org-repo-unset.test.js
 
@@ -154,8 +150,7 @@ Generated by [AVA](https://avajs.dev).
     ␊
     ::set-output name=app-slug::github-actions␊
     ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=expiresAt::2016-07-11T22:14:10Z`
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-token-get-owner-set-to-user-fail-response.test.js
 
@@ -175,8 +170,7 @@ Generated by [AVA](https://avajs.dev).
     ␊
     ::set-output name=app-slug::github-actions␊
     ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=expiresAt::2016-07-11T22:14:10Z`
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-token-get-owner-set-to-user-repo-unset.test.js
 
@@ -195,8 +189,7 @@ Generated by [AVA](https://avajs.dev).
     ␊
     ::set-output name=app-slug::github-actions␊
     ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=expiresAt::2016-07-11T22:14:10Z`
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-token-get-owner-unset-repo-set.test.js
 
@@ -215,8 +208,7 @@ Generated by [AVA](https://avajs.dev).
     ␊
     ::set-output name=app-slug::github-actions␊
     ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=expiresAt::2016-07-11T22:14:10Z`
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## main-token-get-owner-unset-repo-unset.test.js
 
@@ -235,8 +227,7 @@ Generated by [AVA](https://avajs.dev).
     ␊
     ::set-output name=app-slug::github-actions␊
     ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=expiresAt::2016-07-11T22:14:10Z`
+    ::save-state name=expiresAt::2016-07-11T22:14:10Z`
 
 ## post-revoke-token-fail-response.test.js