Merge origin/main into enterprise-app-enterprise-slug

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

.github/workflows/publish-immutable-action.yml

@@ -1,17 +0,0 @@
-name: 'Publish Immutable Action'
-
-on:
-  release:
-    types: [published]
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-    steps:
-      - uses: actions/checkout@v6
-      - name: Publish Immutable Action
-        uses: actions/publish-immutable-action@v0.0.4

.github/workflows/release.yml

@@ -26,7 +26,6 @@ jobs:
         with:
           node-version-file: package.json
 
-
       - run: npm ci
       - run: npm run build
       - uses: ./

.github/workflows/test.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - beta
   pull_request:
   merge_group:
   workflow_dispatch:
@@ -33,7 +34,7 @@ jobs:
     name: end-to-end
     runs-on: ubuntu-latest
     # do not run from forks, as forks don’t have access to repository secrets
-    if: github.event_name == 'merge_group' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-node@v6
@@ -53,3 +54,28 @@ jobs:
         with:
           route: GET /installation/repositories
       - run: echo '${{ steps.get-repository.outputs.data }}'
+
+  end-to-end-proxy:
+    name: end-to-end with unreachable proxy
+    runs-on: ubuntu-latest
+    # do not run from forks, as forks don’t have access to repository secrets
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version-file: package.json
+          cache: 'npm'
+      - run: npm ci
+      - run: npm run build
+      - uses: ./ # Uses the action in the root directory
+        continue-on-error: true
+        id: test
+        env:
+          NODE_USE_ENV_PROXY: "1"
+          https_proxy: http://127.0.0.1:9
+        with:
+          app-id: ${{ vars.TEST_APP_ID }}
+          private-key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
+      - name: Assert action failed through unreachable proxy
+        run: test "${{ steps.test.outcome }}" = "failure"

.gitignore

@@ -1,3 +1,4 @@
 .env
 coverage
 node_modules/
+.DS_Store

README.md

@@ -9,10 +9,10 @@ GitHub Action for creating a GitHub App installation access token.
 In order to use this action, you need to:
 
 1. [Register new GitHub App](https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app).
-2. [Store the App's ID or Client ID in your repository environment variables](https://docs.github.com/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_ID`).
-3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets?tool=webui#creating-encrypted-secrets-for-a-repository) (example: `PRIVATE_KEY`).
+2. [Store the App's Client ID in your repository variables](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_CLIENT_ID`).
+3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets?tool=webui#creating-secrets-for-a-repository) (example: `APP_PRIVATE_KEY`).
 
-> [!IMPORTANT]  
+> [!IMPORTANT]
 > An installation access token expires after 1 hour. Please [see this comment](https://github.com/actions/create-github-app-token/issues/121#issuecomment-2043214796) for alternative approaches if you have long-running processes.
 
 ### Create a token for the current repository
@@ -28,11 +28,11 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
-          app-id: ${{ vars.APP_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - uses: ./actions/staging-tests
         with:
           token: ${{ steps.app-token.outputs.token }}
@@ -47,19 +47,19 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           # required
-          app-id: ${{ vars.APP_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
-      - uses: actions/checkout@v4
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v6
         with:
           token: ${{ steps.app-token.outputs.token }}
           ref: ${{ github.head_ref }}
           # Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
           persist-credentials: false
-      - uses: creyD/prettier_action@v4.3
+      - uses: creyD/prettier_action@v6
         with:
           github_token: ${{ steps.app-token.outputs.token }}
 ```
@@ -73,12 +73,12 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           # required
-          app-id: ${{ vars.APP_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - name: Get GitHub App User ID
         id: get-user-id
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
@@ -98,12 +98,12 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           # required
-          app-id: ${{ vars.APP_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - name: Get GitHub App User ID
         id: get-user-id
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
@@ -135,13 +135,13 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
-          app-id: ${{ vars.APP_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
-      - uses: peter-evans/create-or-update-comment@v3
+      - uses: peter-evans/create-or-update-comment@v4
         with:
           token: ${{ steps.app-token.outputs.token }}
           issue-number: ${{ github.event.issue.number }}
@@ -157,16 +157,16 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
-          app-id: ${{ vars.APP_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
           repositories: |
             repo1
             repo2
-      - uses: peter-evans/create-or-update-comment@v3
+      - uses: peter-evans/create-or-update-comment@v4
         with:
           token: ${{ steps.app-token.outputs.token }}
           issue-number: ${{ github.event.issue.number }}
@@ -182,19 +182,41 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
-          app-id: ${{ vars.APP_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: another-owner
-      - uses: peter-evans/create-or-update-comment@v3
+      - uses: peter-evans/create-or-update-comment@v4
         with:
           token: ${{ steps.app-token.outputs.token }}
           issue-number: ${{ github.event.issue.number }}
           body: "Hello, World!"
 ```
 
+### Create a token for an enterprise installation
+
+```yaml
+on: [workflow_dispatch]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+          enterprise: my-enterprise-slug
+      - name: Call enterprise management REST API with gh
+        run: |
+          gh api /enterprises/my-enterprise-slug/apps/installable_organizations
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+```
+
 ### Create a token with specific permissions
 
 > [!NOTE]
@@ -207,14 +229,14 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
-          app-id: ${{ vars.APP_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
           permission-issues: write
-      - uses: peter-evans/create-or-update-comment@v3
+      - uses: peter-evans/create-or-update-comment@v4
         with:
           token: ${{ steps.app-token.outputs.token }}
           issue-number: ${{ github.event.issue.number }}
@@ -249,11 +271,11 @@ jobs:
         owners-and-repos: ${{ fromJson(needs.set-matrix.outputs.matrix) }}
 
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
-          app-id: ${{ vars.APP_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: ${{ matrix.owners-and-repos.owner }}
           repositories: ${{ join(matrix.owners-and-repos.repos) }}
       - uses: octokit/request-action@v2.x
@@ -279,9 +301,9 @@ jobs:
     steps:
       - name: Create GitHub App token
         id: create_token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@v3
         with:
-          app-id: ${{ vars.GHES_APP_ID }}
+          client-id: ${{ vars.GHES_APP_CLIENT_ID }}
           private-key: ${{ secrets.GHES_APP_PRIVATE_KEY }}
           owner: ${{ vars.GHES_INSTALLATION_ORG }}
           github-api-url: ${{ vars.GITHUB_API_URL }}
@@ -296,11 +318,32 @@ jobs:
           GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}
 ```
 
+### Proxy support
+
+This action relies on Node.js native proxy support.
+
+If you set `HTTP_PROXY` or `HTTPS_PROXY`, also set `NODE_USE_ENV_PROXY: "1"` on the action step so Node.js honors those variables. If you need proxy bypass rules, set `NO_PROXY` alongside them.
+
+```yaml
+- uses: actions/create-github-app-token@v3
+  id: app-token
+  env:
+    HTTPS_PROXY: http://proxy.example.com:8080
+    NO_PROXY: github.example.com
+    NODE_USE_ENV_PROXY: "1"
+  with:
+    client-id: ${{ vars.APP_CLIENT_ID }}
+    private-key: ${{ secrets.APP_PRIVATE_KEY }}
+```
+
 ## Inputs
 
-### `app-id`
+### `client-id` or `app-id`
 
-**Required:** GitHub App ID.
+**Required:** GitHub App Client ID.
+
+> [!NOTE]
+> The legacy `app-id` input is also accepted, but `client-id` is recommended.
 
 ### `private-key`
 
@@ -313,14 +356,14 @@ steps:
   - name: Decode the GitHub App Private Key
     id: decode
     run: |
-      private_key=$(echo "${{ secrets.PRIVATE_KEY }}" | base64 -d | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null
+      private_key=$(echo "${{ secrets.APP_PRIVATE_KEY }}" | base64 -d | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null
       echo "::add-mask::$private_key"
       echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
   - name: Generate GitHub App Token
     id: app-token
-    uses: actions/create-github-app-token@v2
+    uses: actions/create-github-app-token@v3
     with:
-      app-id: ${{ vars.APP_ID }}
+      client-id: ${{ vars.APP_CLIENT_ID }}
       private-key: ${{ steps.decode.outputs.private-key }}
 ```
 
@@ -335,6 +378,13 @@ steps:
 > [!NOTE]
 > If `owner` is set and `repositories` is empty, access will be scoped to all repositories in the provided repository owner's installation. If `owner` and `repositories` are empty, access will be scoped to only the current repository.
 
+### `enterprise`
+
+**Optional:** The slug version of the enterprise name to generate a token for enterprise-level app installations.
+
+> [!NOTE]
+> The `enterprise` input is mutually exclusive with `owner` and `repositories`. GitHub Apps can be installed on enterprise accounts with permissions that let them call enterprise management APIs. Enterprise installations do not grant access to organization or repository resources.
+
 ### `permission-<permission name>`
 
 **Optional:** The permissions to grant to the token. By default, the token inherits all of the installation's permissions. We recommend to explicitly list the permissions that are required for a use case. This follows GitHub's own recommendation to [control permissions of `GITHUB_TOKEN` in workflows](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token). The documentation also lists all available permissions, just prefix the permission key with `permission-` (e.g., `pull-requests` → `permission-pull-requests`).

action.yml

@@ -5,9 +5,13 @@ branding:
   icon: "lock"
   color: "gray-dark"
 inputs:
+  client-id:
+    description: "GitHub App Client ID"
+    required: false
   app-id:
     description: "GitHub App ID"
-    required: true
+    required: false
+    deprecationMessage: "Use 'client-id' instead."
   private-key:
     description: "GitHub App private key"
     required: true
@@ -17,6 +21,9 @@ inputs:
   repositories:
     description: "Comma or newline-separated list of repositories to install the GitHub App on (defaults to current repository if owner is unset)"
     required: false
+  enterprise:
+    description: "The slug version of the enterprise name for enterprise-level app installations (cannot be used with 'owner' or 'repositories')"
+    required: false
   skip-token-revoke:
     description: "If true, the token will not be revoked when the current job is complete"
     required: false
@@ -31,6 +38,10 @@ inputs:
     description: "The level of permission to grant the access token for GitHub Actions workflows, workflow runs, and artifacts. Can be set to 'read' or 'write'."
   permission-administration:
     description: "The level of permission to grant the access token for repository creation, deletion, settings, teams, and collaborators creation. Can be set to 'read' or 'write'."
+  permission-artifact-metadata:
+    description: "The level of permission to grant the access token to create and retrieve build artifact metadata records. Can be set to 'read' or 'write'."
+  permission-attestations:
+    description: "The level of permission to create and retrieve the access token for repository attestations. Can be set to 'read' or 'write'."
   permission-checks:
     description: "The level of permission to grant the access token for checks on code. Can be set to 'read' or 'write'."
   permission-codespaces:
@@ -43,6 +54,8 @@ inputs:
     description: "The level of permission to grant the access token to manage Dependabot secrets. Can be set to 'read' or 'write'."
   permission-deployments:
     description: "The level of permission to grant the access token for deployments and deployment statuses. Can be set to 'read' or 'write'."
+  permission-discussions:
+    description: "The level of permission to grant the access token for discussions and related comments and labels. Can be set to 'read' or 'write'."
   permission-email-addresses:
     description: "The level of permission to grant the access token to manage the email addresses belonging to a user. Can be set to 'read' or 'write'."
   permission-enterprise-custom-properties-for-organizations:
@@ -61,6 +74,8 @@ inputs:
     description: "The level of permission to grant the access token for issues and related comments, assignees, labels, and milestones. Can be set to 'read' or 'write'."
   permission-members:
     description: "The level of permission to grant the access token for organization teams and members. Can be set to 'read' or 'write'."
+  permission-merge-queues:
+    description: "The level of permission to grant the access token to manage the merge queues for a repository. Can be set to 'read' or 'write'."
   permission-metadata:
     description: "The level of permission to grant the access token to search repositories, list collaborators, and access repository metadata. Can be set to 'read' or 'write'."
   permission-organization-administration:
@@ -136,6 +151,6 @@ outputs:
   app-slug:
     description: "GitHub App slug"
 runs:
-  using: "node20"
+  using: "node24"
   main: "dist/main.cjs"
   post: "dist/post.cjs"

lib/main.js

@@ -2,8 +2,9 @@ import pRetry from "p-retry";
 // @ts-check
 
 /**
- * @param {string} appId
+ * @param {string} clientId
  * @param {string} privateKey
+ * @param {string} enterprise
  * @param {string} owner
  * @param {string[]} repositories
  * @param {undefined | Record<string, string>} permissions
@@ -13,86 +14,60 @@ import pRetry from "p-retry";
  * @param {boolean} skipTokenRevoke
  */
 export async function main(
-  appId,
+  clientId,
   privateKey,
+  enterprise,
   owner,
   repositories,
   permissions,
   core,
   createAppAuth,
   request,
-  skipTokenRevoke
+  skipTokenRevoke,
 ) {
-  let parsedOwner = "";
-  let parsedRepositoryNames = [];
-
-  // If neither owner nor repositories are set, default to current repository
-  if (!owner && repositories.length === 0) {
-    const [owner, repo] = String(process.env.GITHUB_REPOSITORY).split("/");
-    parsedOwner = owner;
-    parsedRepositoryNames = [repo];
-
-    core.info(
-      `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (${owner}/${repo}).`
-    );
+  // Validate mutual exclusivity of enterprise with owner/repositories
+  if (enterprise && (owner || repositories.length > 0)) {
+    throw new Error("Cannot use 'enterprise' input with 'owner' or 'repositories' inputs");
   }
 
-  // If only an owner is set, default to all repositories from that owner
-  if (owner && repositories.length === 0) {
-    parsedOwner = owner;
-
-    core.info(
-      `Input 'repositories' is not set. Creating token for all repositories owned by ${owner}.`
-    );
-  }
-
-  // If repositories are set, but no owner, default to `GITHUB_REPOSITORY_OWNER`
-  if (!owner && repositories.length > 0) {
-    parsedOwner = String(process.env.GITHUB_REPOSITORY_OWNER);
-    parsedRepositoryNames = repositories;
-
-    core.info(
-      `No 'owner' input provided. Using default owner '${parsedOwner}' to create token for the following repositories:${repositories
-        .map((repo) => `\n- ${parsedOwner}/${repo}`)
-        .join("")}`
-    );
-  }
-
-  // If both owner and repositories are set, use those values
-  if (owner && repositories.length > 0) {
-    parsedOwner = owner;
-    parsedRepositoryNames = repositories;
-
-    core.info(
-      `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
-      ${repositories.map((repo) => `\n- ${parsedOwner}/${repo}`).join("")}`
-    );
-  }
+  const target = resolveInstallationTarget(enterprise, owner, repositories, core);
 
   const auth = createAppAuth({
-    appId,
+    appId: clientId,
     privateKey,
     request,
   });
 
   let authentication, installationId, appSlug;
-  // If at least one repository is set, get installation ID from that repository
 
-  if (parsedRepositoryNames.length > 0) {
+  if (target.type === "enterprise") {
+    ({ authentication, installationId, appSlug } = await pRetry(
+      () => getTokenFromEnterprise(request, auth, target.enterprise, permissions),
+      {
+        shouldRetry: ({ error }) => error.status >= 500,
+        onFailedAttempt: (context) => {
+          core.info(
+            `Failed to create token for enterprise "${target.enterprise}" (attempt ${context.attemptNumber}): ${context.error.message}`
+          );
+        },
+        retries: 3,
+      }
+    ));
+  } else if (target.type === "repository") {
     ({ authentication, installationId, appSlug } = await pRetry(
       () =>
         getTokenFromRepository(
           request,
           auth,
-          parsedOwner,
-          parsedRepositoryNames,
+          target.owner,
+          target.repositories,
           permissions
         ),
       {
         shouldRetry: ({ error }) => error.status >= 500,
         onFailedAttempt: (context) => {
           core.info(
-            `Failed to create token for "${parsedRepositoryNames.join(
+            `Failed to create token for "${target.repositories.join(
               ","
             )}" (attempt ${context.attemptNumber}): ${context.error.message}`
           );
@@ -103,11 +78,11 @@ export async function main(
   } else {
     // Otherwise get the installation for the owner, which can either be an organization or a user account
     ({ authentication, installationId, appSlug } = await pRetry(
-      () => getTokenFromOwner(request, auth, parsedOwner, permissions),
+      () => getTokenFromOwner(request, auth, target.owner, permissions),
       {
         onFailedAttempt: (context) => {
           core.info(
-            `Failed to create token for "${parsedOwner}" (attempt ${context.attemptNumber}): ${context.error.message}`
+            `Failed to create token for "${target.owner}" (attempt ${context.attemptNumber}): ${context.error.message}`
           );
         },
         retries: 3,
@@ -129,6 +104,76 @@ export async function main(
   }
 }
 
+function resolveInstallationTarget(enterprise, owner, repositories, core) {
+  if (enterprise) {
+    core.info(`Creating enterprise installation token for enterprise "${enterprise}".`);
+    return { type: "enterprise", enterprise };
+  }
+
+  if (!owner && repositories.length === 0) {
+    const [defaultOwner, repo] = String(process.env.GITHUB_REPOSITORY).split("/");
+
+    core.info(
+      `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (${defaultOwner}/${repo}).`
+    );
+
+    return {
+      type: "repository",
+      owner: defaultOwner,
+      repositories: [repo],
+    };
+  }
+
+  if (owner && repositories.length === 0) {
+    core.info(
+      `Input 'repositories' is not set. Creating token for all repositories owned by ${owner}.`
+    );
+
+    return { type: "owner", owner };
+  }
+
+  const parsedOwner = owner || String(process.env.GITHUB_REPOSITORY_OWNER);
+
+  if (!owner) {
+    core.info(
+      `No 'owner' input provided. Using default owner '${parsedOwner}' to create token for the following repositories:${repositories
+        .map((repo) => `\n- ${parsedOwner}/${repo}`)
+        .join("")}`
+    );
+  } else {
+    core.info(
+      `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      ${repositories.map((repo) => `\n- ${parsedOwner}/${repo}`).join("")}`
+    );
+  }
+
+  return {
+    type: "repository",
+    owner: parsedOwner,
+    repositories,
+  };
+}
+
+async function createInstallationAuthResult(
+  auth,
+  installation,
+  permissions,
+  options = {},
+) {
+  const authentication = await auth({
+    type: "installation",
+    installationId: installation.id,
+    permissions,
+    ...options,
+  });
+
+  return {
+    authentication,
+    installationId: installation.id,
+    appSlug: installation["app_slug"],
+  };
+}
+
 async function getTokenFromOwner(request, auth, parsedOwner, permissions) {
   // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app
   // This endpoint works for both users and organizations
@@ -139,17 +184,8 @@ async function getTokenFromOwner(request, auth, parsedOwner, permissions) {
     },
   });
 
-  // Get token for for all repositories of the given installation
-  const authentication = await auth({
-    type: "installation",
-    installationId: response.data.id,
-    permissions,
-  });
-
-  const installationId = response.data.id;
-  const appSlug = response.data["app_slug"];
-
-  return { authentication, installationId, appSlug };
+  // Get token for all repositories of the given installation
+  return createInstallationAuthResult(auth, response.data, permissions);
 }
 
 async function getTokenFromRepository(
@@ -169,15 +205,30 @@ async function getTokenFromRepository(
   });
 
   // Get token for given repositories
-  const authentication = await auth({
-    type: "installation",
-    installationId: response.data.id,
+  return createInstallationAuthResult(auth, response.data, permissions, {
     repositoryNames: parsedRepositoryNames,
-    permissions,
   });
-
-  const installationId = response.data.id;
-  const appSlug = response.data["app_slug"];
-
-  return { authentication, installationId, appSlug };
+}
+
+async function getTokenFromEnterprise(request, auth, enterprise, permissions) {
+  let response;
+  try {
+    response = await request("GET /enterprises/{enterprise}/installation", {
+      enterprise,
+      request: {
+        hook: auth.hook,
+      },
+    });
+  } catch (error) {
+    if (error.status === 404) {
+      throw new Error(
+        `No enterprise installation found matching the name ${enterprise}.`
+      );
+    }
+
+    throw error;
+  }
+
+  // Get token for the enterprise installation
+  return createInstallationAuthResult(auth, response.data, permissions);
 }

lib/request.js

@@ -1,41 +1,36 @@
 import * as core from "@actions/core";
 import { request } from "@octokit/request";
-import { ProxyAgent, fetch as undiciFetch } from "undici";
 
+// Get the GitHub API URL from the action input and remove any trailing slash
 const baseUrl = core.getInput("github-api-url").replace(/\/$/, "");
 
-// https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners
-const proxyUrl =
-  process.env.https_proxy ||
-  process.env.HTTPS_PROXY ||
-  process.env.http_proxy ||
-  process.env.HTTP_PROXY;
+const proxyEnvironmentKeys = [
+  "https_proxy",
+  "HTTPS_PROXY",
+  "http_proxy",
+  "HTTP_PROXY",
+];
 
-/* c8 ignore start */
-// Native support for proxies in Undici is under consideration: https://github.com/nodejs/undici/issues/1650
-// Until then, we need to use a custom fetch function to add proxy support.
-const proxyFetch = (url, options) => {
-  const urlHost = new URL(url).hostname;
-  const noProxy = (process.env.no_proxy || process.env.NO_PROXY || "").split(
-    ",",
-  );
+function proxyEnvironmentConfigured() {
+  return proxyEnvironmentKeys.some((key) => process.env[key]);
+}
 
-  if (!noProxy.includes(urlHost)) {
-    options = {
-      ...options,
-      dispatcher: new ProxyAgent(String(proxyUrl)),
-    };
+function nativeProxySupportEnabled() {
+  return process.env.NODE_USE_ENV_PROXY === "1";
+}
+
+export function ensureNativeProxySupport() {
+  if (!proxyEnvironmentConfigured() || nativeProxySupportEnabled()) {
+    return;
   }
 
-  return undiciFetch(url, options);
-};
-/* c8 ignore stop */
+  throw new Error(
+    "A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.",
+  );
+}
 
+// Configure the default settings for GitHub API requests
 export default request.defaults({
-  headers: {
-    "user-agent": "actions/create-github-app-token",
-  },
+  headers: { "user-agent": "actions/create-github-app-token" },
   baseUrl,
-  /* c8 ignore next */
-  request: proxyUrl ? { fetch: proxyFetch } : {},
 });

main.js

@@ -5,7 +5,7 @@ import { createAppAuth } from "@octokit/auth-app";
 
 import { getPermissionsFromInputs } from "./lib/get-permissions-from-inputs.js";
 import { main } from "./lib/main.js";
-import request from "./lib/request.js";
+import request, { ensureNativeProxySupport } from "./lib/request.js";
 
 if (!process.env.GITHUB_REPOSITORY) {
   throw new Error("GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'");
@@ -15,31 +15,42 @@ if (!process.env.GITHUB_REPOSITORY_OWNER) {
   throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
 }
 
-const appId = core.getInput("app-id");
-const privateKey = core.getInput("private-key");
-const owner = core.getInput("owner");
-const repositories = core
-  .getInput("repositories")
-  .split(/[\n,]+/)
-  .map((s) => s.trim())
-  .filter((x) => x !== "");
+async function run() {
+  ensureNativeProxySupport();
 
-const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
+  const clientId = core.getInput("client-id") || core.getInput("app-id");
+  if (!clientId) {
+    throw new Error("The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.");
+  }
+  const privateKey = core.getInput("private-key");
+  const enterprise = core.getInput("enterprise");
+  const owner = core.getInput("owner");
+  const repositories = core
+    .getInput("repositories")
+    .split(/[\n,]+/)
+    .map((s) => s.trim())
+    .filter((x) => x !== "");
 
-const permissions = getPermissionsFromInputs(process.env);
+  const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
+
+  const permissions = getPermissionsFromInputs(process.env);
+
+  return main(
+    clientId,
+    privateKey,
+    enterprise,
+    owner,
+    repositories,
+    permissions,
+    core,
+    createAppAuth,
+    request,
+    skipTokenRevoke,
+  );
+}
 
 // Export promise for testing
-export default main(
-  appId,
-  privateKey,
-  owner,
-  repositories,
-  permissions,
-  core,
-  createAppAuth,
-  request,
-  skipTokenRevoke,
-).catch((error) => {
+export default run().catch((error) => {
   /* c8 ignore next 3 */
   console.error(error);
   core.setFailed(error.message);

package.json

@@ -2,15 +2,15 @@
   "name": "create-github-app-token",
   "private": true,
   "type": "module",
-  "version": "2.2.2",
+  "version": "3.1.1",
   "description": "GitHub Action for creating a GitHub App Installation Access Token",
   "engines": {
-    "node": ">=20"
+    "node": ">=24.4.0"
   },
   "packageManager": "npm@10.9.4",
   "scripts": {
-    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0 --packages=bundle",
-    "test": "c8 --100 ava tests/index.js",
+    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --packages=bundle",
+    "test": "c8 --100 node --test tests/index.js",
     "coverage": "c8 report --reporter html",
     "postcoverage": "open-cli coverage/index.html"
   },
@@ -19,19 +19,15 @@
     "@actions/core": "^3.0.0",
     "@octokit/auth-app": "^8.2.0",
     "@octokit/request": "^10.0.8",
-    "p-retry": "^7.1.1",
-    "undici": "^7.24.1"
+    "p-retry": "^8.0.0"
   },
   "devDependencies": {
-    "@octokit/openapi": "^21.0.0",
-    "@sinonjs/fake-timers": "^15.1.0",
-    "ava": "^6.4.1",
-    "c8": "^10.1.3",
-    "dotenv": "^17.3.1",
-    "esbuild": "^0.27.3",
-    "execa": "^9.6.1",
-    "open-cli": "^8.0.0",
-    "yaml": "^2.8.2"
+    "@octokit/openapi": "^22.0.0",
+    "c8": "^11.0.0",
+    "esbuild": "^0.27.4",
+    "open-cli": "^9.0.0",
+    "undici": "^7.24.6",
+    "yaml": "^2.8.3"
   },
   "release": {
     "branches": [

post.js

@@ -3,9 +3,15 @@
 import * as core from "@actions/core";
 
 import { post } from "./lib/post.js";
-import request from "./lib/request.js";
+import request, { ensureNativeProxySupport } from "./lib/request.js";
 
-post(core, request).catch((error) => {
+async function run() {
+  ensureNativeProxySupport();
+
+  return post(core, request);
+}
+
+run().catch((error) => {
   /* c8 ignore next 3 */
   console.error(error);
   core.setFailed(error.message);

scripts/generated/app-permissions.json

@@ -19,6 +19,22 @@
         "write"
       ]
     },
+    "artifact_metadata": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to create and retrieve build artifact metadata records.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "attestations": {
+      "type": "string",
+      "description": "The level of permission to create and retrieve the access token for repository attestations.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
     "checks": {
       "type": "string",
       "description": "The level of permission to grant the access token for checks on code.",
@@ -59,6 +75,14 @@
         "write"
       ]
     },
+    "discussions": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for discussions and related comments and labels.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
     "environments": {
       "type": "string",
       "description": "The level of permission to grant the access token for managing repository environments.",
@@ -75,6 +99,14 @@
         "write"
       ]
     },
+    "merge_queues": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage the merge queues for a repository.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
     "metadata": {
       "type": "string",
       "description": "The level of permission to grant the access token to search repositories, list collaborators, and access repository metadata.",

tests/README.md

@@ -2,14 +2,14 @@
 
 Add one test file per scenario. You can run them in isolation with:
 
-```bash
+```
 node tests/post-token-set.test.js
 ```
 
-All tests are run together in [tests/index.js](index.js), which can be executed with ava
+All tests are run together in [tests/index.js](index.js), which can be executed with Node's built-in test runner
 
 ```
-npx ava tests/index.js
+node --test tests/index.js
 ```
 
 or with npm
@@ -20,11 +20,17 @@ npm test
 
 ## How the tests work
 
-The output from the tests is captured into a snapshot ([tests/snapshots/index.js.md](snapshots/index.js.md)). It includes all requests sent by our scripts to verify it's working correctly and to prevent regressions.
+The output from the tests is captured into a snapshot ([tests/index.js.snapshot](index.js.snapshot)). It includes all requests sent by our scripts to verify it's working correctly and to prevent regressions.
+
+To update snapshots after an intentional change:
+
+```
+node --test --test-update-snapshots tests/index.js
+```
 
 ## How to add a new test
 
 We have tests both for the `main.js` and `post.js` scripts.
 
-- If you do not expect an error, take [main-token-permissions-set.test.js](tests/main-token-permissions-set.test.js) as a starting point.
-- If your test has an expected error, take [main-missing-app-id.test.js](tests/main-missing-app-id.test.js) as a starting point.
+- If you do not expect an error, take [main-token-permissions-set.test.js](main-token-permissions-set.test.js) as a starting point.
+- If your test has an expected error, take [main-missing-client-and-app-id.test.js](main-missing-client-and-app-id.test.js) as a starting point.

tests/index.js

@@ -1,15 +1,30 @@
 import { readdirSync } from "node:fs";
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
 
-import test from "ava";
-import { execa } from "execa";
+import { snapshot, test } from "node:test";
+
+const execFileAsync = promisify(execFile);
+
+// Serialize strings as-is so multiline output is human-readable in snapshots
+snapshot.setDefaultSnapshotSerializers([
+  (value) => (typeof value === "string" ? value : undefined),
+]);
+
+function normalizeStderr(stderr) {
+  return stderr
+    .replaceAll(/\u001B\[[0-9;]*m/g, "")
+    .replaceAll(process.cwd(), "<cwd>")
+    .replaceAll(/:\d+:\d+/g, ":<line>:<column>");
+}
 
 // Get all files in tests directory
 const files = readdirSync("tests");
 
 // Files to ignore
-const ignore = ["index.js", "main.js", "README.md", "snapshots"];
+const ignore = ["index.js", "index.js.snapshot", "main.js", "README.md"];
 
-const testFiles = files.filter((file) => !ignore.includes(file));
+const testFiles = files.filter((file) => !ignore.includes(file)).sort();
 
 // Throw an error if there is a file that does not end with test.js in the tests directory
 for (const file of testFiles) {
@@ -18,12 +33,40 @@ for (const file of testFiles) {
   }
   test(file, async (t) => {
     // Override Actions environment variables that change `core`’s behavior
-    const env = {
-      GITHUB_OUTPUT: undefined,
-      GITHUB_STATE: undefined,
-    };
-    const { stderr, stdout } = await execa("node", [`tests/${file}`], { env });
-    t.snapshot(stderr, "stderr");
-    t.snapshot(stdout, "stdout");
+    const {
+      GITHUB_OUTPUT,
+      GITHUB_STATE,
+      HTTP_PROXY,
+      HTTPS_PROXY,
+      http_proxy,
+      https_proxy,
+      NO_PROXY,
+      no_proxy,
+      NODE_OPTIONS,
+      NODE_USE_ENV_PROXY,
+      ...env
+    } = process.env;
+    let stderr, stdout;
+    try {
+      ({ stderr, stdout } = await execFileAsync("node", [`tests/${file}`], {
+        env,
+      }));
+    } catch (error) {
+      if (!(error instanceof Error) || !("stderr" in error) || !("stdout" in error)) {
+        throw error;
+      }
+
+      ({ stderr, stdout } = error);
+    }
+    const trimmedStderr = normalizeStderr(stderr).replace(/\r?\n$/, "");
+    const trimmedStdout = stdout.replace(/\r?\n$/, "");
+    await t.test("stderr", (t) => {
+      if (trimmedStderr) t.assert.snapshot(trimmedStderr);
+      else t.assert.strictEqual(trimmedStderr, "");
+    });
+    await t.test("stdout", (t) => {
+      if (trimmedStdout) t.assert.snapshot(trimmedStdout);
+      else t.assert.strictEqual(trimmedStdout, "");
+    });
   });
 }

tests/index.js.snapshot

@@ -0,0 +1,419 @@
+exports[`action-deprecated-inputs.test.js > stdout 1`] = `
+app-id — Use 'client-id' instead.
+`;
+
+exports[`main-app-id-fallback.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-client-id-precedence.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-custom-github-api-url.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/create-github-app-token
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /api/v3/repos/actions/create-github-app-token/installation
+POST /api/v3/app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-enterprise-fail-response.test.js > stdout 1`] = `
+Creating enterprise installation token for enterprise "test-enterprise".
+Failed to create token for enterprise "test-enterprise" (attempt 1): GitHub API not available
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /enterprises/test-enterprise/installation
+GET /enterprises/test-enterprise/installation
+POST /app/installations/123456/access_tokens
+null
+`;
+
+exports[`main-enterprise-installation-not-found.test.js > stderr 1`] = `
+Error: No enterprise installation found matching the name test-enterprise.
+    at getTokenFromEnterprise (file://<cwd>/lib/main.js:<line>:<column>)
+    at process.processTicksAndRejections (node:internal/process/task_queues:<line>:<column>)
+    at async pRetry (file://<cwd>/node_modules/p-retry/index.js:<line>:<column>)
+    at async main (file://<cwd>/lib/main.js:<line>:<column>)
+    at async test (file://<cwd>/tests/main.js:<line>:<column>)
+    at async file://<cwd>/tests/main-enterprise-installation-not-found.test.js:<line>:<column>
+`;
+
+exports[`main-enterprise-installation-not-found.test.js > stdout 1`] = `
+Creating enterprise installation token for enterprise "test-enterprise".
+Failed to create token for enterprise "test-enterprise" (attempt 1): No enterprise installation found matching the name test-enterprise.
+::error::No enterprise installation found matching the name test-enterprise.
+--- REQUESTS ---
+GET /enterprises/test-enterprise/installation
+`;
+
+exports[`main-enterprise-mutual-exclusivity-owner.test.js > stderr 1`] = `
+Error: Cannot use 'enterprise' input with 'owner' or 'repositories' inputs
+    at main (file://<cwd>/lib/main.js:<line>:<column>)
+    at run (file://<cwd>/main.js:<line>:<column>)
+    at file://<cwd>/main.js:<line>:<column>
+    at ModuleJob.run (node:internal/modules/esm/module_job:<line>:<column>)
+    at async onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:<line>:<column>)
+    at async file://<cwd>/tests/main-enterprise-mutual-exclusivity-owner.test.js:<line>:<column>
+`;
+
+exports[`main-enterprise-mutual-exclusivity-owner.test.js > stdout 1`] = `
+::error::Cannot use 'enterprise' input with 'owner' or 'repositories' inputs
+`;
+
+exports[`main-enterprise-mutual-exclusivity-repositories.test.js > stderr 1`] = `
+Error: Cannot use 'enterprise' input with 'owner' or 'repositories' inputs
+    at main (file://<cwd>/lib/main.js:<line>:<column>)
+    at run (file://<cwd>/main.js:<line>:<column>)
+    at file://<cwd>/main.js:<line>:<column>
+    at ModuleJob.run (node:internal/modules/esm/module_job:<line>:<column>)
+    at async onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:<line>:<column>)
+    at async file://<cwd>/tests/main-enterprise-mutual-exclusivity-repositories.test.js:<line>:<column>
+`;
+
+exports[`main-enterprise-mutual-exclusivity-repositories.test.js > stdout 1`] = `
+::error::Cannot use 'enterprise' input with 'owner' or 'repositories' inputs
+`;
+
+exports[`main-enterprise-only-success.test.js > stdout 1`] = `
+Creating enterprise installation token for enterprise "test-enterprise".
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /enterprises/test-enterprise/installation
+POST /app/installations/123456/access_tokens
+null
+`;
+
+exports[`main-enterprise-token-with-permissions.test.js > stdout 1`] = `
+Creating enterprise installation token for enterprise "test-enterprise".
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /enterprises/test-enterprise/installation
+POST /app/installations/123456/access_tokens
+{"permissions":{"enterprise_organizations":"read","enterprise_people":"write"}}
+`;
+
+exports[`main-missing-client-and-app-id.test.js > stderr 1`] = `
+The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.
+`;
+
+exports[`main-missing-client-and-app-id.test.js > stdout 1`] = `
+::error::The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.
+`;
+
+exports[`main-missing-owner.test.js > stderr 1`] = `
+GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'
+`;
+
+exports[`main-missing-repository.test.js > stderr 1`] = `
+GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'
+`;
+
+exports[`main-private-key-with-escaped-newlines.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-proxy-requires-native-support.test.js > stderr 1`] = `
+A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.
+`;
+
+exports[`main-proxy-requires-native-support.test.js > stdout 1`] = `
+::error::A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.
+`;
+
+exports[`main-repo-skew.test.js > stderr 1`] = `
+'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued.
+[@octokit/auth-app] GitHub API time and system time are different by 30 seconds. Retrying request with the difference accounted for.
+`;
+
+exports[`main-repo-skew.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/failed-repo
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/failed-repo/installation
+GET /repos/actions/failed-repo/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["failed-repo"]}
+`;
+
+exports[`main-token-get-owner-set-fail-response.test.js > stdout 1`] = `
+Input 'repositories' is not set. Creating token for all repositories owned by smockle.
+Failed to create token for "smockle" (attempt 1): GitHub API not available
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /users/smockle/installation
+GET /users/smockle/installation
+POST /app/installations/123456/access_tokens
+null
+`;
+
+exports[`main-token-get-owner-set-repo-fail-response.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/failed-repo
+Failed to create token for "failed-repo" (attempt 1): GitHub API not available
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/failed-repo/installation
+GET /repos/actions/failed-repo/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["failed-repo"]}
+`;
+
+exports[`main-token-get-owner-set-repo-set-to-many-newline.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/create-github-app-token
+- actions/toolkit
+- actions/checkout
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token","toolkit","checkout"]}
+`;
+
+exports[`main-token-get-owner-set-repo-set-to-many.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/create-github-app-token
+- actions/toolkit
+- actions/checkout
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token","toolkit","checkout"]}
+`;
+
+exports[`main-token-get-owner-set-repo-set-to-one.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/create-github-app-token
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-token-get-owner-set-repo-unset.test.js > stdout 1`] = `
+Input 'repositories' is not set. Creating token for all repositories owned by actions.
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /users/actions/installation
+POST /app/installations/123456/access_tokens
+null
+`;
+
+exports[`main-token-get-owner-unset-repo-set.test.js > stdout 1`] = `
+No 'owner' input provided. Using default owner 'actions' to create token for the following repositories:
+- actions/create-github-app-token
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-token-get-owner-unset-repo-unset.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-token-permissions-set.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"],"permissions":{"issues":"write","pull_requests":"read"}}
+`;
+
+exports[`post-proxy-requires-native-support.test.js > stderr 1`] = `
+A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.
+`;
+
+exports[`post-proxy-requires-native-support.test.js > stdout 1`] = `
+::error::A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.
+`;
+
+exports[`post-revoke-token-fail-response.test.js > stdout 1`] = `
+::warning::Token revocation failed: 
+`;
+
+exports[`post-token-expired.test.js > stdout 1`] = `
+Token expired, skipping token revocation
+`;
+
+exports[`post-token-set.test.js > stdout 1`] = `
+Token revoked
+`;
+
+exports[`post-token-skipped.test.js > stdout 1`] = `
+Token revocation was skipped
+`;
+
+exports[`post-token-unset.test.js > stdout 1`] = `
+Token is not set
+`;

tests/main-app-id-fallback.test.js

@@ -0,0 +1,11 @@
+import { DEFAULT_ENV, test } from "./main.js";
+
+// Verify `main` falls back to `app-id` when `client-id` is not set
+await test(
+  () => {},
+  {
+    ...DEFAULT_ENV,
+    "INPUT_CLIENT-ID": "",
+    "INPUT_APP-ID": "123456",
+  }
+);

tests/main-client-id-precedence.test.js

@@ -0,0 +1,11 @@
+import { DEFAULT_ENV, test } from "./main.js";
+
+// Verify `client-id` takes precedence when both `client-id` and `app-id` are set
+await test(
+  () => {},
+  {
+    ...DEFAULT_ENV,
+    "INPUT_CLIENT-ID": "Iv1.0123456789abcdef",
+    "INPUT_APP-ID": "123456",
+  }
+);

tests/main-enterprise-fail-response.test.js

@@ -0,0 +1,39 @@
+import { test } from "./main.js";
+
+// Verify enterprise installation lookup retries when the GitHub API returns a 500 error.
+await test((mockPool) => {
+  process.env.INPUT_ENTERPRISE = "test-enterprise";
+  delete process.env.INPUT_OWNER;
+  delete process.env.INPUT_REPOSITORIES;
+
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+
+  mockPool
+    .intercept({
+      path: "/enterprises/test-enterprise/installation",
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(500, "GitHub API not available");
+
+  mockPool
+    .intercept({
+      path: "/enterprises/test-enterprise/installation",
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId, app_slug: mockAppSlug },
+      { headers: { "content-type": "application/json" } },
+    );
+});

tests/main-enterprise-installation-not-found.test.js

@@ -0,0 +1,25 @@
+import { test } from "./main.js";
+
+// Verify `main` handles when no enterprise installation is found.
+await test((mockPool) => {
+  delete process.env.INPUT_OWNER;
+  delete process.env.INPUT_REPOSITORIES;
+  process.env.INPUT_ENTERPRISE = "test-enterprise";
+
+  // Mock the enterprise installation endpoint to return no matching installation
+  mockPool
+    .intercept({
+      path: "/enterprises/test-enterprise/installation",
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      404,
+      { message: "Not Found" },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main-enterprise-mutual-exclusivity-owner.test.js

@@ -0,0 +1,15 @@
+import { DEFAULT_ENV } from "./main.js";
+
+// Verify `main` exits with an error when `enterprise` is used with `owner` input.
+try {
+  // Set up environment with enterprise and owner set
+  for (const [key, value] of Object.entries(DEFAULT_ENV)) {
+    process.env[key] = value;
+  }
+  process.env.INPUT_ENTERPRISE = "test-enterprise";
+  process.env.INPUT_OWNER = "test-owner";
+  
+  await import("../main.js");
+} catch (error) {
+  console.error(error.message);
+}

tests/main-enterprise-mutual-exclusivity-repositories.test.js

@@ -0,0 +1,15 @@
+import { DEFAULT_ENV } from "./main.js";
+
+// Verify `main` exits with an error when `enterprise` is used with `repositories` input.
+try {
+  // Set up environment with enterprise and repositories set
+  for (const [key, value] of Object.entries(DEFAULT_ENV)) {
+    process.env[key] = value;
+  }
+  process.env.INPUT_ENTERPRISE = "test-enterprise";
+  process.env.INPUT_REPOSITORIES = "repo1,repo2";
+  
+  await import("../main.js");
+} catch (error) {
+  console.error(error.message);
+}

tests/main-enterprise-only-success.test.js

@@ -0,0 +1,30 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when only the `enterprise` input is set.
+await test((mockPool) => {
+  process.env.INPUT_ENTERPRISE = "test-enterprise";
+  delete process.env.INPUT_OWNER;
+  delete process.env.INPUT_REPOSITORIES;
+
+  // Mock the enterprise installation endpoint
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+  mockPool
+    .intercept({
+      path: "/enterprises/test-enterprise/installation",
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      {
+        id: mockInstallationId,
+        app_slug: mockAppSlug,
+      },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main-enterprise-token-with-permissions.test.js

@@ -0,0 +1,32 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully generates enterprise token with specific permissions.
+await test((mockPool) => {
+  process.env.INPUT_ENTERPRISE = "test-enterprise";
+  delete process.env.INPUT_OWNER;
+  delete process.env.INPUT_REPOSITORIES;
+  process.env["INPUT_PERMISSION-ENTERPRISE-ORGANIZATIONS"] = "read";
+  process.env["INPUT_PERMISSION-ENTERPRISE-PEOPLE"] = "write";
+
+  // Mock the enterprise installation endpoint
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+  mockPool
+    .intercept({
+      path: "/enterprises/test-enterprise/installation",
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      {
+        id: mockInstallationId,
+        app_slug: mockAppSlug,
+      },
+      { headers: { "content-type": "application/json" } }
+    );
+});

tests/main-missing-client-and-app-id.test.js

@@ -0,0 +1,20 @@
+import { DEFAULT_ENV } from "./main.js";
+
+for (const [key, value] of Object.entries({
+  ...DEFAULT_ENV,
+  "INPUT_CLIENT-ID": "",
+  "INPUT_APP-ID": "",
+})) {
+  process.env[key] = value;
+}
+
+// Log only the error message, not the full stack trace, because the stack
+// trace contains environment-specific paths and ANSI codes that differ
+// between local and CI environments.
+const _error = console.error;
+console.error = (err) => _error(err?.message ?? err);
+
+// Verify `main` exits with an error when neither `client-id` nor `app-id` is set.
+const { default: promise } = await import("../main.js");
+await promise;
+process.exitCode = 0;

tests/main-proxy-requires-native-support.test.js

@@ -0,0 +1,14 @@
+process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+process.env.GITHUB_REPOSITORY_OWNER = "actions";
+process.env.HTTPS_PROXY = "http://127.0.0.1:3128";
+
+const originalConsoleError = console.error;
+console.error = (...args) => {
+  originalConsoleError(
+    ...args.map((arg) => (arg instanceof Error ? arg.message : arg)),
+  );
+};
+
+await import("../main.js");
+await new Promise((resolve) => setImmediate(resolve));
+process.exitCode = 0;

tests/main-repo-skew.test.js

@@ -1,6 +1,6 @@
-import { test } from "./main.js";
+import { mock } from "node:test";
 
-import { install } from "@sinonjs/fake-timers";
+import { test } from "./main.js";
 
 // Verify `main` retry when the clock has drifted.
 await test((mockPool) => {
@@ -11,7 +11,7 @@ await test((mockPool) => {
   const mockInstallationId = "123456";
   const mockAppSlug = "github-actions";
 
-  install({ now: 0, toFake: ["Date"] });
+  mock.timers.enable({ apis: ["Date"], now: 0 });
 
   mockPool
     .intercept({
@@ -59,4 +59,6 @@ await test((mockPool) => {
       };
     })
     .times(2);
+}).finally(() => {
+  mock.timers.reset();
 });

tests/main.js

@@ -9,7 +9,7 @@ export const DEFAULT_ENV = {
   // https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
   "INPUT_GITHUB-API-URL": "https://api.github.com",
   "INPUT_SKIP-TOKEN-REVOKE": "false",
-  "INPUT_APP-ID": "123456",
+  "INPUT_CLIENT-ID": "Iv1.0123456789abcdef",
   // This key is invalidated. It’s from https://github.com/octokit/auth-app.js/issues/465#issuecomment-1564998327.
   "INPUT_PRIVATE-KEY": `-----BEGIN RSA PRIVATE KEY-----
 MIIEowIBAAKCAQEA280nfuUM9w00Ib9E2rvZJ6Qu3Ua3IqR34ZlK53vn/Iobn2EL

tests/post-proxy-requires-native-support.test.js

@@ -0,0 +1,13 @@
+process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+process.env.HTTPS_PROXY = "http://127.0.0.1:3128";
+
+const originalConsoleError = console.error;
+console.error = (...args) => {
+  originalConsoleError(
+    ...args.map((arg) => (arg instanceof Error ? arg.message : arg)),
+  );
+};
+
+await import("../post.js");
+await new Promise((resolve) => setImmediate(resolve));
+process.exitCode = 0;

tests/snapshots/index.js.md

@@ -1,384 +0,0 @@
-# Snapshot report for `tests/index.js`
-
-The actual snapshot is saved in `index.js.snap`.
-
-Generated by [AVA](https://avajs.dev).
-
-## action-deprecated-inputs.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    ''
-
-## main-custom-github-api-url.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
-          ␊
-    - actions/create-github-app-token␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /api/v3/repos/actions/create-github-app-token/installation␊
-    POST /api/v3/app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token"]}`
-
-## main-missing-owner.test.js
-
-> stderr
-
-    'GITHUB_REPOSITORY_OWNER missing, must be set to \'<owner>\''
-
-> stdout
-
-    ''
-
-## main-missing-repository.test.js
-
-> stderr
-
-    'GITHUB_REPOSITORY missing, must be set to \'<owner>/<repo>\''
-
-> stdout
-
-    ''
-
-## main-private-key-with-escaped-newlines.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/create-github-app-token/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token"]}`
-
-## main-repo-skew.test.js
-
-> stderr
-
-    `'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued.␊
-    [@octokit/auth-app] GitHub API time and system time are different by 30 seconds. Retrying request with the difference accounted for.`
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
-          ␊
-    - actions/failed-repo␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/failed-repo/installation␊
-    GET /repos/actions/failed-repo/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["failed-repo"]}`
-
-## main-token-get-owner-set-fail-response.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Input 'repositories' is not set. Creating token for all repositories owned by smockle.␊
-    Failed to create token for "smockle" (attempt 1): GitHub API not available␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /users/smockle/installation␊
-    GET /users/smockle/installation␊
-    POST /app/installations/123456/access_tokens␊
-    null`
-
-## main-token-get-owner-set-repo-fail-response.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
-          ␊
-    - actions/failed-repo␊
-    Failed to create token for "failed-repo" (attempt 1): GitHub API not available␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/failed-repo/installation␊
-    GET /repos/actions/failed-repo/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["failed-repo"]}`
-
-## main-token-get-owner-set-repo-set-to-many-newline.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
-          ␊
-    - actions/create-github-app-token␊
-    - actions/toolkit␊
-    - actions/checkout␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/create-github-app-token/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token","toolkit","checkout"]}`
-
-## main-token-get-owner-set-repo-set-to-many.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
-          ␊
-    - actions/create-github-app-token␊
-    - actions/toolkit␊
-    - actions/checkout␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/create-github-app-token/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token","toolkit","checkout"]}`
-
-## main-token-get-owner-set-repo-set-to-one.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
-          ␊
-    - actions/create-github-app-token␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/create-github-app-token/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token"]}`
-
-## main-token-get-owner-set-repo-unset.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Input 'repositories' is not set. Creating token for all repositories owned by actions.␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /users/actions/installation␊
-    POST /app/installations/123456/access_tokens␊
-    null`
-
-## main-token-get-owner-unset-repo-set.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `No 'owner' input provided. Using default owner 'actions' to create token for the following repositories:␊
-    - actions/create-github-app-token␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/create-github-app-token/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token"]}`
-
-## main-token-get-owner-unset-repo-unset.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/create-github-app-token/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token"]}`
-
-## main-token-permissions-set.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/create-github-app-token/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token"],"permissions":{"issues":"write","pull_requests":"read"}}`
-
-## post-revoke-token-fail-response.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    '::warning::Token revocation failed: '
-
-## post-token-expired.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    'Token expired, skipping token revocation'
-
-## post-token-set.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    'Token revoked'
-
-## post-token-skipped.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    'Token revocation was skipped'
-
-## post-token-unset.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    'Token is not set'