refactor: rename internal appId variable to clientId

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

.github/workflows/publish-immutable-action.yml

@@ -12,6 +12,6 @@ jobs:
       id-token: write
       packages: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Publish Immutable Action
         uses: actions/publish-immutable-action@v0.0.4

.github/workflows/release.yml

@@ -3,7 +3,9 @@ name: release
 on:
   push:
     branches:
+      - "*.x"
       - main
+      - beta
 
 permissions:
   contents: write
@@ -16,14 +18,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # build local version to create token
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
-          node-version-file: .node-version
-          cache: 'npm'
+          node-version-file: package.json
 
       - run: npm ci
       - run: npm run build

.github/workflows/stale.yml

@@ -0,0 +1,34 @@
+# This workflow warns and then closes issues that have had no activity for a specified amount of time.
+# https://github.com/actions/stale
+
+name: Stale
+
+on:
+  workflow_dispatch:
+  schedule:
+    # 00:00 UTC on Mondays
+    - cron: '0 0 * * 1'
+
+permissions:
+  issues: write
+  pull-requests: write
+
+env:
+  DAYS_BEFORE_STALE: 180
+  DAYS_BEFORE_CLOSE: 60
+  STALE_LABEL: 'stale'
+  STALE_LABEL_URL: ${{github.server_url}}/${{github.repository}}/labels/stale
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v10
+        with:
+          operations-per-run: 100
+          days-before-stale: ${{ env.DAYS_BEFORE_STALE }}
+          days-before-close: ${{ env.DAYS_BEFORE_CLOSE }}
+          stale-issue-label: ${{ env.STALE_LABEL }}
+          stale-pr-label: ${{ env.STALE_LABEL }}
+          stale-issue-message: 'This issue has been marked ${{ env.STALE_LABEL_URL }} because it has been open for ${{ env.DAYS_BEFORE_STALE }} days with no activity. Please close this issue if it is no longer needed. If this issue is still relevant and you would like it to remain open, simply update it within the next ${{ env.DAYS_BEFORE_CLOSE }} days.'
+          stale-pr-message: 'This pull request has been marked ${{ env.STALE_LABEL_URL }} because it has been open for ${{ env.DAYS_BEFORE_STALE }} days with no activity. Please close this pull request if it is no longer needed. If this pull request is still relevant and you would like it to remain open, simply update it within the next ${{ env.DAYS_BEFORE_CLOSE }} days.'

.github/workflows/test.yml

@@ -4,39 +4,42 @@ on:
   push:
     branches:
       - main
+      - beta
   pull_request:
+  merge_group:
   workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   integration:
-    name: Integration
+    name: integration
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
-          node-version-file: .node-version
-          cache: 'npm'
+          node-version-file: package.json
 
       - run: npm ci
       - run: npm test
 
   end-to-end:
-    name: End-to-End
+    name: end-to-end
     runs-on: ubuntu-latest
     # do not run from forks, as forks don’t have access to repository secrets
-    if: github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
-          node-version: 20
-          cache: "npm"
+          node-version-file: package.json
       - run: npm ci
       - run: npm run build
       - uses: ./ # Uses the action in the root directory
@@ -51,3 +54,28 @@ jobs:
         with:
           route: GET /installation/repositories
       - run: echo '${{ steps.get-repository.outputs.data }}'
+
+  end-to-end-proxy:
+    name: end-to-end with unreachable proxy
+    runs-on: ubuntu-latest
+    # do not run from forks, as forks don’t have access to repository secrets
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version-file: package.json
+          cache: 'npm'
+      - run: npm ci
+      - run: npm run build
+      - uses: ./ # Uses the action in the root directory
+        continue-on-error: true
+        id: test
+        env:
+          NODE_USE_ENV_PROXY: "1"
+          https_proxy: http://127.0.0.1:9
+        with:
+          app-id: ${{ vars.TEST_APP_ID }}
+          private-key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
+      - name: Assert action failed through unreachable proxy
+        run: test "${{ steps.test.outcome }}" = "failure"

.github/workflows/update-permission-inputs.yml

@@ -13,21 +13,30 @@ concurrency:
 
 permissions:
   contents: write
+  pull-requests: write
 
 jobs:
   update-permission-inputs:
     runs-on: ubuntu-latest
+    env:
+      COMMIT_MESSAGE: 'feat: update permission inputs'
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
-          node-version-file: .node-version
-          cache: 'npm'
+          node-version-file: package.json
       - name: Install dependencies
         run: npm ci
       - name: Run permission inputs update script
         run: node scripts/update-permission-inputs.js
       - name: Commit changes
-        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
+        id: auto-commit
+        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
         with:
-          commit_message: 'feat: update permission inputs'
+          commit_message: ${{ env.COMMIT_MESSAGE }}
+      - name: Update PR title
+        if: github.event_name == 'pull_request' && steps.auto-commit.outputs.changes_detected == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr edit ${{ github.event.pull_request.number }} --title "${{ env.COMMIT_MESSAGE }}"

.node-version

@@ -1 +0,0 @@
-20.9.0

CONTRIBUTING.md

@@ -12,4 +12,4 @@ Run tests locally
 npm test
 ```
 
-Learn more about how the tests work in [test/README.md](test/README.md).
+Learn more about how the tests work in [tests/README.md](tests/README.md).

README.md

@@ -8,9 +8,11 @@ GitHub Action for creating a GitHub App installation access token.
 
 In order to use this action, you need to:
 
-1. [Register new GitHub App](https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app)
-2. [Store the App's ID in your repository environment variables](https://docs.github.com/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_ID`)
-3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets?tool=webui#creating-encrypted-secrets-for-a-repository) (example: `PRIVATE_KEY`)
+1. [Register new GitHub App](https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app).
+2. [Store the App's Client ID in your repository environment variables](https://docs.github.com/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_CLIENT_ID`).
+3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets?tool=webui#creating-encrypted-secrets-for-a-repository) (example: `PRIVATE_KEY`).
+
+Pass the App's Client ID using the `client-id` input. The legacy `app-id` input remains available for compatibility, but is deprecated.
 
 > [!IMPORTANT]  
 > An installation access token expires after 1 hour. Please [see this comment](https://github.com/actions/create-github-app-token/issues/121#issuecomment-2043214796) for alternative approaches if you have long-running processes.
@@ -28,10 +30,10 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
-          app-id: ${{ vars.APP_ID }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
       - uses: ./actions/staging-tests
         with:
@@ -47,19 +49,19 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           # required
-          app-id: ${{ vars.APP_ID }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           token: ${{ steps.app-token.outputs.token }}
           ref: ${{ github.head_ref }}
           # Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
           persist-credentials: false
-      - uses: creyD/prettier_action@v4.3
+      - uses: creyD/prettier_action@v6
         with:
           github_token: ${{ steps.app-token.outputs.token }}
 ```
@@ -73,11 +75,11 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           # required
-          app-id: ${{ vars.APP_ID }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
       - name: Get GitHub App User ID
         id: get-user-id
@@ -98,11 +100,11 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           # required
-          app-id: ${{ vars.APP_ID }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
       - name: Get GitHub App User ID
         id: get-user-id
@@ -135,13 +137,13 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
-          app-id: ${{ vars.APP_ID }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
-      - uses: peter-evans/create-or-update-comment@v3
+      - uses: peter-evans/create-or-update-comment@v4
         with:
           token: ${{ steps.app-token.outputs.token }}
           issue-number: ${{ github.event.issue.number }}
@@ -157,16 +159,16 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
-          app-id: ${{ vars.APP_ID }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
           repositories: |
             repo1
             repo2
-      - uses: peter-evans/create-or-update-comment@v3
+      - uses: peter-evans/create-or-update-comment@v4
         with:
           token: ${{ steps.app-token.outputs.token }}
           issue-number: ${{ github.event.issue.number }}
@@ -182,13 +184,13 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
-          app-id: ${{ vars.APP_ID }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
           owner: another-owner
-      - uses: peter-evans/create-or-update-comment@v3
+      - uses: peter-evans/create-or-update-comment@v4
         with:
           token: ${{ steps.app-token.outputs.token }}
           issue-number: ${{ github.event.issue.number }}
@@ -207,14 +209,14 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
-          app-id: ${{ vars.APP_ID }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
           permission-issues: write
-      - uses: peter-evans/create-or-update-comment@v3
+      - uses: peter-evans/create-or-update-comment@v4
         with:
           token: ${{ steps.app-token.outputs.token }}
           issue-number: ${{ github.event.issue.number }}
@@ -249,10 +251,10 @@ jobs:
         owners-and-repos: ${{ fromJson(needs.set-matrix.outputs.matrix) }}
 
     steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
-          app-id: ${{ vars.APP_ID }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
           owner: ${{ matrix.owners-and-repos.owner }}
           repositories: ${{ join(matrix.owners-and-repos.repos) }}
@@ -279,9 +281,9 @@ jobs:
     steps:
       - name: Create GitHub App token
         id: create_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v3
         with:
-          app-id: ${{ vars.GHES_APP_ID }}
+          client-id: ${{ vars.GHES_APP_CLIENT_ID }}
           private-key: ${{ secrets.GHES_APP_PRIVATE_KEY }}
           owner: ${{ vars.GHES_INSTALLATION_ORG }}
           github-api-url: ${{ vars.GITHUB_API_URL }}
@@ -296,11 +298,38 @@ jobs:
           GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}
 ```
 
+### Proxy support
+
+This action relies on Node.js native proxy support.
+
+If you set `HTTP_PROXY` or `HTTPS_PROXY`, also set `NODE_USE_ENV_PROXY: "1"` on the action step so Node.js honors those variables. If you need proxy bypass rules, set `NO_PROXY` alongside them.
+
+```yaml
+- uses: actions/create-github-app-token@v3
+  id: app-token
+  env:
+    HTTPS_PROXY: http://proxy.example.com:8080
+    NO_PROXY: github.example.com
+    NODE_USE_ENV_PROXY: "1"
+  with:
+    client-id: ${{ vars.APP_CLIENT_ID }}
+    private-key: ${{ secrets.PRIVATE_KEY }}
+```
+
 ## Inputs
 
+### `client-id`
+
+**Optional:** GitHub App Client ID. This is the recommended input.
+
 ### `app-id`
 
-**Required:** GitHub App ID.
+**Optional:** GitHub App ID.
+
+> [!WARNING]
+> `app-id` is deprecated. Use `client-id` instead.
+
+You must set either `client-id` or `app-id`. If both are set, `client-id` takes precedence.
 
 ### `private-key`
 
@@ -318,9 +347,9 @@ steps:
       echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
   - name: Generate GitHub App Token
     id: app-token
-    uses: actions/create-github-app-token@v1
+    uses: actions/create-github-app-token@v3
     with:
-      app-id: ${{ vars.APP_ID }}
+      client-id: ${{ vars.APP_CLIENT_ID }}
       private-key: ${{ steps.decode.outputs.private-key }}
 ```
 
@@ -343,7 +372,7 @@ The reason we define one `permision-<permission name>` input per permission is t
 
 ### `skip-token-revoke`
 
-**Optional:** If truthy, the token will not be revoked when the current job is complete.
+**Optional:** If true, the token will not be revoked when the current job is complete.
 
 ### `github-api-url`
 
@@ -370,7 +399,7 @@ The action creates an installation access token using [the `POST /app/installati
 1. The token is scoped to the current repository or `repositories` if set.
 2. The token inherits all the installation's permissions.
 3. The token is set as output `token` which can be used in subsequent steps.
-4. Unless the `skip-token-revoke` input is set to a truthy value, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
+4. Unless the `skip-token-revoke` input is set to true, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
 5. The token is masked, it cannot be logged accidentally.
 
 > [!NOTE]

action.yml

@@ -5,9 +5,13 @@ branding:
   icon: "lock"
   color: "gray-dark"
 inputs:
+  client-id:
+    description: "GitHub App Client ID"
+    required: false
   app-id:
     description: "GitHub App ID"
-    required: true
+    required: false
+    deprecationMessage: "Use 'client-id' instead."
   private-key:
     description: "GitHub App private key"
     required: true
@@ -18,8 +22,9 @@ inputs:
     description: "Comma or newline-separated list of repositories to install the GitHub App on (defaults to current repository if owner is unset)"
     required: false
   skip-token-revoke:
-    description: "If truthy, the token will not be revoked when the current job is complete"
+    description: "If true, the token will not be revoked when the current job is complete"
     required: false
+    default: "false"
   # Make GitHub API configurable to support non-GitHub Cloud use cases
   # see https://github.com/actions/create-github-app-token/issues/77
   github-api-url:
@@ -36,12 +41,16 @@ inputs:
     description: "The level of permission to grant the access token to create, edit, delete, and list Codespaces. Can be set to 'read' or 'write'."
   permission-contents:
     description: "The level of permission to grant the access token for repository contents, commits, branches, downloads, releases, and merges. Can be set to 'read' or 'write'."
+  permission-custom-properties-for-organizations:
+    description: "The level of permission to grant the access token to view and edit custom properties for an organization, when allowed by the property. Can be set to 'read' or 'write'."
   permission-dependabot-secrets:
     description: "The level of permission to grant the access token to manage Dependabot secrets. Can be set to 'read' or 'write'."
   permission-deployments:
     description: "The level of permission to grant the access token for deployments and deployment statuses. Can be set to 'read' or 'write'."
   permission-email-addresses:
     description: "The level of permission to grant the access token to manage the email addresses belonging to a user. Can be set to 'read' or 'write'."
+  permission-enterprise-custom-properties-for-organizations:
+    description: "The level of permission to grant the access token for organization custom properties management at the enterprise level. Can be set to 'read', 'write', or 'admin'."
   permission-environments:
     description: "The level of permission to grant the access token for managing repository environments. Can be set to 'read' or 'write'."
   permission-followers:
@@ -67,7 +76,7 @@ inputs:
   permission-organization-custom-org-roles:
     description: "The level of permission to grant the access token for custom organization roles management. Can be set to 'read' or 'write'."
   permission-organization-custom-properties:
-    description: "The level of permission to grant the access token for custom property management. Can be set to 'read', 'write', or 'admin'."
+    description: "The level of permission to grant the access token for repository custom properties management at the organization level. Can be set to 'read', 'write', or 'admin'."
   permission-organization-custom-roles:
     description: "The level of permission to grant the access token for custom repository roles management. Can be set to 'read' or 'write'."
   permission-organization-events:
@@ -131,6 +140,6 @@ outputs:
   app-slug:
     description: "GitHub App slug"
 runs:
-  using: "node20"
+  using: "node24"
   main: "dist/main.cjs"
   post: "dist/post.cjs"

lib/get-permissions-from-inputs.js

@@ -7,9 +7,13 @@
  */
 export function getPermissionsFromInputs(env) {
   return Object.entries(env).reduce((permissions, [key, value]) => {
-    if (!key.startsWith("INPUT_PERMISSION_")) return permissions;
+    if (!key.startsWith("INPUT_PERMISSION-")) return permissions;
+    if (!value) return permissions;
 
-    const permission = key.slice("INPUT_PERMISSION_".length).toLowerCase();
+    const permission = key.slice("INPUT_PERMISSION-".length).toLowerCase()
+      .replaceAll(/-/g, "_");
+
+    // Inherit app permissions if no permissions inputs are set
     if (permissions === undefined) {
       return { [permission]: value };
     }

lib/main.js

@@ -2,7 +2,7 @@ import pRetry from "p-retry";
 // @ts-check
 
 /**
- * @param {string} appId
+ * @param {string} clientId
  * @param {string} privateKey
  * @param {string} owner
  * @param {string[]} repositories
@@ -13,7 +13,7 @@ import pRetry from "p-retry";
  * @param {boolean} skipTokenRevoke
  */
 export async function main(
-  appId,
+  clientId,
   privateKey,
   owner,
   repositories,
@@ -70,7 +70,7 @@ export async function main(
   }
 
   const auth = createAppAuth({
-    appId,
+    appId: clientId,
     privateKey,
     request,
   });
@@ -89,11 +89,12 @@ export async function main(
           permissions
         ),
       {
-        onFailedAttempt: (error) => {
+        shouldRetry: ({ error }) => error.status >= 500,
+        onFailedAttempt: (context) => {
           core.info(
             `Failed to create token for "${parsedRepositoryNames.join(
               ","
-            )}" (attempt ${error.attemptNumber}): ${error.message}`
+            )}" (attempt ${context.attemptNumber}): ${context.error.message}`
           );
         },
         retries: 3,
@@ -104,9 +105,9 @@ export async function main(
     ({ authentication, installationId, appSlug } = await pRetry(
       () => getTokenFromOwner(request, auth, parsedOwner, permissions),
       {
-        onFailedAttempt: (error) => {
+        onFailedAttempt: (context) => {
           core.info(
-            `Failed to create token for "${parsedOwner}" (attempt ${error.attemptNumber}): ${error.message}`
+            `Failed to create token for "${parsedOwner}" (attempt ${context.attemptNumber}): ${context.error.message}`
           );
         },
         retries: 3,

lib/post.js

@@ -5,7 +5,7 @@
  * @param {import("@octokit/request").request} request
  */
 export async function post(core, request) {
-  const skipTokenRevoke = Boolean(core.getInput("skip-token-revoke"));
+  const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
 
   if (skipTokenRevoke) {
     core.info("Token revocation was skipped");

lib/request.js

@@ -1,41 +1,36 @@
-import core from "@actions/core";
+import * as core from "@actions/core";
 import { request } from "@octokit/request";
-import { ProxyAgent, fetch as undiciFetch } from "undici";
 
+// Get the GitHub API URL from the action input and remove any trailing slash
 const baseUrl = core.getInput("github-api-url").replace(/\/$/, "");
 
-// https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners
-const proxyUrl =
-  process.env.https_proxy ||
-  process.env.HTTPS_PROXY ||
-  process.env.http_proxy ||
-  process.env.HTTP_PROXY;
+const proxyEnvironmentKeys = [
+  "https_proxy",
+  "HTTPS_PROXY",
+  "http_proxy",
+  "HTTP_PROXY",
+];
 
-/* c8 ignore start */
-// Native support for proxies in Undici is under consideration: https://github.com/nodejs/undici/issues/1650
-// Until then, we need to use a custom fetch function to add proxy support.
-const proxyFetch = (url, options) => {
-  const urlHost = new URL(url).hostname;
-  const noProxy = (process.env.no_proxy || process.env.NO_PROXY || "").split(
-    ",",
-  );
+function proxyEnvironmentConfigured() {
+  return proxyEnvironmentKeys.some((key) => process.env[key]);
+}
 
-  if (!noProxy.includes(urlHost)) {
-    options = {
-      ...options,
-      dispatcher: new ProxyAgent(String(proxyUrl)),
-    };
+function nativeProxySupportEnabled() {
+  return process.env.NODE_USE_ENV_PROXY === "1";
+}
+
+export function ensureNativeProxySupport() {
+  if (!proxyEnvironmentConfigured() || nativeProxySupportEnabled()) {
+    return;
   }
 
-  return undiciFetch(url, options);
-};
-/* c8 ignore stop */
+  throw new Error(
+    "A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.",
+  );
+}
 
+// Configure the default settings for GitHub API requests
 export default request.defaults({
-  headers: {
-    "user-agent": "actions/create-github-app-token",
-  },
+  headers: { "user-agent": "actions/create-github-app-token" },
   baseUrl,
-  /* c8 ignore next */
-  request: proxyUrl ? { fetch: proxyFetch } : {},
 });

main.js

@@ -1,11 +1,11 @@
 // @ts-check
 
-import core from "@actions/core";
+import * as core from "@actions/core";
 import { createAppAuth } from "@octokit/auth-app";
 
 import { getPermissionsFromInputs } from "./lib/get-permissions-from-inputs.js";
 import { main } from "./lib/main.js";
-import request from "./lib/request.js";
+import request, { ensureNativeProxySupport } from "./lib/request.js";
 
 if (!process.env.GITHUB_REPOSITORY) {
   throw new Error("GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'");
@@ -15,31 +15,40 @@ if (!process.env.GITHUB_REPOSITORY_OWNER) {
   throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
 }
 
-const appId = core.getInput("app-id");
-const privateKey = core.getInput("private-key");
-const owner = core.getInput("owner");
-const repositories = core
-  .getInput("repositories")
-  .split(/[\n,]+/)
-  .map((s) => s.trim())
-  .filter((x) => x !== "");
+async function run() {
+  ensureNativeProxySupport();
 
-const skipTokenRevoke = Boolean(core.getInput("skip-token-revoke"));
+  const clientId = core.getInput("client-id") || core.getInput("app-id");
+  if (!clientId) {
+    throw new Error("Either 'client-id' or 'app-id' input must be set");
+  }
+  const privateKey = core.getInput("private-key");
+  const owner = core.getInput("owner");
+  const repositories = core
+    .getInput("repositories")
+    .split(/[\n,]+/)
+    .map((s) => s.trim())
+    .filter((x) => x !== "");
 
-const permissions = getPermissionsFromInputs(process.env);
+  const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
+
+  const permissions = getPermissionsFromInputs(process.env);
+
+  return main(
+    clientId,
+    privateKey,
+    owner,
+    repositories,
+    permissions,
+    core,
+    createAppAuth,
+    request,
+    skipTokenRevoke,
+  );
+}
 
 // Export promise for testing
-export default main(
-  appId,
-  privateKey,
-  owner,
-  repositories,
-  permissions,
-  core,
-  createAppAuth,
-  request,
-  skipTokenRevoke,
-).catch((error) => {
+export default run().catch((error) => {
   /* c8 ignore next 3 */
   console.error(error);
   core.setFailed(error.message);

package.json

@@ -2,37 +2,41 @@
   "name": "create-github-app-token",
   "private": true,
   "type": "module",
-  "version": "2.0.2",
+  "version": "3.0.0",
   "description": "GitHub Action for creating a GitHub App Installation Access Token",
+  "engines": {
+    "node": ">=24.4.0"
+  },
+  "packageManager": "npm@10.9.4",
   "scripts": {
-    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0 --packages=bundle",
-    "test": "c8 --100 ava tests/index.js",
+    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --packages=bundle",
+    "test": "c8 --100 node --test tests/index.js",
     "coverage": "c8 report --reporter html",
     "postcoverage": "open-cli coverage/index.html"
   },
   "license": "MIT",
   "dependencies": {
-    "@actions/core": "^1.11.1",
-    "@octokit/auth-app": "^7.2.0",
-    "@octokit/request": "^9.2.2",
-    "p-retry": "^6.2.1",
-    "undici": "^7.7.0"
+    "@actions/core": "^3.0.0",
+    "@octokit/auth-app": "^8.2.0",
+    "@octokit/request": "^10.0.8",
+    "p-retry": "^7.1.1"
   },
   "devDependencies": {
-    "@octokit/openapi": "^18.2.0",
-    "@sinonjs/fake-timers": "^14.0.0",
-    "ava": "^6.2.0",
+    "@octokit/openapi": "^21.0.0",
     "c8": "^10.1.3",
-    "dotenv": "^16.4.7",
-    "esbuild": "^0.25.2",
-    "execa": "^9.5.2",
+    "esbuild": "^0.27.3",
     "open-cli": "^8.0.0",
-    "yaml": "^2.7.1"
+    "undici": "^7.24.1",
+    "yaml": "^2.8.2"
   },
   "release": {
     "branches": [
       "+([0-9]).x",
-      "main"
+      "main",
+      {
+        "name": "beta",
+        "prerelease": true
+      }
     ],
     "plugins": [
       "@semantic-release/commit-analyzer",

post.js

@@ -1,11 +1,17 @@
 // @ts-check
 
-import core from "@actions/core";
+import * as core from "@actions/core";
 
 import { post } from "./lib/post.js";
-import request from "./lib/request.js";
+import request, { ensureNativeProxySupport } from "./lib/request.js";
 
-post(core, request).catch((error) => {
+async function run() {
+  ensureNativeProxySupport();
+
+  return post(core, request);
+}
+
+run().catch((error) => {
   /* c8 ignore next 3 */
   console.error(error);
   core.setFailed(error.message);

scripts/generated/app-permissions.json

@@ -187,6 +187,14 @@
         "write"
       ]
     },
+    "custom_properties_for_organizations": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to view and edit custom properties for an organization, when allowed by the property.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
     "members": {
       "type": "string",
       "description": "The level of permission to grant the access token for organization teams and members.",
@@ -221,7 +229,7 @@
     },
     "organization_custom_properties": {
       "type": "string",
-      "description": "The level of permission to grant the access token for custom property management.",
+      "description": "The level of permission to grant the access token for repository custom properties management at the organization level.",
       "enum": [
         "read",
         "write",
@@ -384,6 +392,15 @@
         "read",
         "write"
       ]
+    },
+    "enterprise_custom_properties_for_organizations": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for organization custom properties management at the enterprise level.",
+      "enum": [
+        "read",
+        "write",
+        "admin"
+      ]
     }
   },
   "example": {

tests/README.md

@@ -2,14 +2,14 @@
 
 Add one test file per scenario. You can run them in isolation with:
 
-```bash
+```
 node tests/post-token-set.test.js
 ```
 
-All tests are run together in [tests/index.js](index.js), which can be executed with ava
+All tests are run together in [tests/index.js](index.js), which can be executed with Node's built-in test runner
 
 ```
-npx ava tests/index.js
+node --test tests/index.js
 ```
 
 or with npm
@@ -20,11 +20,17 @@ npm test
 
 ## How the tests work
 
-The output from the tests is captured into a snapshot ([tests/snapshots/index.js.md](snapshots/index.js.md)). It includes all requests sent by our scripts to verify it's working correctly and to prevent regressions.
+The output from the tests is captured into a snapshot ([tests/index.js.snapshot](index.js.snapshot)). It includes all requests sent by our scripts to verify it's working correctly and to prevent regressions.
+
+To update snapshots after an intentional change:
+
+```
+node --test --test-update-snapshots tests/index.js
+```
 
 ## How to add a new test
 
 We have tests both for the `main.js` and `post.js` scripts.
 
 - If you do not expect an error, take [main-token-permissions-set.test.js](tests/main-token-permissions-set.test.js) as a starting point.
-- If your test has an expected error, take [main-missing-app-id.test.js](tests/main-missing-app-id.test.js) as a starting point.
+- If your test has an expected error, take [main-missing-client-and-app-id.test.js](tests/main-missing-client-and-app-id.test.js) as a starting point.

tests/index.js

@@ -1,15 +1,23 @@
 import { readdirSync } from "node:fs";
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
 
-import test from "ava";
-import { execa } from "execa";
+import { snapshot, test } from "node:test";
+
+const execFileAsync = promisify(execFile);
+
+// Serialize strings as-is so multiline output is human-readable in snapshots
+snapshot.setDefaultSnapshotSerializers([
+  (value) => (typeof value === "string" ? value : undefined),
+]);
 
 // Get all files in tests directory
 const files = readdirSync("tests");
 
 // Files to ignore
-const ignore = ["index.js", "main.js", "README.md", "snapshots"];
+const ignore = ["index.js", "index.js.snapshot", "main.js", "README.md"];
 
-const testFiles = files.filter((file) => !ignore.includes(file));
+const testFiles = files.filter((file) => !ignore.includes(file)).sort();
 
 // Throw an error if there is a file that does not end with test.js in the tests directory
 for (const file of testFiles) {
@@ -18,12 +26,31 @@ for (const file of testFiles) {
   }
   test(file, async (t) => {
     // Override Actions environment variables that change `core`’s behavior
-    const env = {
-      GITHUB_OUTPUT: undefined,
-      GITHUB_STATE: undefined,
-    };
-    const { stderr, stdout } = await execa("node", [`tests/${file}`], { env });
-    t.snapshot(stderr, "stderr");
-    t.snapshot(stdout, "stdout");
+    const {
+      GITHUB_OUTPUT,
+      GITHUB_STATE,
+      HTTP_PROXY,
+      HTTPS_PROXY,
+      http_proxy,
+      https_proxy,
+      NO_PROXY,
+      no_proxy,
+      NODE_OPTIONS,
+      NODE_USE_ENV_PROXY,
+      ...env
+    } = process.env;
+    const { stderr, stdout } = await execFileAsync("node", [`tests/${file}`], {
+      env,
+    });
+    const trimmedStderr = stderr.replace(/\r?\n$/, "");
+    const trimmedStdout = stdout.replace(/\r?\n$/, "");
+    await t.test("stderr", (t) => {
+      if (trimmedStderr) t.assert.snapshot(trimmedStderr);
+      else t.assert.strictEqual(trimmedStderr, "");
+    });
+    await t.test("stdout", (t) => {
+      if (trimmedStdout) t.assert.snapshot(trimmedStdout);
+      else t.assert.strictEqual(trimmedStdout, "");
+    });
   });
 }

tests/index.js.snapshot

@@ -0,0 +1,308 @@
+exports[`action-deprecated-inputs.test.js > stdout 1`] = `
+app-id — Use 'client-id' instead.
+`;
+
+exports[`main-client-id.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-custom-github-api-url.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/create-github-app-token
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /api/v3/repos/actions/create-github-app-token/installation
+POST /api/v3/app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-missing-client-and-app-id.test.js > stderr 1`] = `
+Error: Either 'client-id' or 'app-id' input must be set
+    at run (file:///home/runner/work/create-github-app-token/create-github-app-token/main.js:23:11)
+    at file:///home/runner/work/create-github-app-token/create-github-app-token/main.js:51:16
+    at ModuleJob.run (node:internal/modules/esm/module_job:430:25)
+    at async onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:661:26)
+    at async file:///home/runner/work/create-github-app-token/create-github-app-token/tests/main-missing-client-and-app-id.test.js:12:30
+`;
+
+exports[`main-missing-client-and-app-id.test.js > stdout 1`] = `
+::error::Either 'client-id' or 'app-id' input must be set
+`;
+
+exports[`main-missing-owner.test.js > stderr 1`] = `
+GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'
+`;
+
+exports[`main-missing-repository.test.js > stderr 1`] = `
+GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'
+`;
+
+exports[`main-private-key-with-escaped-newlines.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-proxy-requires-native-support.test.js > stderr 1`] = `
+A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.
+`;
+
+exports[`main-proxy-requires-native-support.test.js > stdout 1`] = `
+::error::A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.
+`;
+
+exports[`main-repo-skew.test.js > stderr 1`] = `
+'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued.
+[@octokit/auth-app] GitHub API time and system time are different by 30 seconds. Retrying request with the difference accounted for.
+`;
+
+exports[`main-repo-skew.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/failed-repo
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/failed-repo/installation
+GET /repos/actions/failed-repo/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["failed-repo"]}
+`;
+
+exports[`main-token-get-owner-set-fail-response.test.js > stdout 1`] = `
+Input 'repositories' is not set. Creating token for all repositories owned by smockle.
+Failed to create token for "smockle" (attempt 1): GitHub API not available
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /users/smockle/installation
+GET /users/smockle/installation
+POST /app/installations/123456/access_tokens
+null
+`;
+
+exports[`main-token-get-owner-set-repo-fail-response.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/failed-repo
+Failed to create token for "failed-repo" (attempt 1): GitHub API not available
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/failed-repo/installation
+GET /repos/actions/failed-repo/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["failed-repo"]}
+`;
+
+exports[`main-token-get-owner-set-repo-set-to-many-newline.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/create-github-app-token
+- actions/toolkit
+- actions/checkout
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token","toolkit","checkout"]}
+`;
+
+exports[`main-token-get-owner-set-repo-set-to-many.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/create-github-app-token
+- actions/toolkit
+- actions/checkout
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token","toolkit","checkout"]}
+`;
+
+exports[`main-token-get-owner-set-repo-set-to-one.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/create-github-app-token
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-token-get-owner-set-repo-unset.test.js > stdout 1`] = `
+Input 'repositories' is not set. Creating token for all repositories owned by actions.
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /users/actions/installation
+POST /app/installations/123456/access_tokens
+null
+`;
+
+exports[`main-token-get-owner-unset-repo-set.test.js > stdout 1`] = `
+No 'owner' input provided. Using default owner 'actions' to create token for the following repositories:
+- actions/create-github-app-token
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-token-get-owner-unset-repo-unset.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-token-permissions-set.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"],"permissions":{"issues":"write","pull_requests":"read"}}
+`;
+
+exports[`post-proxy-requires-native-support.test.js > stderr 1`] = `
+A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.
+`;
+
+exports[`post-proxy-requires-native-support.test.js > stdout 1`] = `
+::error::A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.
+`;
+
+exports[`post-revoke-token-fail-response.test.js > stdout 1`] = `
+::warning::Token revocation failed: 
+`;
+
+exports[`post-token-expired.test.js > stdout 1`] = `
+Token expired, skipping token revocation
+`;
+
+exports[`post-token-set.test.js > stdout 1`] = `
+Token revoked
+`;
+
+exports[`post-token-skipped.test.js > stdout 1`] = `
+Token revocation was skipped
+`;
+
+exports[`post-token-unset.test.js > stdout 1`] = `
+Token is not set
+`;

tests/main-client-id.test.js

@@ -0,0 +1,11 @@
+import { DEFAULT_ENV, test } from "./main.js";
+
+// Verify `main` accepts a GitHub App client ID via the `client-id` input
+await test(
+  () => {},
+  {
+    ...DEFAULT_ENV,
+    "INPUT_CLIENT-ID": "Iv1.0123456789abcdef",
+    "INPUT_APP-ID": "",
+  }
+);

tests/main-missing-client-and-app-id.test.js

@@ -0,0 +1,14 @@
+import { DEFAULT_ENV } from "./main.js";
+
+for (const [key, value] of Object.entries({
+  ...DEFAULT_ENV,
+  "INPUT_CLIENT-ID": "",
+  "INPUT_APP-ID": "",
+})) {
+  process.env[key] = value;
+}
+
+// Verify `main` exits with an error when neither `client-id` nor `app-id` is set.
+const { default: promise } = await import("../main.js");
+await promise;
+process.exitCode = 0;

tests/main-proxy-requires-native-support.test.js

@@ -0,0 +1,14 @@
+process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+process.env.GITHUB_REPOSITORY_OWNER = "actions";
+process.env.HTTPS_PROXY = "http://127.0.0.1:3128";
+
+const originalConsoleError = console.error;
+console.error = (...args) => {
+  originalConsoleError(
+    ...args.map((arg) => (arg instanceof Error ? arg.message : arg)),
+  );
+};
+
+await import("../main.js");
+await new Promise((resolve) => setImmediate(resolve));
+process.exitCode = 0;

tests/main-repo-skew.test.js

@@ -1,6 +1,6 @@
-import { test } from "./main.js";
+import { mock } from "node:test";
 
-import { install } from "@sinonjs/fake-timers";
+import { test } from "./main.js";
 
 // Verify `main` retry when the clock has drifted.
 await test((mockPool) => {
@@ -11,7 +11,7 @@ await test((mockPool) => {
   const mockInstallationId = "123456";
   const mockAppSlug = "github-actions";
 
-  install({ now: 0, toFake: ["Date"] });
+  mock.timers.enable({ apis: ["Date"], now: 0 });
 
   mockPool
     .intercept({
@@ -59,4 +59,6 @@ await test((mockPool) => {
       };
     })
     .times(2);
+}).finally(() => {
+  mock.timers.reset();
 });

tests/main-token-permissions-set.test.js

@@ -2,6 +2,6 @@ import { test } from "./main.js";
 
 // Verify `main` successfully sets permissions
 await test(() => {
-  process.env.INPUT_PERMISSION_ISSUES = `write`;
-  process.env.INPUT_PERMISSION_PULL_REQUESTS = `read`;
+  process.env["INPUT_PERMISSION-ISSUES"] = `write`;
+  process.env["INPUT_PERMISSION-PULL-REQUESTS"] = `read`;
 });

tests/main.js

@@ -8,6 +8,7 @@ export const DEFAULT_ENV = {
   // inputs are set as environment variables with the prefix INPUT_
   // https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
   "INPUT_GITHUB-API-URL": "https://api.github.com",
+  "INPUT_SKIP-TOKEN-REVOKE": "false",
   "INPUT_APP-ID": "123456",
   // This key is invalidated. It’s from https://github.com/octokit/auth-app.js/issues/465#issuecomment-1564998327.
   "INPUT_PRIVATE-KEY": `-----BEGIN RSA PRIVATE KEY-----
@@ -37,6 +38,8 @@ so0tiQKBgGQXZaxaXhYUcxYHuCkQ3V4Vsj3ezlM92xXlP32SGFm3KgFhYy9kATxw
 Cax1ytZzvlrKLQyQFVK1COs2rHt7W4cJ7op7C8zXfsigXCiejnS664oAuX8sQZID
 x3WQZRiXlWejSMUAHuMwXrhGlltF3lw83+xAjnqsVp75kGS6OH61
 -----END RSA PRIVATE KEY-----`,
+  // The Actions runner sets all inputs to empty strings if not set.
+  "INPUT_PERMISSION-ADMINISTRATION": "",
 };
 
 export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
@@ -60,7 +63,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
   const owner = env.INPUT_OWNER ?? env.GITHUB_REPOSITORY_OWNER;
   const currentRepoName = env.GITHUB_REPOSITORY.split("/")[1];
   const repo = encodeURIComponent(
-    (env.INPUT_REPOSITORIES ?? currentRepoName).split(",")[0],
+    (env.INPUT_REPOSITORIES ?? currentRepoName).split(",")[0]
   );
 
   mockPool
@@ -76,7 +79,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
     .reply(
       200,
       { id: mockInstallationId, app_slug: mockAppSlug },
-      { headers: { "content-type": "application/json" } },
+      { headers: { "content-type": "application/json" } }
     );
 
   // Mock installation access token request
@@ -97,7 +100,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
     .reply(
       201,
       { token: mockInstallationAccessToken, expires_at: mockExpiresAt },
-      { headers: { "content-type": "application/json" } },
+      { headers: { "content-type": "application/json" } }
     );
 
   // Run the callback

tests/post-proxy-requires-native-support.test.js

@@ -0,0 +1,13 @@
+process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+process.env.HTTPS_PROXY = "http://127.0.0.1:3128";
+
+const originalConsoleError = console.error;
+console.error = (...args) => {
+  originalConsoleError(
+    ...args.map((arg) => (arg instanceof Error ? arg.message : arg)),
+  );
+};
+
+await import("../post.js");
+await new Promise((resolve) => setImmediate(resolve));
+process.exitCode = 0;

tests/post-revoke-token-fail-response.test.js

@@ -7,6 +7,7 @@ process.env.STATE_token = "secret123";
 // inputs are set as environment variables with the prefix INPUT_
 // https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
 process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
 
 // 1 hour in the future, not expired
 process.env.STATE_expiresAt = new Date(

tests/post-token-expired.test.js

@@ -7,6 +7,10 @@ process.env.STATE_token = "secret123";
 // 1 hour in the past, expired
 process.env.STATE_expiresAt = new Date(Date.now() - 1000 * 60 * 60).toISOString();
 
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
+
 const mockAgent = new MockAgent();
 
 setGlobalDispatcher(mockAgent);

tests/post-token-set.test.js

@@ -7,6 +7,7 @@ process.env.STATE_token = "secret123";
 // inputs are set as environment variables with the prefix INPUT_
 // https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
 process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
 
 // 1 hour in the future, not expired
 process.env.STATE_expiresAt = new Date(Date.now() + 1000 * 60 * 60).toISOString();

tests/post-token-unset.test.js

@@ -2,4 +2,8 @@
 // https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
 delete process.env.STATE_token;
 
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
+
 await import("../post.js");

tests/snapshots/index.js.md

@@ -1,384 +0,0 @@
-# Snapshot report for `tests/index.js`
-
-The actual snapshot is saved in `index.js.snap`.
-
-Generated by [AVA](https://avajs.dev).
-
-## action-deprecated-inputs.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    ''
-
-## main-custom-github-api-url.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
-          ␊
-    - actions/create-github-app-token␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /api/v3/repos/actions/create-github-app-token/installation␊
-    POST /api/v3/app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token"]}`
-
-## main-missing-owner.test.js
-
-> stderr
-
-    'GITHUB_REPOSITORY_OWNER missing, must be set to \'<owner>\''
-
-> stdout
-
-    ''
-
-## main-missing-repository.test.js
-
-> stderr
-
-    'GITHUB_REPOSITORY missing, must be set to \'<owner>/<repo>\''
-
-> stdout
-
-    ''
-
-## main-private-key-with-escaped-newlines.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/create-github-app-token/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token"]}`
-
-## main-repo-skew.test.js
-
-> stderr
-
-    `'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued.␊
-    [@octokit/auth-app] GitHub API time and system time are different by 30 seconds. Retrying request with the difference accounted for.`
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
-          ␊
-    - actions/failed-repo␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/failed-repo/installation␊
-    GET /repos/actions/failed-repo/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["failed-repo"]}`
-
-## main-token-get-owner-set-fail-response.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Input 'repositories' is not set. Creating token for all repositories owned by smockle.␊
-    Failed to create token for "smockle" (attempt 1): GitHub API not available␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /users/smockle/installation␊
-    GET /users/smockle/installation␊
-    POST /app/installations/123456/access_tokens␊
-    null`
-
-## main-token-get-owner-set-repo-fail-response.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
-          ␊
-    - actions/failed-repo␊
-    Failed to create token for "failed-repo" (attempt 1): GitHub API not available␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/failed-repo/installation␊
-    GET /repos/actions/failed-repo/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["failed-repo"]}`
-
-## main-token-get-owner-set-repo-set-to-many-newline.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
-          ␊
-    - actions/create-github-app-token␊
-    - actions/toolkit␊
-    - actions/checkout␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/create-github-app-token/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token","toolkit","checkout"]}`
-
-## main-token-get-owner-set-repo-set-to-many.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
-          ␊
-    - actions/create-github-app-token␊
-    - actions/toolkit␊
-    - actions/checkout␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/create-github-app-token/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token","toolkit","checkout"]}`
-
-## main-token-get-owner-set-repo-set-to-one.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:␊
-          ␊
-    - actions/create-github-app-token␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/create-github-app-token/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token"]}`
-
-## main-token-get-owner-set-repo-unset.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Input 'repositories' is not set. Creating token for all repositories owned by actions.␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /users/actions/installation␊
-    POST /app/installations/123456/access_tokens␊
-    null`
-
-## main-token-get-owner-unset-repo-set.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `No 'owner' input provided. Using default owner 'actions' to create token for the following repositories:␊
-    - actions/create-github-app-token␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/create-github-app-token/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token"]}`
-
-## main-token-get-owner-unset-repo-unset.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/create-github-app-token/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token"]}`
-
-## main-token-permissions-set.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).␊
-    ::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ␊
-    ::set-output name=installation-id::123456␊
-    ␊
-    ::set-output name=app-slug::github-actions␊
-    ::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a␊
-    ::save-state name=expiresAt::2016-07-11T22:14:10Z␊
-    --- REQUESTS ---␊
-    GET /repos/actions/create-github-app-token/installation␊
-    POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token"],"permissions":{"issues":"write","pull_requests":"read"}}`
-
-## post-revoke-token-fail-response.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    '::warning::Token revocation failed: '
-
-## post-token-expired.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    'Token expired, skipping token revocation'
-
-## post-token-set.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    'Token revoked'
-
-## post-token-skipped.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    'Token revocation was skipped'
-
-## post-token-unset.test.js
-
-> stderr
-
-    ''
-
-> stdout
-
-    'Token is not set'