build(release): 3.0.0-beta.1 [skip ci]

# [3.0.0-beta.1](https://github.com/actions/create-github-app-token/compare/v2.1.1...v3.0.0-beta.1) (2025-08-15)

* feat!: node 24 support ([#275](https://github.com/actions/create-github-app-token/issues/275)) ([6178938](https://github.com/actions/create-github-app-token/commit/61789386cb26150ab580cab449a9ae053bb9fd24))

### BREAKING CHANGES

* Requires [Actions Runner v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) or later if you are using a self-hosted runner.

.github/workflows/publish-immutable-action.yml

@@ -12,6 +12,6 @@ jobs:
       id-token: write
       packages: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Publish Immutable Action
         uses: actions/publish-immutable-action@v0.0.4

.github/workflows/release.yml

@@ -3,7 +3,9 @@ name: release
 on:
   push:
     branches:
+      - "*.x"
       - main
+      - beta
 
 permissions:
   contents: write
@@ -16,13 +18,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # build local version to create token
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           persist-credentials: false
 
       - uses: actions/setup-node@v4
         with:
-          node-version-file: .node-version
+          node-version-file: package.json
           cache: 'npm'
 
       - run: npm ci

.github/workflows/test.yml

@@ -11,16 +11,19 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   integration:
     name: Integration
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: actions/setup-node@v4
         with:
-          node-version-file: .node-version
+          node-version-file: package.json
           cache: 'npm'
 
       - run: npm ci
@@ -32,11 +35,11 @@ jobs:
     # do not run from forks, as forks don’t have access to repository secrets
     if: github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
-          cache: "npm"
+          node-version-file: package.json
+          cache: 'npm'
       - run: npm ci
       - run: npm run build
       - uses: ./ # Uses the action in the root directory

.github/workflows/update-permission-inputs.yml

@@ -18,16 +18,16 @@ jobs:
   update-permission-inputs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-node@v4
         with:
-          node-version-file: .node-version
+          node-version-file: package.json
           cache: 'npm'
       - name: Install dependencies
         run: npm ci
       - name: Run permission inputs update script
         run: node scripts/update-permission-inputs.js
       - name: Commit changes
-        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
+        uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
         with:
           commit_message: 'feat: update permission inputs'

.node-version

@@ -1 +0,0 @@
-20.9.0

README.md

@@ -8,9 +8,9 @@ GitHub Action for creating a GitHub App installation access token.
 
 In order to use this action, you need to:
 
-1. [Register new GitHub App](https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app)
-2. [Store the App's ID in your repository environment variables](https://docs.github.com/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_ID`)
-3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets?tool=webui#creating-encrypted-secrets-for-a-repository) (example: `PRIVATE_KEY`)
+1. [Register new GitHub App](https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app).
+2. [Store the App's ID or Client ID in your repository environment variables](https://docs.github.com/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_ID`).
+3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets?tool=webui#creating-encrypted-secrets-for-a-repository) (example: `PRIVATE_KEY`).
 
 > [!IMPORTANT]  
 > An installation access token expires after 1 hour. Please [see this comment](https://github.com/actions/create-github-app-token/issues/121#issuecomment-2043214796) for alternative approaches if you have long-running processes.
@@ -28,7 +28,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -47,13 +47,13 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           # required
           app-id: ${{ vars.APP_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ steps.app-token.outputs.token }}
           ref: ${{ github.head_ref }}
@@ -73,7 +73,7 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           # required
@@ -98,7 +98,7 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           # required
@@ -135,7 +135,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -157,7 +157,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -182,7 +182,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -207,7 +207,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -249,7 +249,7 @@ jobs:
         owners-and-repos: ${{ fromJson(needs.set-matrix.outputs.matrix) }}
 
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -279,7 +279,7 @@ jobs:
     steps:
       - name: Create GitHub App token
         id: create_token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@v3
         with:
           app-id: ${{ vars.GHES_APP_ID }}
           private-key: ${{ secrets.GHES_APP_PRIVATE_KEY }}
@@ -318,7 +318,7 @@ steps:
       echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
   - name: Generate GitHub App Token
     id: app-token
-    uses: actions/create-github-app-token@v2
+    uses: actions/create-github-app-token@v3
     with:
       app-id: ${{ vars.APP_ID }}
       private-key: ${{ steps.decode.outputs.private-key }}

action.yml

@@ -132,6 +132,6 @@ outputs:
   app-slug:
     description: "GitHub App slug"
 runs:
-  using: "node20"
+  using: "node24"
   main: "dist/main.cjs"
   post: "dist/post.cjs"

lib/get-permissions-from-inputs.js

@@ -7,9 +7,13 @@
  */
 export function getPermissionsFromInputs(env) {
   return Object.entries(env).reduce((permissions, [key, value]) => {
-    if (!key.startsWith("INPUT_PERMISSION_")) return permissions;
+    if (!key.startsWith("INPUT_PERMISSION-")) return permissions;
+    if (!value) return permissions;
 
-    const permission = key.slice("INPUT_PERMISSION_".length).toLowerCase();
+    const permission = key.slice("INPUT_PERMISSION-".length).toLowerCase()
+      .replaceAll(/-/g, "_");
+
+    // Inherit app permissions if no permissions inputs are set
     if (permissions === undefined) {
       return { [permission]: value };
     }

lib/main.js

@@ -89,6 +89,7 @@ export async function main(
           permissions
         ),
       {
+        shouldRetry: (error) => error.status >= 500,
         onFailedAttempt: (error) => {
           core.info(
             `Failed to create token for "${parsedRepositoryNames.join(

package.json

@@ -2,10 +2,13 @@
   "name": "create-github-app-token",
   "private": true,
   "type": "module",
-  "version": "2.0.3",
+  "version": "3.0.0-beta.1",
   "description": "GitHub Action for creating a GitHub App Installation Access Token",
+  "engines": {
+    "node": ">=24.4.0"
+  },
   "scripts": {
-    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0 --packages=bundle",
+    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --packages=bundle",
     "test": "c8 --100 ava tests/index.js",
     "coverage": "c8 report --reporter html",
     "postcoverage": "open-cli coverage/index.html"
@@ -13,26 +16,30 @@
   "license": "MIT",
   "dependencies": {
     "@actions/core": "^1.11.1",
-    "@octokit/auth-app": "^7.2.0",
+    "@octokit/auth-app": "^7.2.1",
     "@octokit/request": "^9.2.2",
     "p-retry": "^6.2.1",
-    "undici": "^7.7.0"
+    "undici": "^7.8.0"
   },
   "devDependencies": {
-    "@octokit/openapi": "^18.2.0",
+    "@octokit/openapi": "^19.1.0",
     "@sinonjs/fake-timers": "^14.0.0",
-    "ava": "^6.2.0",
+    "ava": "^6.4.1",
     "c8": "^10.1.3",
-    "dotenv": "^16.4.7",
-    "esbuild": "^0.25.2",
-    "execa": "^9.5.2",
+    "dotenv": "^17.2.1",
+    "esbuild": "^0.25.8",
+    "execa": "^9.6.0",
     "open-cli": "^8.0.0",
-    "yaml": "^2.7.1"
+    "yaml": "^2.8.1"
   },
   "release": {
     "branches": [
       "+([0-9]).x",
-      "main"
+      "main",
+      {
+        "name": "beta",
+        "prerelease": true
+      }
     ],
     "plugins": [
       "@semantic-release/commit-analyzer",

tests/main-token-permissions-set.test.js

@@ -2,6 +2,6 @@ import { test } from "./main.js";
 
 // Verify `main` successfully sets permissions
 await test(() => {
-  process.env.INPUT_PERMISSION_ISSUES = `write`;
-  process.env.INPUT_PERMISSION_PULL_REQUESTS = `read`;
+  process.env["INPUT_PERMISSION-ISSUES"] = `write`;
+  process.env["INPUT_PERMISSION-PULL-REQUESTS"] = `read`;
 });

tests/main.js

@@ -38,6 +38,8 @@ so0tiQKBgGQXZaxaXhYUcxYHuCkQ3V4Vsj3ezlM92xXlP32SGFm3KgFhYy9kATxw
 Cax1ytZzvlrKLQyQFVK1COs2rHt7W4cJ7op7C8zXfsigXCiejnS664oAuX8sQZID
 x3WQZRiXlWejSMUAHuMwXrhGlltF3lw83+xAjnqsVp75kGS6OH61
 -----END RSA PRIVATE KEY-----`,
+  // The Actions runner sets all inputs to empty strings if not set.
+  "INPUT_PERMISSION-ADMINISTRATION": "",
 };
 
 export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
@@ -61,7 +63,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
   const owner = env.INPUT_OWNER ?? env.GITHUB_REPOSITORY_OWNER;
   const currentRepoName = env.GITHUB_REPOSITORY.split("/")[1];
   const repo = encodeURIComponent(
-    (env.INPUT_REPOSITORIES ?? currentRepoName).split(",")[0],
+    (env.INPUT_REPOSITORIES ?? currentRepoName).split(",")[0]
   );
 
   mockPool
@@ -77,7 +79,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
     .reply(
       200,
       { id: mockInstallationId, app_slug: mockAppSlug },
-      { headers: { "content-type": "application/json" } },
+      { headers: { "content-type": "application/json" } }
     );
 
   // Mock installation access token request
@@ -98,7 +100,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
     .reply(
       201,
       { token: mockInstallationAccessToken, expires_at: mockExpiresAt },
-      { headers: { "content-type": "application/json" } },
+      { headers: { "content-type": "application/json" } }
     );
 
   // Run the callback