build(release): 3.0.0-beta.3 [skip ci]

# [3.0.0-beta.3](https://github.com/actions/create-github-app-token/compare/v3.0.0-beta.2...v3.0.0-beta.3) (2026-03-13) ### Bug Fixes * require `NODE_USE_ENV_PROXY` for proxy support ([#342](https://github.com/actions/create-github-app-token/issues/342)) ([54e58b6](https://github.com/actions/create-github-app-token/commit/54e58b612c0c4e52564c3c87486532017ad95b22))
fix: require NODE_USE_ENV_PROXY for proxy support (#342 )
2026-03-13 06:19:27 +00:00 · 2026-03-12 23:18:56 -07:00 · 2025-08-22 19:16:51 +00:00 · 2025-08-22 12:16:16 -07:00 · 2025-08-15 13:03:02 -07:00
14 changed files with 455 additions and 42963 deletions
@@ -4,6 +4,7 @@ on:
  push:
    branches:
      - main
+      - beta
  pull_request:
  workflow_dispatch:

@@ -33,7 +34,7 @@ jobs:
    name: End-to-End
    runs-on: ubuntu-latest
    # do not run from forks, as forks don’t have access to repository secrets
-    if: github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v4
@@ -54,3 +55,28 @@ jobs:
        with:
          route: GET /installation/repositories
      - run: echo '${{ steps.get-repository.outputs.data }}'
+
+  end-to-end-proxy:
+    name: End-to-End with unreachable proxy
+    runs-on: ubuntu-latest
+    # do not run from forks, as forks don’t have access to repository secrets
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: 'npm'
+      - run: npm ci
+      - run: npm run build
+      - uses: ./ # Uses the action in the root directory
+        continue-on-error: true
+        id: test
+        env:
+          NODE_USE_ENV_PROXY: "1"
+          https_proxy: http://127.0.0.1:9
+        with:
+          app-id: ${{ vars.TEST_APP_ID }}
+          private-key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
+      - name: Assert action failed through unreachable proxy
+        run: test "${{ steps.test.outcome }}" = "failure"
@@ -296,6 +296,24 @@ jobs:
          GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}
 ```

+### Proxy support
+
+This action relies on Node.js native proxy support.
+
+If you set `HTTP_PROXY` or `HTTPS_PROXY`, also set `NODE_USE_ENV_PROXY: "1"` on the action step so Node.js honors those variables. If you need proxy bypass rules, set `NO_PROXY` alongside them.
+
+```yaml
+- uses: actions/create-github-app-token@v3
+  id: app-token
+  env:
+    HTTPS_PROXY: http://proxy.example.com:8080
+    NO_PROXY: github.example.com
+    NODE_USE_ENV_PROXY: "1"
+  with:
+    app-id: ${{ vars.APP_ID }}
+    private-key: ${{ secrets.PRIVATE_KEY }}
+```
+
 ## Inputs

 ### `app-id`
@@ -1,41 +1,36 @@
 import core from "@actions/core";
 import { request } from "@octokit/request";
-import { ProxyAgent, fetch as undiciFetch } from "undici";

+// Get the GitHub API URL from the action input and remove any trailing slash
 const baseUrl = core.getInput("github-api-url").replace(/\/$/, "");

-// https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners
-const proxyUrl =
-  process.env.https_proxy ||
-  process.env.HTTPS_PROXY ||
-  process.env.http_proxy ||
-  process.env.HTTP_PROXY;
+const proxyEnvironmentKeys = [
+  "https_proxy",
+  "HTTPS_PROXY",
+  "http_proxy",
+  "HTTP_PROXY",
+];

-/* c8 ignore start */
-// Native support for proxies in Undici is under consideration: https://github.com/nodejs/undici/issues/1650
-// Until then, we need to use a custom fetch function to add proxy support.
-const proxyFetch = (url, options) => {
-  const urlHost = new URL(url).hostname;
-  const noProxy = (process.env.no_proxy || process.env.NO_PROXY || "").split(
-    ",",
-  );
+function proxyEnvironmentConfigured() {
+  return proxyEnvironmentKeys.some((key) => process.env[key]);
+}

-  if (!noProxy.includes(urlHost)) {
-    options = {
-      ...options,
-      dispatcher: new ProxyAgent(String(proxyUrl)),
-    };
+function nativeProxySupportEnabled() {
+  return process.env.NODE_USE_ENV_PROXY === "1";
+}
+
+export function ensureNativeProxySupport() {
+  if (!proxyEnvironmentConfigured() || nativeProxySupportEnabled()) {
+    return;
  }

-  return undiciFetch(url, options);
-};
-/* c8 ignore stop */
+  throw new Error(
+    "A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.",
+  );
+}

+// Configure the default settings for GitHub API requests
 export default request.defaults({
-  headers: {
-    "user-agent": "actions/create-github-app-token",
-  },
+  headers: { "user-agent": "actions/create-github-app-token" },
  baseUrl,
-  /* c8 ignore next */
-  request: proxyUrl ? { fetch: proxyFetch } : {},
 });
@@ -5,7 +5,7 @@ import { createAppAuth } from "@octokit/auth-app";

 import { getPermissionsFromInputs } from "./lib/get-permissions-from-inputs.js";
 import { main } from "./lib/main.js";
-import request from "./lib/request.js";
+import request, { ensureNativeProxySupport } from "./lib/request.js";

 if (!process.env.GITHUB_REPOSITORY) {
  throw new Error("GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'");
@@ -15,31 +15,37 @@ if (!process.env.GITHUB_REPOSITORY_OWNER) {
  throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
 }

-const appId = core.getInput("app-id");
-const privateKey = core.getInput("private-key");
-const owner = core.getInput("owner");
-const repositories = core
-  .getInput("repositories")
-  .split(/[\n,]+/)
-  .map((s) => s.trim())
-  .filter((x) => x !== "");
+async function run() {
+  ensureNativeProxySupport();

-const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
+  const appId = core.getInput("app-id");
+  const privateKey = core.getInput("private-key");
+  const owner = core.getInput("owner");
+  const repositories = core
+    .getInput("repositories")
+    .split(/[\n,]+/)
+    .map((s) => s.trim())
+    .filter((x) => x !== "");

-const permissions = getPermissionsFromInputs(process.env);
+  const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
+
+  const permissions = getPermissionsFromInputs(process.env);
+
+  return main(
+    appId,
+    privateKey,
+    owner,
+    repositories,
+    permissions,
+    core,
+    createAppAuth,
+    request,
+    skipTokenRevoke,
+  );
+}

 // Export promise for testing
-export default main(
-  appId,
-  privateKey,
-  owner,
-  repositories,
-  permissions,
-  core,
-  createAppAuth,
-  request,
-  skipTokenRevoke,
-).catch((error) => {
+export default run().catch((error) => {
  /* c8 ignore next 3 */
  console.error(error);
  core.setFailed(error.message);
@@ -1,19 +1,18 @@
 {
  "name": "create-github-app-token",
-  "version": "3.0.0-beta.1",
+  "version": "3.0.0-beta.3",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "create-github-app-token",
-      "version": "3.0.0-beta.1",
+      "version": "3.0.0-beta.3",
      "license": "MIT",
      "dependencies": {
        "@actions/core": "^1.11.1",
        "@octokit/auth-app": "^7.2.1",
        "@octokit/request": "^9.2.2",
-        "p-retry": "^6.2.1",
-        "undici": "^7.8.0"
+        "p-retry": "^6.2.1"
      },
      "devDependencies": {
        "@octokit/openapi": "^19.1.0",
@@ -24,6 +23,7 @@
        "esbuild": "^0.25.8",
        "execa": "^9.6.0",
        "open-cli": "^8.0.0",
+        "undici": "^7.13.0",
        "yaml": "^2.8.1"
      },
      "engines": {
@@ -3817,6 +3817,7 @@
      "version": "7.13.0",
      "resolved": "https://registry.npmjs.org/undici/-/undici-7.13.0.tgz",
      "integrity": "sha512-l+zSMssRqrzDcb3fjMkjjLGmuiiK2pMIcV++mJaAc9vhjSGpvM7h43QgP+OAMb1GImHmbPyG2tBXeuyG5iY4gA==",
+      "dev": true,
      "license": "MIT",
      "engines": {
        "node": ">=20.18.1"
@@ -2,7 +2,7 @@
  "name": "create-github-app-token",
  "private": true,
  "type": "module",
-  "version": "3.0.0-beta.1",
+  "version": "3.0.0-beta.3",
  "description": "GitHub Action for creating a GitHub App Installation Access Token",
  "engines": {
    "node": ">=24.4.0"
@@ -18,8 +18,7 @@
    "@actions/core": "^1.11.1",
    "@octokit/auth-app": "^7.2.1",
    "@octokit/request": "^9.2.2",
-    "p-retry": "^6.2.1",
-    "undici": "^7.8.0"
+    "p-retry": "^6.2.1"
  },
  "devDependencies": {
    "@octokit/openapi": "^19.1.0",
@@ -30,6 +29,7 @@
    "esbuild": "^0.25.8",
    "execa": "^9.6.0",
    "open-cli": "^8.0.0",
+    "undici": "^7.13.0",
    "yaml": "^2.8.1"
  },
  "release": {
@@ -46,7 +46,6 @@
      "@semantic-release/release-notes-generator",
      "@semantic-release/github",
      "@semantic-release/npm",
-      "semantic-release-plugin-github-breaking-version-tag",
      [
        "@semantic-release/git",
        {
@@ -3,9 +3,15 @@
 import core from "@actions/core";

 import { post } from "./lib/post.js";
-import request from "./lib/request.js";
+import request, { ensureNativeProxySupport } from "./lib/request.js";

-post(core, request).catch((error) => {
+async function run() {
+  ensureNativeProxySupport();
+
+  return post(core, request);
+}
+
+run().catch((error) => {
  /* c8 ignore next 3 */
  console.error(error);
  core.setFailed(error.message);
@@ -21,6 +21,14 @@ for (const file of testFiles) {
    const env = {
      GITHUB_OUTPUT: undefined,
      GITHUB_STATE: undefined,
+      HTTP_PROXY: undefined,
+      HTTPS_PROXY: undefined,
+      http_proxy: undefined,
+      https_proxy: undefined,
+      NO_PROXY: undefined,
+      no_proxy: undefined,
+      NODE_OPTIONS: undefined,
+      NODE_USE_ENV_PROXY: undefined,
    };
    const { stderr, stdout } = await execa("node", [`tests/${file}`], { env });
    t.snapshot(stderr, "stderr");
@@ -0,0 +1,14 @@
+process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+process.env.GITHUB_REPOSITORY_OWNER = "actions";
+process.env.HTTPS_PROXY = "http://127.0.0.1:3128";
+
+const originalConsoleError = console.error;
+console.error = (...args) => {
+  originalConsoleError(
+    ...args.map((arg) => (arg instanceof Error ? arg.message : arg)),
+  );
+};
+
+await import("../main.js");
+await new Promise((resolve) => setImmediate(resolve));
+process.exitCode = 0;
@@ -0,0 +1,13 @@
+process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+process.env.HTTPS_PROXY = "http://127.0.0.1:3128";
+
+const originalConsoleError = console.error;
+console.error = (...args) => {
+  originalConsoleError(
+    ...args.map((arg) => (arg instanceof Error ? arg.message : arg)),
+  );
+};
+
+await import("../post.js");
+await new Promise((resolve) => setImmediate(resolve));
+process.exitCode = 0;
@@ -82,6 +82,16 @@ Generated by [AVA](https://avajs.dev).
    POST /app/installations/123456/access_tokens␊
    {"repositories":["create-github-app-token"]}`

+## main-proxy-requires-native-support.test.js
+
+> stderr
+
+    'A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.'
+
+> stdout
+
+    '::error::A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.'
+
 ## main-repo-skew.test.js

 > stderr
@@ -333,6 +343,16 @@ Generated by [AVA](https://avajs.dev).
    POST /app/installations/123456/access_tokens␊
    {"repositories":["create-github-app-token"],"permissions":{"issues":"write","pull_requests":"read"}}`

+## post-proxy-requires-native-support.test.js
+
+> stderr
+
+    'A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.'
+
+> stdout
+
+    '::error::A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.'
+
 ## post-revoke-token-fail-response.test.js

 > stderr
Author	SHA1	Message	Date
semantic-release-bot	d28ad69b67	build(release): 3.0.0-beta.3 [skip ci] # [3.0.0-beta.3](https://github.com/actions/create-github-app-token/compare/v3.0.0-beta.2...v3.0.0-beta.3) (2026-03-13) ### Bug Fixes * require `NODE_USE_ENV_PROXY` for proxy support ([#342](https://github.com/actions/create-github-app-token/issues/342)) ([`54e58b6`](https://github.com/actions/create-github-app-token/commit/54e58b612c0c4e52564c3c87486532017ad95b22))	2026-03-13 06:19:27 +00:00
Parker Brown	54e58b612c	fix: require `NODE_USE_ENV_PROXY` for proxy support (#342 ) This PR switches proxy support to Node's native env-proxy handling and makes the required configuration explicit. ## What changed - fail fast in both `main` and `post` when proxy configuration is present without `NODE_USE_ENV_PROXY=1` - document the supported proxy configuration in `README.md` - add regression tests for the proxy guard in both entrypoints - keep the existing successful end-to-end coverage and add a smaller proxy-specific workflow check that enables native proxy support, points `https_proxy` at an unreachable proxy, and asserts the action fails - update the test workflow so the same checks also run on pushes to `beta` ## Proxy configuration When using `HTTP_PROXY` or `HTTPS_PROXY`, set `NODE_USE_ENV_PROXY=1` on the action step. If you need bypass rules, set `NO_PROXY` alongside them. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-03-12 23:18:56 -07:00
semantic-release-bot	bf559f8544	build(release): 3.0.0-beta.2 [skip ci] # [3.0.0-beta.2](https://github.com/actions/create-github-app-token/compare/v3.0.0-beta.1...v3.0.0-beta.2) (2025-08-22) ### Bug Fixes * remove custom proxy handling ([#143](https://github.com/actions/create-github-app-token/issues/143)) ([`cda91bf`](https://github.com/actions/create-github-app-token/commit/cda91bf2b93cf1d3306b458b2a4f7fcd9de9175f)), closes [#134](https://github.com/actions/create-github-app-token/issues/134)	2025-08-22 19:16:51 +00:00
Parker Brown	cda91bf2b9	fix: remove custom proxy handling (#143 ) Undici has added native support for proxy handling, so it is no longer necessary for us to have our own custom proxy handling. Reverts #102 and resolves #134.	2025-08-22 12:16:16 -07:00
Parker Brown	2ae58da528	Disable semantic-release-plugin-github-breaking-version-tag https://github.com/gr2m/semantic-release-plugin-update-version-in-files/issues/52	2025-08-15 13:03:02 -07:00