build(release): 2.1.4 [skip ci]

## [2.1.4](https://github.com/actions/create-github-app-token/compare/v2.1.3...v2.1.4) (2025-09-13)

### Bug Fixes

* **deps:** bump @octokit/auth-app from 7.2.1 to 8.0.1 ([#257](https://github.com/actions/create-github-app-token/issues/257)) ([bef1eaf](https://github.com/actions/create-github-app-token/commit/bef1eaf1c0ac2b148ee2a0a74c65fbe6db0631f1))

.github/workflows/release.yml

@@ -24,7 +24,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version-file: package.json
+          node-version-file: .node-version
           cache: 'npm'
 
       - run: npm ci

.github/workflows/test.yml

@@ -4,7 +4,6 @@ on:
   push:
     branches:
       - main
-      - beta
   pull_request:
   workflow_dispatch:
 
@@ -24,7 +23,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version-file: package.json
+          node-version-file: .node-version
           cache: 'npm'
 
       - run: npm ci
@@ -34,13 +33,13 @@ jobs:
     name: End-to-End
     runs-on: ubuntu-latest
     # do not run from forks, as forks don’t have access to repository secrets
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
+    if: github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
     steps:
       - uses: actions/checkout@v5
       - uses: actions/setup-node@v4
         with:
-          node-version-file: package.json
-          cache: 'npm'
+          node-version: 20
+          cache: "npm"
       - run: npm ci
       - run: npm run build
       - uses: ./ # Uses the action in the root directory
@@ -55,28 +54,3 @@ jobs:
         with:
           route: GET /installation/repositories
       - run: echo '${{ steps.get-repository.outputs.data }}'
-
-  end-to-end-proxy:
-    name: End-to-End with unreachable proxy
-    runs-on: ubuntu-latest
-    # do not run from forks, as forks don’t have access to repository secrets
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
-    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: package.json
-          cache: 'npm'
-      - run: npm ci
-      - run: npm run build
-      - uses: ./ # Uses the action in the root directory
-        continue-on-error: true
-        id: test
-        env:
-          NODE_USE_ENV_PROXY: "1"
-          https_proxy: http://127.0.0.1:9
-        with:
-          app-id: ${{ vars.TEST_APP_ID }}
-          private-key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
-      - name: Assert action failed through unreachable proxy
-        run: test "${{ steps.test.outcome }}" = "failure"

.github/workflows/update-permission-inputs.yml

@@ -21,13 +21,13 @@ jobs:
       - uses: actions/checkout@v5
       - uses: actions/setup-node@v4
         with:
-          node-version-file: package.json
+          node-version-file: .node-version
           cache: 'npm'
       - name: Install dependencies
         run: npm ci
       - name: Run permission inputs update script
         run: node scripts/update-permission-inputs.js
       - name: Commit changes
-        uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
+        uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
         with:
           commit_message: 'feat: update permission inputs'

.node-version

@@ -0,0 +1 @@
+20.9.0

README.md

@@ -28,7 +28,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v3
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -47,13 +47,13 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v3
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           # required
           app-id: ${{ vars.APP_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           token: ${{ steps.app-token.outputs.token }}
           ref: ${{ github.head_ref }}
@@ -73,7 +73,7 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v3
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           # required
@@ -98,7 +98,7 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v3
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           # required
@@ -135,7 +135,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v3
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -157,7 +157,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v3
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -182,7 +182,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v3
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -207,7 +207,7 @@ jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v3
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -249,7 +249,7 @@ jobs:
         owners-and-repos: ${{ fromJson(needs.set-matrix.outputs.matrix) }}
 
     steps:
-      - uses: actions/create-github-app-token@v3
+      - uses: actions/create-github-app-token@v2
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
@@ -279,7 +279,7 @@ jobs:
     steps:
       - name: Create GitHub App token
         id: create_token
-        uses: actions/create-github-app-token@v3
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ vars.GHES_APP_ID }}
           private-key: ${{ secrets.GHES_APP_PRIVATE_KEY }}
@@ -296,24 +296,6 @@ jobs:
           GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}
 ```
 
-### Proxy support
-
-This action relies on Node.js native proxy support.
-
-If you set `HTTP_PROXY` or `HTTPS_PROXY`, also set `NODE_USE_ENV_PROXY: "1"` on the action step so Node.js honors those variables. If you need proxy bypass rules, set `NO_PROXY` alongside them.
-
-```yaml
-- uses: actions/create-github-app-token@v3
-  id: app-token
-  env:
-    HTTPS_PROXY: http://proxy.example.com:8080
-    NO_PROXY: github.example.com
-    NODE_USE_ENV_PROXY: "1"
-  with:
-    app-id: ${{ vars.APP_ID }}
-    private-key: ${{ secrets.PRIVATE_KEY }}
-```
-
 ## Inputs
 
 ### `app-id`
@@ -336,7 +318,7 @@ steps:
       echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
   - name: Generate GitHub App Token
     id: app-token
-    uses: actions/create-github-app-token@v3
+    uses: actions/create-github-app-token@v2
     with:
       app-id: ${{ vars.APP_ID }}
       private-key: ${{ steps.decode.outputs.private-key }}

action.yml

@@ -132,6 +132,6 @@ outputs:
   app-slug:
     description: "GitHub App slug"
 runs:
-  using: "node24"
+  using: "node20"
   main: "dist/main.cjs"
   post: "dist/post.cjs"

lib/request.js

@@ -1,36 +1,41 @@
 import core from "@actions/core";
 import { request } from "@octokit/request";
+import { ProxyAgent, fetch as undiciFetch } from "undici";
 
-// Get the GitHub API URL from the action input and remove any trailing slash
 const baseUrl = core.getInput("github-api-url").replace(/\/$/, "");
 
-const proxyEnvironmentKeys = [
-  "https_proxy",
-  "HTTPS_PROXY",
-  "http_proxy",
-  "HTTP_PROXY",
-];
+// https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/using-a-proxy-server-with-self-hosted-runners
+const proxyUrl =
+  process.env.https_proxy ||
+  process.env.HTTPS_PROXY ||
+  process.env.http_proxy ||
+  process.env.HTTP_PROXY;
 
-function proxyEnvironmentConfigured() {
-  return proxyEnvironmentKeys.some((key) => process.env[key]);
-}
+/* c8 ignore start */
+// Native support for proxies in Undici is under consideration: https://github.com/nodejs/undici/issues/1650
+// Until then, we need to use a custom fetch function to add proxy support.
+const proxyFetch = (url, options) => {
+  const urlHost = new URL(url).hostname;
+  const noProxy = (process.env.no_proxy || process.env.NO_PROXY || "").split(
+    ",",
+  );
 
-function nativeProxySupportEnabled() {
-  return process.env.NODE_USE_ENV_PROXY === "1";
-}
-
-export function ensureNativeProxySupport() {
-  if (!proxyEnvironmentConfigured() || nativeProxySupportEnabled()) {
-    return;
+  if (!noProxy.includes(urlHost)) {
+    options = {
+      ...options,
+      dispatcher: new ProxyAgent(String(proxyUrl)),
+    };
   }
 
-  throw new Error(
-    "A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.",
-  );
-}
+  return undiciFetch(url, options);
+};
+/* c8 ignore stop */
 
-// Configure the default settings for GitHub API requests
 export default request.defaults({
-  headers: { "user-agent": "actions/create-github-app-token" },
+  headers: {
+    "user-agent": "actions/create-github-app-token",
+  },
   baseUrl,
+  /* c8 ignore next */
+  request: proxyUrl ? { fetch: proxyFetch } : {},
 });

main.js

@@ -5,7 +5,7 @@ import { createAppAuth } from "@octokit/auth-app";
 
 import { getPermissionsFromInputs } from "./lib/get-permissions-from-inputs.js";
 import { main } from "./lib/main.js";
-import request, { ensureNativeProxySupport } from "./lib/request.js";
+import request from "./lib/request.js";
 
 if (!process.env.GITHUB_REPOSITORY) {
   throw new Error("GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'");
@@ -15,37 +15,31 @@ if (!process.env.GITHUB_REPOSITORY_OWNER) {
   throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
 }
 
-async function run() {
-  ensureNativeProxySupport();
+const appId = core.getInput("app-id");
+const privateKey = core.getInput("private-key");
+const owner = core.getInput("owner");
+const repositories = core
+  .getInput("repositories")
+  .split(/[\n,]+/)
+  .map((s) => s.trim())
+  .filter((x) => x !== "");
 
-  const appId = core.getInput("app-id");
-  const privateKey = core.getInput("private-key");
-  const owner = core.getInput("owner");
-  const repositories = core
-    .getInput("repositories")
-    .split(/[\n,]+/)
-    .map((s) => s.trim())
-    .filter((x) => x !== "");
+const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
 
-  const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
-
-  const permissions = getPermissionsFromInputs(process.env);
-
-  return main(
-    appId,
-    privateKey,
-    owner,
-    repositories,
-    permissions,
-    core,
-    createAppAuth,
-    request,
-    skipTokenRevoke,
-  );
-}
+const permissions = getPermissionsFromInputs(process.env);
 
 // Export promise for testing
-export default run().catch((error) => {
+export default main(
+  appId,
+  privateKey,
+  owner,
+  repositories,
+  permissions,
+  core,
+  createAppAuth,
+  request,
+  skipTokenRevoke,
+).catch((error) => {
   /* c8 ignore next 3 */
   console.error(error);
   core.setFailed(error.message);

package.json

@@ -2,13 +2,10 @@
   "name": "create-github-app-token",
   "private": true,
   "type": "module",
-  "version": "3.0.0-beta.3",
+  "version": "2.1.4",
   "description": "GitHub Action for creating a GitHub App Installation Access Token",
-  "engines": {
-    "node": ">=24.4.0"
-  },
   "scripts": {
-    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --packages=bundle",
+    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0 --packages=bundle",
     "test": "c8 --100 ava tests/index.js",
     "coverage": "c8 report --reporter html",
     "postcoverage": "open-cli coverage/index.html"
@@ -16,9 +13,10 @@
   "license": "MIT",
   "dependencies": {
     "@actions/core": "^1.11.1",
-    "@octokit/auth-app": "^7.2.1",
-    "@octokit/request": "^9.2.2",
-    "p-retry": "^6.2.1"
+    "@octokit/auth-app": "^8.1.0",
+    "@octokit/request": "^10.0.3",
+    "p-retry": "^6.2.1",
+    "undici": "^7.16.0"
   },
   "devDependencies": {
     "@octokit/openapi": "^19.1.0",
@@ -29,7 +27,6 @@
     "esbuild": "^0.25.8",
     "execa": "^9.6.0",
     "open-cli": "^8.0.0",
-    "undici": "^7.13.0",
     "yaml": "^2.8.1"
   },
   "release": {
@@ -46,6 +43,7 @@
       "@semantic-release/release-notes-generator",
       "@semantic-release/github",
       "@semantic-release/npm",
+      "semantic-release-plugin-github-breaking-version-tag",
       [
         "@semantic-release/git",
         {

post.js

@@ -3,15 +3,9 @@
 import core from "@actions/core";
 
 import { post } from "./lib/post.js";
-import request, { ensureNativeProxySupport } from "./lib/request.js";
+import request from "./lib/request.js";
 
-async function run() {
-  ensureNativeProxySupport();
-
-  return post(core, request);
-}
-
-run().catch((error) => {
+post(core, request).catch((error) => {
   /* c8 ignore next 3 */
   console.error(error);
   core.setFailed(error.message);

tests/index.js

@@ -21,14 +21,6 @@ for (const file of testFiles) {
     const env = {
       GITHUB_OUTPUT: undefined,
       GITHUB_STATE: undefined,
-      HTTP_PROXY: undefined,
-      HTTPS_PROXY: undefined,
-      http_proxy: undefined,
-      https_proxy: undefined,
-      NO_PROXY: undefined,
-      no_proxy: undefined,
-      NODE_OPTIONS: undefined,
-      NODE_USE_ENV_PROXY: undefined,
     };
     const { stderr, stdout } = await execa("node", [`tests/${file}`], { env });
     t.snapshot(stderr, "stderr");

tests/main-proxy-requires-native-support.test.js

@@ -1,14 +0,0 @@
-process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
-process.env.GITHUB_REPOSITORY_OWNER = "actions";
-process.env.HTTPS_PROXY = "http://127.0.0.1:3128";
-
-const originalConsoleError = console.error;
-console.error = (...args) => {
-  originalConsoleError(
-    ...args.map((arg) => (arg instanceof Error ? arg.message : arg)),
-  );
-};
-
-await import("../main.js");
-await new Promise((resolve) => setImmediate(resolve));
-process.exitCode = 0;

tests/post-proxy-requires-native-support.test.js

@@ -1,13 +0,0 @@
-process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
-process.env.HTTPS_PROXY = "http://127.0.0.1:3128";
-
-const originalConsoleError = console.error;
-console.error = (...args) => {
-  originalConsoleError(
-    ...args.map((arg) => (arg instanceof Error ? arg.message : arg)),
-  );
-};
-
-await import("../post.js");
-await new Promise((resolve) => setImmediate(resolve));
-process.exitCode = 0;

tests/snapshots/index.js.md

@@ -82,16 +82,6 @@ Generated by [AVA](https://avajs.dev).
     POST /app/installations/123456/access_tokens␊
     {"repositories":["create-github-app-token"]}`
 
-## main-proxy-requires-native-support.test.js
-
-> stderr
-
-    'A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.'
-
-> stdout
-
-    '::error::A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.'
-
 ## main-repo-skew.test.js
 
 > stderr
@@ -343,16 +333,6 @@ Generated by [AVA](https://avajs.dev).
     POST /app/installations/123456/access_tokens␊
     {"repositories":["create-github-app-token"],"permissions":{"issues":"write","pull_requests":"read"}}`
 
-## post-proxy-requires-native-support.test.js
-
-> stderr
-
-    'A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.'
-
-> stdout
-
-    '::error::A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.'
-
 ## post-revoke-token-fail-response.test.js
 
 > stderr