feat: add proxy support via child process spawning

When proxy environment variables (https_proxy, HTTPS_PROXY, http_proxy,
HTTP_PROXY) are detected and NODE_USE_ENV_PROXY is not already set to
"1", the action spawns a child process with NODE_USE_ENV_PROXY=1 to
enable Node.js native proxy support.

- Add lib/run-with-proxy.js shared utility for both main.js and post.js
- Update main.js and post.js to use runWithProxy() wrapper
- Add tests for proxy spawning, child error handling, and already-enabled path
- 100% code coverage maintained

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

dist/main.cjs

@@ -43492,11 +43492,11 @@ function createOAuthAppAuth(options) {
 }
 
 // node_modules/universal-github-app-jwt/lib/utils.js
-function isPkcs1(privateKey2) {
-  return privateKey2.includes("-----BEGIN RSA PRIVATE KEY-----");
+function isPkcs1(privateKey) {
+  return privateKey.includes("-----BEGIN RSA PRIVATE KEY-----");
 }
-function isOpenSsh(privateKey2) {
-  return privateKey2.includes("-----BEGIN OPENSSH PRIVATE KEY-----");
+function isOpenSsh(privateKey) {
+  return privateKey.includes("-----BEGIN OPENSSH PRIVATE KEY-----");
 }
 function string2ArrayBuffer(str) {
   const buf = new ArrayBuffer(str.length);
@@ -43537,17 +43537,17 @@ __export(crypto_node_exports, {
 });
 __reExport(crypto_node_exports, require("node:crypto"));
 var import_node_crypto = require("node:crypto");
-function convertPrivateKey(privateKey2) {
-  if (!isPkcs1(privateKey2)) return privateKey2;
-  return (0, import_node_crypto.createPrivateKey)(privateKey2).export({
+function convertPrivateKey(privateKey) {
+  if (!isPkcs1(privateKey)) return privateKey;
+  return (0, import_node_crypto.createPrivateKey)(privateKey).export({
     type: "pkcs8",
     format: "pem"
   });
 }
 
 // node_modules/universal-github-app-jwt/lib/get-token.js
-async function getToken({ privateKey: privateKey2, payload }) {
-  const convertedPrivateKey = convertPrivateKey(privateKey2);
+async function getToken({ privateKey, payload }) {
+  const convertedPrivateKey = convertPrivateKey(privateKey);
   if (isPkcs1(convertedPrivateKey)) {
     throw new Error(
       "[universal-github-app-jwt] Private Key is in PKCS#1 format, but only PKCS#8 is supported. See https://github.com/gr2m/universal-github-app-jwt#private-key-formats"
@@ -43585,10 +43585,10 @@ async function getToken({ privateKey: privateKey2, payload }) {
 // node_modules/universal-github-app-jwt/index.js
 async function githubAppJwt({
   id,
-  privateKey: privateKey2,
+  privateKey,
   now = Math.floor(Date.now() / 1e3)
 }) {
-  const privateKeyWithNewlines = privateKey2.replace(/\\n/g, "\n");
+  const privateKeyWithNewlines = privateKey.replace(/\\n/g, "\n");
   const nowWithSafetyMargin = now - 30;
   const expiration = nowWithSafetyMargin + 60 * 10;
   const payload = {
@@ -43746,24 +43746,24 @@ var LruObject = class {
 
 // node_modules/@octokit/auth-app/dist-node/index.js
 async function getAppAuthentication({
-  appId: appId2,
-  privateKey: privateKey2,
+  appId,
+  privateKey,
   timeDifference,
   createJwt
 }) {
   try {
     if (createJwt) {
-      const { jwt, expiresAt } = await createJwt(appId2, timeDifference);
+      const { jwt, expiresAt } = await createJwt(appId, timeDifference);
       return {
         type: "app",
         token: jwt,
-        appId: appId2,
+        appId,
         expiresAt
       };
     }
     const authOptions = {
-      id: appId2,
-      privateKey: privateKey2
+      id: appId,
+      privateKey
     };
     if (timeDifference) {
       Object.assign(authOptions, {
@@ -43778,7 +43778,7 @@ async function getAppAuthentication({
       expiresAt: new Date(appAuthentication.expiration * 1e3).toISOString()
     };
   } catch (error) {
-    if (privateKey2 === "-----BEGIN RSA PRIVATE KEY-----") {
+    if (privateKey === "-----BEGIN RSA PRIVATE KEY-----") {
       throw new Error(
         "The 'privateKey` option contains only the first line '-----BEGIN RSA PRIVATE KEY-----'. If you are setting it using a `.env` file, make sure it is set on a single line with newlines replaced by '\n'"
       );
@@ -43809,19 +43809,19 @@ async function get(cache, options) {
     permissionsString,
     singleFileName
   ] = result.split("|");
-  const permissions2 = options.permissions || permissionsString.split(/,/).reduce((permissions22, string) => {
+  const permissions = options.permissions || permissionsString.split(/,/).reduce((permissions2, string) => {
     if (/!$/.test(string)) {
-      permissions22[string.slice(0, -1)] = "write";
+      permissions2[string.slice(0, -1)] = "write";
     } else {
-      permissions22[string] = "read";
+      permissions2[string] = "read";
     }
-    return permissions22;
+    return permissions2;
   }, {});
   return {
     token,
     createdAt,
     expiresAt,
-    permissions: permissions2,
+    permissions,
     repositoryIds: options.repositoryIds,
     repositoryNames: options.repositoryNames,
     singleFileName,
@@ -43845,11 +43845,11 @@ async function set(cache, options, data) {
 }
 function optionsToCacheKey({
   installationId,
-  permissions: permissions2 = {},
+  permissions = {},
   repositoryIds = [],
   repositoryNames = []
 }) {
-  const permissionsString = Object.keys(permissions2).sort().map((name) => permissions2[name] === "read" ? name : `${name}!`).join(",");
+  const permissionsString = Object.keys(permissions).sort().map((name) => permissions[name] === "read" ? name : `${name}!`).join(",");
   const repositoryIdsString = repositoryIds.sort().join(",");
   const repositoryNamesString = repositoryNames.join(",");
   return [
@@ -43865,7 +43865,7 @@ function toTokenAuthentication({
   createdAt,
   expiresAt,
   repositorySelection,
-  permissions: permissions2,
+  permissions,
   repositoryIds,
   repositoryNames,
   singleFileName
@@ -43876,7 +43876,7 @@ function toTokenAuthentication({
       tokenType: "installation",
       token,
       installationId,
-      permissions: permissions2,
+      permissions,
       createdAt,
       expiresAt,
       repositorySelection
@@ -43929,7 +43929,7 @@ async function getInstallationAuthenticationImpl(state, options, request2) {
         token: token2,
         createdAt: createdAt2,
         expiresAt: expiresAt2,
-        permissions: permissions22,
+        permissions: permissions2,
         repositoryIds: repositoryIds2,
         repositoryNames: repositoryNames2,
         singleFileName: singleFileName2,
@@ -43940,7 +43940,7 @@ async function getInstallationAuthenticationImpl(state, options, request2) {
         token: token2,
         createdAt: createdAt2,
         expiresAt: expiresAt2,
-        permissions: permissions22,
+        permissions: permissions2,
         repositorySelection: repositorySelection2,
         repositoryIds: repositoryIds2,
         repositoryNames: repositoryNames2,
@@ -43973,7 +43973,7 @@ async function getInstallationAuthenticationImpl(state, options, request2) {
     data: {
       token,
       expires_at: expiresAt,
-      repositories: repositories2,
+      repositories,
       permissions: permissionsOptional,
       repository_selection: repositorySelectionOptional,
       single_file: singleFileName
@@ -43982,17 +43982,17 @@ async function getInstallationAuthenticationImpl(state, options, request2) {
     "POST /app/installations/{installation_id}/access_tokens",
     payload
   );
-  const permissions2 = permissionsOptional || {};
+  const permissions = permissionsOptional || {};
   const repositorySelection = repositorySelectionOptional || "all";
-  const repositoryIds = repositories2 ? repositories2.map((r) => r.id) : void 0;
-  const repositoryNames = repositories2 ? repositories2.map((repo) => repo.name) : void 0;
+  const repositoryIds = repositories ? repositories.map((r) => r.id) : void 0;
+  const repositoryNames = repositories ? repositories.map((repo) => repo.name) : void 0;
   const createdAt = (/* @__PURE__ */ new Date()).toISOString();
   const cacheOptions = {
     token,
     createdAt,
     expiresAt,
     repositorySelection,
-    permissions: permissions2,
+    permissions,
     repositoryIds,
     repositoryNames
   };
@@ -44006,7 +44006,7 @@ async function getInstallationAuthenticationImpl(state, options, request2) {
     createdAt,
     expiresAt,
     repositorySelection,
-    permissions: permissions2,
+    permissions,
     repositoryIds,
     repositoryNames
   };
@@ -44202,16 +44202,16 @@ function createAppAuth(options) {
 
 // lib/get-permissions-from-inputs.js
 function getPermissionsFromInputs(env) {
-  return Object.entries(env).reduce((permissions2, [key, value]) => {
-    if (!key.startsWith("INPUT_PERMISSION-")) return permissions2;
-    if (!value) return permissions2;
+  return Object.entries(env).reduce((permissions, [key, value]) => {
+    if (!key.startsWith("INPUT_PERMISSION-")) return permissions;
+    if (!value) return permissions;
     const permission = key.slice("INPUT_PERMISSION-".length).toLowerCase().replaceAll(/-/g, "_");
-    if (permissions2 === void 0) {
+    if (permissions === void 0) {
       return { [permission]: value };
     }
     return {
       // @ts-expect-error - needs to be typed correctly
-      ...permissions2,
+      ...permissions,
       [permission]: value
     };
   }, void 0);
@@ -44411,43 +44411,43 @@ async function pRetry(input, options = {}) {
 }
 
 // lib/main.js
-async function main(appId2, privateKey2, owner2, repositories2, permissions2, core3, createAppAuth2, request2, skipTokenRevoke2) {
+async function main(appId, privateKey, owner, repositories, permissions, core3, createAppAuth2, request2, skipTokenRevoke) {
   let parsedOwner = "";
   let parsedRepositoryNames = [];
-  if (!owner2 && repositories2.length === 0) {
-    const [owner3, repo] = String(process.env.GITHUB_REPOSITORY).split("/");
-    parsedOwner = owner3;
+  if (!owner && repositories.length === 0) {
+    const [owner2, repo] = String(process.env.GITHUB_REPOSITORY).split("/");
+    parsedOwner = owner2;
     parsedRepositoryNames = [repo];
     core3.info(
-      `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (${owner3}/${repo}).`
+      `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (${owner2}/${repo}).`
     );
   }
-  if (owner2 && repositories2.length === 0) {
-    parsedOwner = owner2;
+  if (owner && repositories.length === 0) {
+    parsedOwner = owner;
     core3.info(
-      `Input 'repositories' is not set. Creating token for all repositories owned by ${owner2}.`
+      `Input 'repositories' is not set. Creating token for all repositories owned by ${owner}.`
     );
   }
-  if (!owner2 && repositories2.length > 0) {
+  if (!owner && repositories.length > 0) {
     parsedOwner = String(process.env.GITHUB_REPOSITORY_OWNER);
-    parsedRepositoryNames = repositories2;
+    parsedRepositoryNames = repositories;
     core3.info(
-      `No 'owner' input provided. Using default owner '${parsedOwner}' to create token for the following repositories:${repositories2.map((repo) => `
+      `No 'owner' input provided. Using default owner '${parsedOwner}' to create token for the following repositories:${repositories.map((repo) => `
 - ${parsedOwner}/${repo}`).join("")}`
     );
   }
-  if (owner2 && repositories2.length > 0) {
-    parsedOwner = owner2;
-    parsedRepositoryNames = repositories2;
+  if (owner && repositories.length > 0) {
+    parsedOwner = owner;
+    parsedRepositoryNames = repositories;
     core3.info(
       `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
-      ${repositories2.map((repo) => `
+      ${repositories.map((repo) => `
 - ${parsedOwner}/${repo}`).join("")}`
     );
   }
   const auth5 = createAppAuth2({
-    appId: appId2,
-    privateKey: privateKey2,
+    appId,
+    privateKey,
     request: request2
   });
   let authentication, installationId, appSlug;
@@ -44458,7 +44458,7 @@ async function main(appId2, privateKey2, owner2, repositories2, permissions2, co
         auth5,
         parsedOwner,
         parsedRepositoryNames,
-        permissions2
+        permissions
       ),
       {
         shouldRetry: ({ error }) => error.status >= 500,
@@ -44474,7 +44474,7 @@ async function main(appId2, privateKey2, owner2, repositories2, permissions2, co
     ));
   } else {
     ({ authentication, installationId, appSlug } = await pRetry(
-      () => getTokenFromOwner(request2, auth5, parsedOwner, permissions2),
+      () => getTokenFromOwner(request2, auth5, parsedOwner, permissions),
       {
         onFailedAttempt: (context) => {
           core3.info(
@@ -44489,12 +44489,12 @@ async function main(appId2, privateKey2, owner2, repositories2, permissions2, co
   core3.setOutput("token", authentication.token);
   core3.setOutput("installation-id", installationId);
   core3.setOutput("app-slug", appSlug);
-  if (!skipTokenRevoke2) {
+  if (!skipTokenRevoke) {
     core3.saveState("token", authentication.token);
     core3.saveState("expiresAt", authentication.expiresAt);
   }
 }
-async function getTokenFromOwner(request2, auth5, parsedOwner, permissions2) {
+async function getTokenFromOwner(request2, auth5, parsedOwner, permissions) {
   const response = await request2("GET /users/{username}/installation", {
     username: parsedOwner,
     request: {
@@ -44504,13 +44504,13 @@ async function getTokenFromOwner(request2, auth5, parsedOwner, permissions2) {
   const authentication = await auth5({
     type: "installation",
     installationId: response.data.id,
-    permissions: permissions2
+    permissions
   });
   const installationId = response.data.id;
   const appSlug = response.data["app_slug"];
   return { authentication, installationId, appSlug };
 }
-async function getTokenFromRepository(request2, auth5, parsedOwner, parsedRepositoryNames, permissions2) {
+async function getTokenFromRepository(request2, auth5, parsedOwner, parsedRepositoryNames, permissions) {
   const response = await request2("GET /repos/{owner}/{repo}/installation", {
     owner: parsedOwner,
     repo: parsedRepositoryNames[0],
@@ -44522,7 +44522,7 @@ async function getTokenFromRepository(request2, auth5, parsedOwner, parsedReposi
     type: "installation",
     installationId: response.data.id,
     repositoryNames: parsedRepositoryNames,
-    permissions: permissions2
+    permissions
   });
   const installationId = response.data.id;
   const appSlug = response.data["app_slug"];
@@ -44556,6 +44556,36 @@ var request_default = request.defaults({
   request: proxyUrl ? { fetch: proxyFetch } : {}
 });
 
+// lib/run-with-proxy.js
+var import_node_child_process = require("node:child_process");
+async function runWithProxy(run) {
+  const httpProxyEnvVars = [
+    "https_proxy",
+    "HTTPS_PROXY",
+    "http_proxy",
+    "HTTP_PROXY"
+  ];
+  const nodeHasProxySupportEnabled = process.env.NODE_USE_ENV_PROXY === "1";
+  const shouldUseProxy = httpProxyEnvVars.some((v) => process.env[v]);
+  if (!nodeHasProxySupportEnabled && shouldUseProxy) {
+    return new Promise((resolve, reject) => {
+      const child = (0, import_node_child_process.spawn)(process.execPath, process.argv.slice(1), {
+        env: { ...process.env, NODE_USE_ENV_PROXY: "1" },
+        stdio: "inherit"
+      });
+      child.on("exit", (code) => {
+        process.exitCode = code;
+        if (code !== 0) {
+          reject(new Error(`Child process exited with code ${code}`));
+        } else {
+          resolve();
+        }
+      });
+    });
+  }
+  return run();
+}
+
 // main.js
 if (!process.env.GITHUB_REPOSITORY) {
   throw new Error("GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'");
@@ -44563,25 +44593,27 @@ if (!process.env.GITHUB_REPOSITORY) {
 if (!process.env.GITHUB_REPOSITORY_OWNER) {
   throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
 }
-var appId = import_core2.default.getInput("app-id");
-var privateKey = import_core2.default.getInput("private-key");
-var owner = import_core2.default.getInput("owner");
-var repositories = import_core2.default.getInput("repositories").split(/[\n,]+/).map((s) => s.trim()).filter((x) => x !== "");
-var skipTokenRevoke = import_core2.default.getBooleanInput("skip-token-revoke");
-var permissions = getPermissionsFromInputs(process.env);
-var main_default = main(
-  appId,
-  privateKey,
-  owner,
-  repositories,
-  permissions,
-  import_core2.default,
-  createAppAuth,
-  request_default,
-  skipTokenRevoke
-).catch((error) => {
-  console.error(error);
-  import_core2.default.setFailed(error.message);
+var main_default = runWithProxy(async () => {
+  const appId = import_core2.default.getInput("app-id");
+  const privateKey = import_core2.default.getInput("private-key");
+  const owner = import_core2.default.getInput("owner");
+  const repositories = import_core2.default.getInput("repositories").split(/[\n,]+/).map((s) => s.trim()).filter((x) => x !== "");
+  const skipTokenRevoke = import_core2.default.getBooleanInput("skip-token-revoke");
+  const permissions = getPermissionsFromInputs(process.env);
+  return main(
+    appId,
+    privateKey,
+    owner,
+    repositories,
+    permissions,
+    import_core2.default,
+    createAppAuth,
+    request_default,
+    skipTokenRevoke
+  ).catch((error) => {
+    console.error(error);
+    import_core2.default.setFailed(error.message);
+  });
 });
 /*! Bundled license information:
 

dist/post.cjs

@@ -7,6 +7,10 @@ var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __commonJS = (cb, mod) => function __require() {
   return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
 };
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 var __copyProps = (to, from, except, desc) => {
   if (from && typeof from === "object" || typeof from === "function") {
     for (let key of __getOwnPropNames(from))
@@ -23,6 +27,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
   mod
 ));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // node_modules/@actions/core/lib/utils.js
 var require_utils = __commonJS({
@@ -42325,6 +42330,11 @@ var require_undici2 = __commonJS({
 });
 
 // post.js
+var post_exports = {};
+__export(post_exports, {
+  default: () => post_default
+});
+module.exports = __toCommonJS(post_exports);
 var import_core2 = __toESM(require_core(), 1);
 
 // lib/post.js
@@ -42934,10 +42944,42 @@ var request_default = request.defaults({
   request: proxyUrl ? { fetch: proxyFetch } : {}
 });
 
+// lib/run-with-proxy.js
+var import_node_child_process = require("node:child_process");
+async function runWithProxy(run) {
+  const httpProxyEnvVars = [
+    "https_proxy",
+    "HTTPS_PROXY",
+    "http_proxy",
+    "HTTP_PROXY"
+  ];
+  const nodeHasProxySupportEnabled = process.env.NODE_USE_ENV_PROXY === "1";
+  const shouldUseProxy = httpProxyEnvVars.some((v) => process.env[v]);
+  if (!nodeHasProxySupportEnabled && shouldUseProxy) {
+    return new Promise((resolve, reject) => {
+      const child = (0, import_node_child_process.spawn)(process.execPath, process.argv.slice(1), {
+        env: { ...process.env, NODE_USE_ENV_PROXY: "1" },
+        stdio: "inherit"
+      });
+      child.on("exit", (code) => {
+        process.exitCode = code;
+        if (code !== 0) {
+          reject(new Error(`Child process exited with code ${code}`));
+        } else {
+          resolve();
+        }
+      });
+    });
+  }
+  return run();
+}
+
 // post.js
-post(import_core2.default, request_default).catch((error) => {
-  console.error(error);
-  import_core2.default.setFailed(error.message);
+var post_default = runWithProxy(async () => {
+  return post(import_core2.default, request_default).catch((error) => {
+    console.error(error);
+    import_core2.default.setFailed(error.message);
+  });
 });
 /*! Bundled license information:
 

lib/run-with-proxy.js

@@ -0,0 +1,44 @@
+// @ts-check
+
+import { spawn } from "node:child_process";
+
+/**
+ * Wraps a function to automatically enable Node.js proxy support when proxy
+ * environment variables are detected. If proxy env vars are set but
+ * `NODE_USE_ENV_PROXY` is not `"1"`, spawns a child process with
+ * `NODE_USE_ENV_PROXY=1` to enable native proxy support.
+ *
+ * @param {() => Promise<void>} run
+ * @returns {Promise<void>}
+ *
+ * @see https://github.com/nodejs/node/blob/4612c793cb9007a91cb3fd82afe518440473826e/lib/internal/process/pre_execution.js#L168-L187
+ */
+export async function runWithProxy(run) {
+  const httpProxyEnvVars = [
+    "https_proxy",
+    "HTTPS_PROXY",
+    "http_proxy",
+    "HTTP_PROXY",
+  ];
+  const nodeHasProxySupportEnabled = process.env.NODE_USE_ENV_PROXY === "1";
+  const shouldUseProxy = httpProxyEnvVars.some((v) => process.env[v]);
+
+  if (!nodeHasProxySupportEnabled && shouldUseProxy) {
+    return new Promise((resolve, reject) => {
+      const child = spawn(process.execPath, process.argv.slice(1), {
+        env: { ...process.env, NODE_USE_ENV_PROXY: "1" },
+        stdio: "inherit",
+      });
+      child.on("exit", (code) => {
+        process.exitCode = code;
+        if (code !== 0) {
+          reject(new Error(`Child process exited with code ${code}`));
+        } else {
+          resolve();
+        }
+      });
+    });
+  }
+
+  return run();
+}

main.js

@@ -6,6 +6,7 @@ import { createAppAuth } from "@octokit/auth-app";
 import { getPermissionsFromInputs } from "./lib/get-permissions-from-inputs.js";
 import { main } from "./lib/main.js";
 import request from "./lib/request.js";
+import { runWithProxy } from "./lib/run-with-proxy.js";
 
 if (!process.env.GITHUB_REPOSITORY) {
   throw new Error("GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'");
@@ -15,32 +16,34 @@ if (!process.env.GITHUB_REPOSITORY_OWNER) {
   throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
 }
 
-const appId = core.getInput("app-id");
-const privateKey = core.getInput("private-key");
-const owner = core.getInput("owner");
-const repositories = core
-  .getInput("repositories")
-  .split(/[\n,]+/)
-  .map((s) => s.trim())
-  .filter((x) => x !== "");
-
-const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
-
-const permissions = getPermissionsFromInputs(process.env);
-
 // Export promise for testing
-export default main(
-  appId,
-  privateKey,
-  owner,
-  repositories,
-  permissions,
-  core,
-  createAppAuth,
-  request,
-  skipTokenRevoke,
-).catch((error) => {
-  /* c8 ignore next 3 */
-  console.error(error);
-  core.setFailed(error.message);
+export default runWithProxy(async () => {
+  const appId = core.getInput("app-id");
+  const privateKey = core.getInput("private-key");
+  const owner = core.getInput("owner");
+  const repositories = core
+    .getInput("repositories")
+    .split(/[\n,]+/)
+    .map((s) => s.trim())
+    .filter((x) => x !== "");
+
+  const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
+
+  const permissions = getPermissionsFromInputs(process.env);
+
+  return main(
+    appId,
+    privateKey,
+    owner,
+    repositories,
+    permissions,
+    core,
+    createAppAuth,
+    request,
+    skipTokenRevoke,
+  ).catch((error) => {
+    /* c8 ignore next 3 */
+    console.error(error);
+    core.setFailed(error.message);
+  });
 });

post.js

@@ -4,9 +4,13 @@ import core from "@actions/core";
 
 import { post } from "./lib/post.js";
 import request from "./lib/request.js";
+import { runWithProxy } from "./lib/run-with-proxy.js";
 
-post(core, request).catch((error) => {
-  /* c8 ignore next 3 */
-  console.error(error);
-  core.setFailed(error.message);
+// Export promise for testing
+export default runWithProxy(async () => {
+  return post(core, request).catch((error) => {
+    /* c8 ignore next 3 */
+    console.error(error);
+    core.setFailed(error.message);
+  });
 });

tests/index.js

@@ -22,7 +22,15 @@ for (const file of testFiles) {
       GITHUB_OUTPUT: undefined,
       GITHUB_STATE: undefined,
     };
-    const { stderr, stdout } = await execa("node", [`tests/${file}`], { env });
+    const { stderr, stdout } = await execa(
+      "node",
+      [
+        "--experimental-test-module-mocks",
+        "--disable-warning=ExperimentalWarning",
+        `tests/${file}`,
+      ],
+      { env },
+    );
     t.snapshot(stderr, "stderr");
     t.snapshot(stdout, "stdout");
   });

tests/main-proxy-already-enabled.test.js

@@ -0,0 +1,20 @@
+// Verify that `runWithProxy()` calls the callback directly (no child process)
+// when `NODE_USE_ENV_PROXY` is already set to `"1"`, even with proxy env vars set.
+import assert from "node:assert";
+import { runWithProxy } from "../lib/run-with-proxy.js";
+
+process.env.https_proxy = "http://proxy.example.com";
+process.env.NODE_USE_ENV_PROXY = "1";
+
+let callbackCalled = false;
+
+await runWithProxy(async () => {
+  callbackCalled = true;
+});
+
+assert(callbackCalled, "callback was called directly without spawning");
+
+delete process.env.NODE_USE_ENV_PROXY;
+delete process.env.https_proxy;
+
+

tests/main-proxy-child-error.test.js

@@ -0,0 +1,30 @@
+// Verify that `main.js` rejects when the child process exits with a non-zero code.
+import assert from "node:assert";
+import { mock } from "node:test";
+
+mock.module("node:child_process", {
+  namedExports: {
+    spawn() {
+      return {
+        on(event, callback) {
+          if (event === "exit") callback(1);
+        },
+      };
+    },
+  },
+});
+
+process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+process.env.GITHUB_REPOSITORY_OWNER = "actions";
+process.env.https_proxy = "http://proxy.example.com";
+delete process.env.NODE_USE_ENV_PROXY;
+
+const { default: runPromise } = await import("../main.js");
+
+await assert.rejects(runPromise, {
+  message: "Child process exited with code 1",
+});
+assert.equal(process.exitCode, 1, "process exit code is 1");
+
+// Reset for other tests
+process.exitCode = 0;

tests/main-proxy-spawns-child.test.js

@@ -0,0 +1,36 @@
+// Verify that `main.js` spawns a child process when a proxy env var is set
+// and `NODE_USE_ENV_PROXY` is not set.
+import assert from "node:assert";
+import { mock } from "node:test";
+
+let spawnArgs;
+
+mock.module("node:child_process", {
+  namedExports: {
+    spawn(command, args, options) {
+      spawnArgs = { command, args, options };
+      return {
+        on(event, callback) {
+          if (event === "exit") callback(0);
+        },
+      };
+    },
+  },
+});
+
+process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+process.env.GITHUB_REPOSITORY_OWNER = "actions";
+process.env.https_proxy = "http://proxy.example.com";
+delete process.env.NODE_USE_ENV_PROXY;
+
+const { default: runPromise } = await import("../main.js");
+await runPromise;
+
+assert(spawnArgs, "spawn was called");
+assert.equal(
+  spawnArgs.options.env.NODE_USE_ENV_PROXY,
+  "1",
+  "NODE_USE_ENV_PROXY is set to '1' in child env",
+);
+assert.equal(spawnArgs.options.stdio, "inherit", "stdio is inherited");
+assert.equal(process.exitCode, 0, "process exit code is 0");

tests/post-proxy-already-enabled.test.js

@@ -0,0 +1,21 @@
+// Verify that `runWithProxy()` calls the callback directly (no child process)
+// when `NODE_USE_ENV_PROXY` is already set to `"1"`, even with proxy env vars set.
+// This ensures post.js would also follow the callback path.
+import assert from "node:assert";
+import { runWithProxy } from "../lib/run-with-proxy.js";
+
+process.env.HTTP_PROXY = "http://proxy.example.com";
+process.env.NODE_USE_ENV_PROXY = "1";
+
+let callbackCalled = false;
+
+await runWithProxy(async () => {
+  callbackCalled = true;
+});
+
+assert(callbackCalled, "callback was called directly without spawning");
+
+delete process.env.NODE_USE_ENV_PROXY;
+delete process.env.HTTP_PROXY;
+
+

tests/post-proxy-spawns-child.test.js

@@ -0,0 +1,34 @@
+// Verify that `post.js` spawns a child process when a proxy env var is set
+// and `NODE_USE_ENV_PROXY` is not set.
+import assert from "node:assert";
+import { mock } from "node:test";
+
+let spawnArgs;
+
+mock.module("node:child_process", {
+  namedExports: {
+    spawn(command, args, options) {
+      spawnArgs = { command, args, options };
+      return {
+        on(event, callback) {
+          if (event === "exit") callback(0);
+        },
+      };
+    },
+  },
+});
+
+process.env.https_proxy = "http://proxy.example.com";
+delete process.env.NODE_USE_ENV_PROXY;
+
+const { default: runPromise } = await import("../post.js");
+await runPromise;
+
+assert(spawnArgs, "spawn was called");
+assert.equal(
+  spawnArgs.options.env.NODE_USE_ENV_PROXY,
+  "1",
+  "NODE_USE_ENV_PROXY is set to '1' in child env",
+);
+assert.equal(spawnArgs.options.stdio, "inherit", "stdio is inherited");
+assert.equal(process.exitCode, 0, "process exit code is 0");

tests/snapshots/index.js.md

@@ -82,6 +82,36 @@ Generated by [AVA](https://avajs.dev).
     POST /app/installations/123456/access_tokens␊
     {"repositories":["create-github-app-token"]}`
 
+## main-proxy-already-enabled.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    ''
+
+## main-proxy-child-error.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    ''
+
+## main-proxy-spawns-child.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    ''
+
 ## main-repo-skew.test.js
 
 > stderr
@@ -333,6 +363,26 @@ Generated by [AVA](https://avajs.dev).
     POST /app/installations/123456/access_tokens␊
     {"repositories":["create-github-app-token"],"permissions":{"issues":"write","pull_requests":"read"}}`
 
+## post-proxy-already-enabled.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    ''
+
+## post-proxy-spawns-child.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    ''
+
 ## post-revoke-token-fail-response.test.js
 
 > stderr