Parker Brown
bc256c234b
The runner will automatically mask GitHub token formats it recognizes, but sometimes a new pattern rolls out before the runner is updated to recognize it.
63 lines
1.5 KiB
JavaScript
63 lines
1.5 KiB
JavaScript
// @ts-check
|
|
|
|
import core from "@actions/core";
|
|
import { createAppAuth } from "@octokit/auth-app";
|
|
import { request } from "@octokit/request";
|
|
|
|
/**
|
|
* @param {string} appId
|
|
* @param {string} privateKey
|
|
* @param {string} repository
|
|
* @param {core} core
|
|
* @param {createAppAuth} createAppAuth
|
|
* @param {request} request
|
|
*/
|
|
export async function main(
|
|
appId,
|
|
privateKey,
|
|
repository,
|
|
core,
|
|
createAppAuth,
|
|
request
|
|
) {
|
|
// Get owner and repo name from GITHUB_REPOSITORY
|
|
const [owner, repo] = repository.split("/");
|
|
|
|
const auth = createAppAuth({
|
|
appId,
|
|
privateKey,
|
|
});
|
|
|
|
const appAuthentication = await auth({
|
|
type: "app",
|
|
});
|
|
|
|
// Get the installation ID
|
|
// https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
|
|
const { data: installation } = await request(
|
|
"GET /repos/{owner}/{repo}/installation",
|
|
{
|
|
owner,
|
|
repo,
|
|
headers: {
|
|
authorization: `bearer ${appAuthentication.token}`,
|
|
},
|
|
}
|
|
);
|
|
|
|
// Create a new installation token
|
|
const authentication = await auth({
|
|
type: "installation",
|
|
installationId: installation.id,
|
|
repositoryNames: [repo],
|
|
});
|
|
|
|
// Register the token with the runner as a secret to ensure it is masked in logs
|
|
core.setSecret(authentication.token);
|
|
|
|
core.setOutput("token", authentication.token);
|
|
|
|
// Make token accessible to post function (so we can invalidate it)
|
|
core.saveState("token", authentication.token);
|
|
}
|