fix(revocation): avoid revoking expired tokens and fail gracefully (#95)

Fixes #72

If an Actions job is long enough, more than an hour can pass between
creating and revoking the App token in the post-job clean up step. Since
the token itself is used to authenticate with the revoke API, an expired
token will fail to be revoked.

This PR saves the token expiration in the actions state and uses that in
the post step to determine if the token can be revoked. I've also added
error handling to the revoke token API call, as it's unlikely that users
would want their job to fail if the token can't be revoked.
This commit is contained in:
Josh Gross
2024-01-19 10:45:12 -05:00
committed by GitHub
parent f04aa94d10
commit 0c014070f9
10 changed files with 155 additions and 21 deletions

View File

@@ -103,6 +103,7 @@ export async function main(
// Make token accessible to post function (so we can invalidate it)
if (!skipTokenRevoke) {
core.saveState("token", authentication.token);
core.setOutput("expiresAt", authentication.expiresAt);
}
}

View File

@@ -21,11 +21,31 @@ export async function post(core, request) {
return;
}
await request("DELETE /installation/token", {
headers: {
authorization: `token ${token}`,
},
});
const expiresAt = core.getState("expiresAt");
if (expiresAt && tokenExpiresIn(expiresAt) < 0) {
core.info("Token expired, skipping token revocation");
return;
}
core.info("Token revoked");
try {
await request("DELETE /installation/token", {
headers: {
authorization: `token ${token}`,
},
});
core.info("Token revoked");
} catch (error) {
core.warning(
`Token revocation failed: ${error.message}`)
}
}
/**
* @param {string} expiresAt
*/
function tokenExpiresIn(expiresAt) {
const now = new Date();
const expiresAtDate = new Date(expiresAt);
return Math.round((expiresAtDate.getTime() - now.getTime()) / 1000);
}