feat: Add a skip_token_revoke input for configuring token revocation (#54)
Fixes https://github.com/actions/create-github-app-token/issues/55 Currently, `actions/create-github-app-token` always/unconditionally revokes the installation access token in a `post` step, at the completion of the current job. This prevents tokens from being used in other jobs. This PR makes this behavior configurable: - When the `skip-token-revoke` input is not specified (i.e. by default), the token is revoked in a `post` step (i.e. the current behavior). - When the `skip-token-revoke` input is set to a truthy value (e.g. `"true"`[^1]), the token is not revoked in a `post` step. This PR adds a test for the `skip-token-revoke: "true"` case. This is configurable in other app token actions, e.g. [tibdex/github-app-token](3eb77c7243/README.md (L46-L47)) and [wow-actions/use-app-token](cd772994fc/README.md (L132)). [^1]: Note that `"false"` is also truthy: `Boolean("false")` is `true`. If we think that’ll potentially confuse folks, I can require `skip-token-revoke` to be set explicitly to `"true"`.
This commit is contained in:
@@ -145,6 +145,10 @@ jobs:
|
||||
> [!NOTE]
|
||||
> If `owner` is set and `repositories` is empty, access will be scoped to all repositories in the provided repository owner's installation. If `owner` and `repositories` are empty, access will be scoped to only the current repository.
|
||||
|
||||
### `skip_token_revoke`
|
||||
|
||||
**Optional:** If truthy, the token will not be revoked when the current job is complete.
|
||||
|
||||
## Outputs
|
||||
|
||||
### `token`
|
||||
@@ -158,7 +162,7 @@ The action creates an installation access token using [the `POST /app/installati
|
||||
1. The token is scoped to the current repository or `repositories` if set.
|
||||
2. The token inherits all the installation's permissions.
|
||||
3. The token is set as output `token` which can be used in subsequent steps.
|
||||
4. The token is revoked in the `post` step of the action, which means it cannot be passed to another job.
|
||||
4. Unless the `skip_token_revoke` input is set to a truthy value, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
|
||||
5. The token is masked, it cannot be logged accidentally.
|
||||
|
||||
> [!NOTE]
|
||||
|
||||
Reference in New Issue
Block a user