feat: add client-id input and deprecate app-id (#353)

GitHub now recommends using a GitHub App's Client ID for authentication.
This PR adds a first-class `client-id` input, keeps `app-id` available
for compatibility, and makes the migration path explicit in both runtime
behavior and documentation.

### Action inputs

- Adds a new `client-id` input
- Removes `required` from `app-id`
- Marks `app-id` as deprecated in `action.yml`

### Runtime behavior

- Updates input parsing to prefer `client-id`
- Falls back to `app-id` for existing workflows
- Adds a clear error when neither `client-id` nor `app-id` is provided

### Docs

- Updates the README to recommend `client-id`
- Switches usage examples to `client-id`
- Documents that `app-id` is deprecated and that `client-id` takes
precedence if both are set

### Regression coverage

- Adds a focused test proving a client-ID-shaped value works through the
new `client-id` input
- Adds coverage for the missing-ID validation path
- Updates snapshots to lock in the new metadata and runtime behavior

### Resulting usage

Users can migrate to the new input name directly:

```yaml
- uses: actions/create-github-app-token@v3
  with:
    client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
    private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}
```

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: parkerbxyz <17183625+parkerbxyz@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

tests/README.md

@@ -32,5 +32,5 @@ node --test --test-update-snapshots tests/index.js
 
 We have tests both for the `main.js` and `post.js` scripts.
 
-- If you do not expect an error, take [main-token-permissions-set.test.js](tests/main-token-permissions-set.test.js) as a starting point.
-- If your test has an expected error, take [main-missing-app-id.test.js](tests/main-missing-app-id.test.js) as a starting point.
+- If you do not expect an error, take [main-token-permissions-set.test.js](main-token-permissions-set.test.js) as a starting point.
+- If your test has an expected error, take [main-missing-client-and-app-id.test.js](main-missing-client-and-app-id.test.js) as a starting point.

tests/index.js.snapshot

@@ -1,3 +1,41 @@
+exports[`action-deprecated-inputs.test.js > stdout 1`] = `
+app-id — Use 'client-id' instead.
+`;
+
+exports[`main-app-id-fallback.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-client-id-precedence.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
 exports[`main-custom-github-api-url.test.js > stdout 1`] = `
 Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
       
@@ -17,6 +55,14 @@ POST /api/v3/app/installations/123456/access_tokens
 {"repositories":["create-github-app-token"]}
 `;
 
+exports[`main-missing-client-and-app-id.test.js > stderr 1`] = `
+Either 'client-id' or 'app-id' input must be set
+`;
+
+exports[`main-missing-client-and-app-id.test.js > stdout 1`] = `
+::error::Either 'client-id' or 'app-id' input must be set
+`;
+
 exports[`main-missing-owner.test.js > stderr 1`] = `
 GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'
 `;

tests/main-app-id-fallback.test.js

@@ -0,0 +1,11 @@
+import { DEFAULT_ENV, test } from "./main.js";
+
+// Verify `main` falls back to `app-id` when `client-id` is not set
+await test(
+  () => {},
+  {
+    ...DEFAULT_ENV,
+    "INPUT_CLIENT-ID": "",
+    "INPUT_APP-ID": "123456",
+  }
+);

tests/main-client-id-precedence.test.js

@@ -0,0 +1,11 @@
+import { DEFAULT_ENV, test } from "./main.js";
+
+// Verify `client-id` takes precedence when both `client-id` and `app-id` are set
+await test(
+  () => {},
+  {
+    ...DEFAULT_ENV,
+    "INPUT_CLIENT-ID": "Iv1.0123456789abcdef",
+    "INPUT_APP-ID": "123456",
+  }
+);

tests/main-missing-client-and-app-id.test.js

@@ -0,0 +1,20 @@
+import { DEFAULT_ENV } from "./main.js";
+
+for (const [key, value] of Object.entries({
+  ...DEFAULT_ENV,
+  "INPUT_CLIENT-ID": "",
+  "INPUT_APP-ID": "",
+})) {
+  process.env[key] = value;
+}
+
+// Log only the error message, not the full stack trace, because the stack
+// trace contains environment-specific paths and ANSI codes that differ
+// between local and CI environments.
+const _error = console.error;
+console.error = (err) => _error(err?.message ?? err);
+
+// Verify `main` exits with an error when neither `client-id` nor `app-id` is set.
+const { default: promise } = await import("../main.js");
+await promise;
+process.exitCode = 0;

tests/main.js

@@ -9,7 +9,7 @@ export const DEFAULT_ENV = {
   // https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
   "INPUT_GITHUB-API-URL": "https://api.github.com",
   "INPUT_SKIP-TOKEN-REVOKE": "false",
-  "INPUT_APP-ID": "123456",
+  "INPUT_CLIENT-ID": "Iv1.0123456789abcdef",
   // This key is invalidated. It’s from https://github.com/octokit/auth-app.js/issues/465#issuecomment-1564998327.
   "INPUT_PRIVATE-KEY": `-----BEGIN RSA PRIVATE KEY-----
 MIIEowIBAAKCAQEA280nfuUM9w00Ib9E2rvZJ6Qu3Ua3IqR34ZlK53vn/Iobn2EL