GitHub now recommends using a GitHub App's Client ID for authentication.
This PR adds a first-class `client-id` input, keeps `app-id` available
for compatibility, and makes the migration path explicit in both runtime
behavior and documentation.
### Action inputs
- Adds a new `client-id` input
- Removes `required` from `app-id`
- Marks `app-id` as deprecated in `action.yml`
### Runtime behavior
- Updates input parsing to prefer `client-id`
- Falls back to `app-id` for existing workflows
- Adds a clear error when neither `client-id` nor `app-id` is provided
### Docs
- Updates the README to recommend `client-id`
- Switches usage examples to `client-id`
- Documents that `app-id` is deprecated and that `client-id` takes
precedence if both are set
### Regression coverage
- Adds a focused test proving a client-ID-shaped value works through the
new `client-id` input
- Adds coverage for the missing-ID validation path
- Updates snapshots to lock in the new metadata and runtime behavior
### Resulting usage
Users can migrate to the new input name directly:
```yaml
- uses: actions/create-github-app-token@v3
with:
client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}
```
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: parkerbxyz <17183625+parkerbxyz@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Bumps [@octokit/openapi](https://github.com/octokit/openapi) from 19.1.0
to 21.0.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/octokit/openapi/releases"><code>@octokit/openapi</code>'s
releases</a>.</em></p>
<blockquote>
<h2>v20.0.0</h2>
<h1><a
href="https://github.com/octokit/openapi/compare/v19.1.0...v20.0.0">20.0.0</a>
(2025-09-16)</h1>
<h3>chore</h3>
<ul>
<li><strong>deps:</strong> update dependency sort-keys to v6 (<a
href="https://redirect.github.com/octokit/openapi/issues/500">#500</a>)
(<a
href="262f87fe98">262f87f</a>)</li>
</ul>
<h3>Features</h3>
<ul>
<li>new Projects v2 endpoints, new code scanning dismissal endpoints,
many other endpoints (<a
href="https://redirect.github.com/octokit/openapi/issues/503">#503</a>)
(<a
href="0b92729176">0b92729</a>)</li>
</ul>
<h3>BREAKING CHANGES</h3>
<ul>
<li><strong>deps:</strong> Remove GHES 3.13</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="262f87fe98"><code>262f87f</code></a>
chore(deps): update dependency sort-keys to v6 (<a
href="https://redirect.github.com/octokit/openapi/issues/500">#500</a>)</li>
<li><a
href="0b92729176"><code>0b92729</code></a>
feat: new Projects v2 endpoints, new code scanning dismissal endpoints,
many ...</li>
<li><a
href="a74dd44fb2"><code>a74dd44</code></a>
chore(deps): update dependency <code>@octokit/core</code> to v7 (<a
href="https://redirect.github.com/octokit/openapi/issues/496">#496</a>)</li>
<li><a
href="3a7a9ea8cc"><code>3a7a9ea</code></a>
build(deps): lock file maintenance (<a
href="https://redirect.github.com/octokit/openapi/issues/498">#498</a>)</li>
<li><a
href="d6be26fc7e"><code>d6be26f</code></a>
ci(action): update actions/checkout action to v5 (<a
href="https://redirect.github.com/octokit/openapi/issues/499">#499</a>)</li>
<li><a
href="6ae358ed6f"><code>6ae358e</code></a>
ci(action): update actions/setup-node action to v5 (<a
href="https://redirect.github.com/octokit/openapi/issues/502">#502</a>)</li>
<li><a
href="f02c5e21ba"><code>f02c5e2</code></a>
ci(action): update gr2m/release-notifier-action action to v2 (<a
href="https://redirect.github.com/octokit/openapi/issues/501">#501</a>)</li>
<li>See full diff in <a
href="https://github.com/octokit/openapi/compare/v19.1.0...v20.0.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
You can trigger a rebase of this PR by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
> **Note**
> Automatic rebases have been disabled on this pull request as it has
been open for over 30 days.
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Parker Brown <17183625+parkerbxyz@users.noreply.github.com>
This PR switches from evaluating values passed to `skip-token-revoke` as
true if they are truthy in JavaScript, to using `getBooleanInput`. This
change ensures that only proper YAML boolean values are recognized,
preventing unintended evaluations to true.
- The definition of `getBooleanInput` is here: definition of
`core#getBooealnInput` is here:
930c890727/packages/core/src/core.ts (L188-L208)
The documentation states, `"If truthy, the token will not be revoked
when the current job is complete"`, so this change could be considered a
breaking change. This means that if there are users who rely on `truthy`
and expect values like whitespace or `"false"` to be evaluated as true
(though this is likely rare), it would be a breaking change.
- `Boolean(" ")` and `Boolean("false")` are both evaluated as true.
Alternatively, it can simply be considered a fix. How to handle this is
up to the maintainer.
Resolves https://github.com/actions/create-github-app-token/issues/216
BREAKING CHANGE: Removed deprecated inputs (`app_id`, `private_key`, `skip_token_revoke`) and made `app-id` and `private-key` required in the action configuration.
- Load `app-permissions` from schema exported by `@octokit/openapi`
- Update documentation in README.md
- Implement the `permissions_*` inputs in the action code
---------
Co-authored-by: Parker Brown <17183625+parkerbxyz@users.noreply.github.com>
Resolves https://github.com/actions/create-github-app-token/issues/106
- Fixes the parsing to cope with whitespace in the input string.
- Allows the input to be comma or newline-separated. (I've done this for
all array-type inputs in my own actions, but I'm happy to remove this if
you only want to support comma-separated.)
- Added tests for parsing comma and newline-separated inputs.
It is convenient to use `https://api.github.com/users/$app_slug[bot]` to
obtain the corresponding account ID later.
Then build `Signed-off-by: $app_slug[bot]
<$id+$app_slug[bot]@users.noreply.github.com>`.
Currently, there is no Linux environment to build test snapshot files
Fixes#57
This PR implements the 3-step plan proposed by @gr2m in
https://github.com/actions/create-github-app-token/issues/57#issuecomment-1751272252:
> 1. Support both input types
> 2. Log a deprecation warning for the old notation
> 3. Add a test for deprecations
Although this PR supports both input formats simultaneously, I opted
_not_ to document the old format in the updated README. That’s a
decision I’m happy to revisit, if y’all would prefer to have
documentation for both the old and new formats.
Fixes https://github.com/actions/create-github-app-token/issues/55
Currently, `actions/create-github-app-token` always/unconditionally
revokes the installation access token in a `post` step, at the
completion of the current job. This prevents tokens from being used in
other jobs.
This PR makes this behavior configurable:
- When the `skip-token-revoke` input is not specified (i.e. by default),
the token is revoked in a `post` step (i.e. the current behavior).
- When the `skip-token-revoke` input is set to a truthy value (e.g.
`"true"`[^1]), the token is not revoked in a `post` step.
This PR adds a test for the `skip-token-revoke: "true"` case.
This is configurable in other app token actions, e.g.
[tibdex/github-app-token](3eb77c7243/README.md (L46-L47))
and
[wow-actions/use-app-token](cd772994fc/README.md (L132)).
[^1]: Note that `"false"` is also truthy: `Boolean("false")` is `true`.
If we think that’ll potentially confuse folks, I can require
`skip-token-revoke` to be set explicitly to `"true"`.
