docs: use APP_ prefix instead of reserved GITHUB_ prefix (#363)

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @actions/create-github-app-token-maintainers

.github/dependabot.yml

@@ -0,0 +1,30 @@
+version: 2
+updates:
+  - package-ecosystem: 'npm'
+    directory: '/'
+    schedule:
+      interval: 'monthly'
+    groups:
+      production-dependencies:
+        dependency-type: 'production'
+        update-types:
+          - minor
+          - patch
+      development-dependencies:
+        dependency-type: 'development'
+        update-types:
+          - minor
+          - patch
+    commit-message:
+      prefix: 'fix'
+      prefix-development: 'build'
+      include: 'scope'
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'monthly'
+    groups:
+      github-actions:
+        update-types:
+          - minor
+          - patch

.github/workflows/release.yml

@@ -1,8 +1,11 @@
 name: release
-"on":
+
+on:
   push:
     branches:
+      - "*.x"
       - main
+      - beta
 
 permissions:
   contents: write
@@ -14,24 +17,24 @@ jobs:
     name: release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      # build local version to create token
+      - uses: actions/checkout@v6
         with:
-          cache: npm
-          node-version: lts/*
+          persist-credentials: false
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version-file: package.json
+
       - run: npm ci
       - run: npm run build
-      - uses: ./ # Uses the action in the root directory
+      - uses: ./
         id: app-token
         with:
-          app_id: ${{ vars.RELEASER_APP_ID }}
-          private_key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
-
-      - id: commit
-        uses: stefanzweifel/git-auto-commit-action@v4
-        with:
-          commit_message: "build: update dist files"
-      - run: npm i semantic-release-plugin-github-breaking-version-tag
-      - run: npx semantic-release
+          app-id: ${{ vars.RELEASER_APP_ID }}
+          private-key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
+      # install release dependencies and release
+      - run: npm install --no-save @semantic-release/git semantic-release-plugin-github-breaking-version-tag
+      - run: npx semantic-release --debug
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/stale.yml

@@ -0,0 +1,34 @@
+# This workflow warns and then closes issues that have had no activity for a specified amount of time.
+# https://github.com/actions/stale
+
+name: Stale
+
+on:
+  workflow_dispatch:
+  schedule:
+    # 00:00 UTC on Mondays
+    - cron: '0 0 * * 1'
+
+permissions:
+  issues: write
+  pull-requests: write
+
+env:
+  DAYS_BEFORE_STALE: 180
+  DAYS_BEFORE_CLOSE: 60
+  STALE_LABEL: 'stale'
+  STALE_LABEL_URL: ${{github.server_url}}/${{github.repository}}/labels/stale
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v10
+        with:
+          operations-per-run: 100
+          days-before-stale: ${{ env.DAYS_BEFORE_STALE }}
+          days-before-close: ${{ env.DAYS_BEFORE_CLOSE }}
+          stale-issue-label: ${{ env.STALE_LABEL }}
+          stale-pr-label: ${{ env.STALE_LABEL }}
+          stale-issue-message: 'This issue has been marked ${{ env.STALE_LABEL_URL }} because it has been open for ${{ env.DAYS_BEFORE_STALE }} days with no activity. Please close this issue if it is no longer needed. If this issue is still relevant and you would like it to remain open, simply update it within the next ${{ env.DAYS_BEFORE_CLOSE }} days.'
+          stale-pr-message: 'This pull request has been marked ${{ env.STALE_LABEL_URL }} because it has been open for ${{ env.DAYS_BEFORE_STALE }} days with no activity. Please close this pull request if it is no longer needed. If this pull request is still relevant and you would like it to remain open, simply update it within the next ${{ env.DAYS_BEFORE_CLOSE }} days.'

.github/workflows/test.yml

@@ -1,25 +1,81 @@
-on: [push]
+name: test
+
+on:
+  push:
+    branches:
+      - main
+      - beta
+  pull_request:
+  merge_group:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
 
 jobs:
-  demo:
+  integration:
+    name: integration
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
         with:
-          node-version: '16.16'
+          node-version-file: package.json
+
+      - run: npm ci
+      - run: npm test
+
+  end-to-end:
+    name: end-to-end
+    runs-on: ubuntu-latest
+    # do not run from forks, as forks don’t have access to repository secrets
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version-file: package.json
+      - run: npm ci
+      - run: npm run build
+      - uses: ./ # Uses the action in the root directory
+        id: test
+        with:
+          app-id: ${{ vars.TEST_APP_ID }}
+          private-key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
+      - uses: octokit/request-action@v2.x
+        id: get-repository
+        env:
+          GITHUB_TOKEN: ${{ steps.test.outputs.token }}
+        with:
+          route: GET /installation/repositories
+      - run: echo '${{ steps.get-repository.outputs.data }}'
+
+  end-to-end-proxy:
+    name: end-to-end with unreachable proxy
+    runs-on: ubuntu-latest
+    # do not run from forks, as forks don’t have access to repository secrets
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.event.pull_request.base.repo.owner.login
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version-file: package.json
           cache: 'npm'
       - run: npm ci
       - run: npm run build
       - uses: ./ # Uses the action in the root directory
-        id: demo
-        with:
-          app_id: ${{ secrets.APP_ID }}
-          private_key: ${{ secrets.PRIVATE_KEY }}
-      - uses: octokit/request-action@v2.x
-        id: get-repository
+        continue-on-error: true
+        id: test
         env:
-          GITHUB_TOKEN: ${{ steps.demo.outputs.token }}
+          NODE_USE_ENV_PROXY: "1"
+          https_proxy: http://127.0.0.1:9
         with:
-          route: GET /installation/repositories
-      - run: echo '${{ steps.get-repository.outputs.data }}'
+          app-id: ${{ vars.TEST_APP_ID }}
+          private-key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
+      - name: Assert action failed through unreachable proxy
+        run: test "${{ steps.test.outcome }}" = "failure"

.github/workflows/update-permission-inputs.yml

@@ -0,0 +1,42 @@
+name: Update Permission Inputs
+
+on:
+  pull_request:
+    paths:
+      - 'package.json'
+      - 'package-lock.json'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-permission-inputs:
+    runs-on: ubuntu-latest
+    env:
+      COMMIT_MESSAGE: 'feat: update permission inputs'
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version-file: package.json
+      - name: Install dependencies
+        run: npm ci
+      - name: Run permission inputs update script
+        run: node scripts/update-permission-inputs.js
+      - name: Commit changes
+        id: auto-commit
+        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
+        with:
+          commit_message: ${{ env.COMMIT_MESSAGE }}
+      - name: Update PR title
+        if: github.event_name == 'pull_request' && steps.auto-commit.outputs.changes_detected == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr edit ${{ github.event.pull_request.number }} --title "${{ env.COMMIT_MESSAGE }}"

.gitignore

@@ -1,2 +1,3 @@
-node_modules/
 .env
+coverage
+node_modules/

CONTRIBUTING.md

@@ -0,0 +1,15 @@
+# Contributing
+
+Initial setup
+
+```console
+npm install
+```
+
+Run tests locally
+
+```console
+npm test
+```
+
+Learn more about how the tests work in [tests/README.md](tests/README.md).

README.md

@@ -1,52 +1,41 @@
-# `gr2m/github-app-token-action`
+# Create GitHub App Token
 
-> GitHub Action for creating a GitHub App Installation Access Token
+[![test](https://github.com/actions/create-github-app-token/actions/workflows/test.yml/badge.svg)](https://github.com/actions/create-github-app-token/actions/workflows/test.yml)
+
+GitHub Action for creating a GitHub App installation access token.
 
 ## Usage
 
 In order to use this action, you need to:
 
-1. [Register new GitHub App](https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app)
-2. [Store the App's ID in your repository environment variables](https://docs.github.com/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_ID`)
-3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets?tool=webui#creating-encrypted-secrets-for-a-repository) (example: `PRIVATE_KEY`)
+1. [Register new GitHub App](https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app).
+2. [Store the App's Client ID in your repository variables](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_CLIENT_ID`).
+3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets?tool=webui#creating-secrets-for-a-repository) (example: `APP_PRIVATE_KEY`).
 
-### Minimal usage
+> [!IMPORTANT]
+> An installation access token expires after 1 hour. Please [see this comment](https://github.com/actions/create-github-app-token/issues/121#issuecomment-2043214796) for alternative approaches if you have long-running processes.
+
+### Create a token for the current repository
 
 ```yaml
-on: [issues]
+name: Run tests on staging
+on:
+  push:
+    branches:
+      - main
 
 jobs:
   hello-world:
     runs-on: ubuntu-latest
     steps:
-      - uses: gr2m/github-app-token-action@v1
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
-          app_id: ${{ vars.APP_ID }}
-          private_key: ${{ secrets.PRIVATE_KEY }}
-      - uses: peter-evans/create-or-update-comment@v3
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+      - uses: ./actions/staging-tests
         with:
           token: ${{ steps.app-token.outputs.token }}
-          issue-number: ${{ github.event.issue.number }}
-          body: "Hello, World!"
-```
-
-### Limit the app's permissions and access to repositories
-
-```yaml
-on: [issues]
-
-jobs:
-  with-scoped-token:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: gr2m/github-app-token-action@v1
-        id: app-token
-        with:
-          # required
-          app_id: ${{ vars.APP_ID }}
-          private_key: ${{ secrets.PRIVATE_KEY }}
-      # do something with the token
 ```
 
 ### Use app token with `actions/checkout`
@@ -58,52 +47,360 @@ jobs:
   auto-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: gr2m/github-app-token-action@v1
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           # required
-          app_id: ${{ vars.APP_ID }}
-          private_key: ${{ secrets.PRIVATE_KEY }}
-      - uses: actions/checkout@v3
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v6
         with:
           token: ${{ steps.app-token.outputs.token }}
           ref: ${{ github.head_ref }}
           # Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
           persist-credentials: false
-      - uses: creyD/prettier_action@v4.3
+      - uses: creyD/prettier_action@v6
         with:
           github_token: ${{ steps.app-token.outputs.token }}
 ```
 
+### Create a git committer string for an app installation
+
+```yaml
+on: [pull_request]
+
+jobs:
+  auto-format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          # required
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - id: committer
+        run: echo "string=${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"  >> "$GITHUB_OUTPUT"
+      - run: echo "committer string is ${{ steps.committer.outputs.string }}"
+```
+
+### Configure git CLI for an app's bot user
+
+```yaml
+on: [pull_request]
+
+jobs:
+  auto-format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          # required
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+      # git commands like commit work using the bot user
+      - run: |
+          git add .
+          git commit -m "Auto-generated changes"
+          git push
+```
+
+> [!TIP]
+> The `<BOT USER ID>` is the numeric user ID of the app's bot user, which can be found under `https://api.github.com/users/<app-slug>%5Bbot%5D`.
+>
+> For example, we can check at `https://api.github.com/users/dependabot[bot]` to see the user ID of Dependabot is 49699333.
+>
+> Alternatively, you can use the [octokit/request-action](https://github.com/octokit/request-action) to get the ID.
+
+### Create a token for all repositories in the current owner's installation
+
+```yaml
+on: [workflow_dispatch]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+      - uses: peter-evans/create-or-update-comment@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          issue-number: ${{ github.event.issue.number }}
+          body: "Hello, World!"
+```
+
+### Create a token for multiple repositories in the current owner's installation
+
+```yaml
+on: [issues]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: |
+            repo1
+            repo2
+      - uses: peter-evans/create-or-update-comment@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          issue-number: ${{ github.event.issue.number }}
+          body: "Hello, World!"
+```
+
+### Create a token for all repositories in another owner's installation
+
+```yaml
+on: [issues]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: another-owner
+      - uses: peter-evans/create-or-update-comment@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          issue-number: ${{ github.event.issue.number }}
+          body: "Hello, World!"
+```
+
+### Create a token with specific permissions
+
+> [!NOTE]
+> Selected permissions must be granted to the installation of the specified app and repository owner. Setting a permission that the installation does not have will result in an error.
+
+```yaml
+on: [issues]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          permission-issues: write
+      - uses: peter-evans/create-or-update-comment@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          issue-number: ${{ github.event.issue.number }}
+          body: "Hello, World!"
+```
+
+### Create tokens for multiple user or organization accounts
+
+You can use a matrix strategy to create tokens for multiple user or organization accounts.
+
+> [!NOTE]
+> See [this documentation](https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings) for information on using multiline strings in workflows.
+
+```yaml
+on: [workflow_dispatch]
+
+jobs:
+  set-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set.outputs.matrix }}
+    steps:
+      - id: set
+        run: echo 'matrix=[{"owner":"owner1"},{"owner":"owner2","repos":["repo1"]}]' >>"$GITHUB_OUTPUT"
+
+  use-matrix:
+    name: "@${{ matrix.owners-and-repos.owner }} installation"
+    needs: [set-matrix]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        owners-and-repos: ${{ fromJson(needs.set-matrix.outputs.matrix) }}
+
+    steps:
+      - uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: ${{ matrix.owners-and-repos.owner }}
+          repositories: ${{ join(matrix.owners-and-repos.repos) }}
+      - uses: octokit/request-action@v2.x
+        id: get-installation-repositories
+        with:
+          route: GET /installation/repositories
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+      - run: echo "$MULTILINE_JSON_STRING"
+        env:
+          MULTILINE_JSON_STRING: ${{ steps.get-installation-repositories.outputs.data }}
+```
+
+### Run the workflow in a github.com repository against an organization in GitHub Enterprise Server
+
+```yaml
+on: [push]
+
+jobs:
+  create_issue:
+    runs-on: self-hosted
+
+    steps:
+      - name: Create GitHub App token
+        id: create_token
+        uses: actions/create-github-app-token@v3
+        with:
+          client-id: ${{ vars.GHES_APP_CLIENT_ID }}
+          private-key: ${{ secrets.GHES_APP_PRIVATE_KEY }}
+          owner: ${{ vars.GHES_INSTALLATION_ORG }}
+          github-api-url: ${{ vars.GITHUB_API_URL }}
+
+      - name: Create issue
+        uses: octokit/request-action@v2.x
+        with:
+          route: POST /repos/${{ github.repository }}/issues
+          title: "New issue from workflow"
+          body: "This is a new issue created from a GitHub Action workflow."
+        env:
+          GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}
+```
+
+### Proxy support
+
+This action relies on Node.js native proxy support.
+
+If you set `HTTP_PROXY` or `HTTPS_PROXY`, also set `NODE_USE_ENV_PROXY: "1"` on the action step so Node.js honors those variables. If you need proxy bypass rules, set `NO_PROXY` alongside them.
+
+```yaml
+- uses: actions/create-github-app-token@v3
+  id: app-token
+  env:
+    HTTPS_PROXY: http://proxy.example.com:8080
+    NO_PROXY: github.example.com
+    NODE_USE_ENV_PROXY: "1"
+  with:
+    client-id: ${{ vars.APP_CLIENT_ID }}
+    private-key: ${{ secrets.APP_PRIVATE_KEY }}
+```
+
 ## Inputs
 
-### `app_id`
+### `client-id` or `app-id`
 
-**Required:** GitHub app ID.
+**Required:** GitHub App Client ID.
 
-### `private_key`
+> [!NOTE]
+> The legacy `app-id` input is also accepted, but `client-id` is recommended.
 
-**Required:** GitHub app private key.
+### `private-key`
+
+**Required:** GitHub App private key. Escaped newlines (`\\n`) will be automatically replaced with actual newlines.
+
+Some other actions may require the private key to be Base64 encoded. To avoid recreating a new secret, it can be decoded on the fly, but it needs to be managed securely. Here is an example of how this can be achieved:
+
+```yaml
+steps:
+  - name: Decode the GitHub App Private Key
+    id: decode
+    run: |
+      private_key=$(echo "${{ secrets.APP_PRIVATE_KEY }}" | base64 -d | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null
+      echo "::add-mask::$private_key"
+      echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
+  - name: Generate GitHub App Token
+    id: app-token
+    uses: actions/create-github-app-token@v3
+    with:
+      client-id: ${{ vars.APP_CLIENT_ID }}
+      private-key: ${{ steps.decode.outputs.private-key }}
+```
+
+### `owner`
+
+**Optional:** The owner of the GitHub App installation. If empty, defaults to the current repository owner.
+
+### `repositories`
+
+**Optional:** Comma or newline-separated list of repositories to grant access to.
+
+> [!NOTE]
+> If `owner` is set and `repositories` is empty, access will be scoped to all repositories in the provided repository owner's installation. If `owner` and `repositories` are empty, access will be scoped to only the current repository.
+
+### `permission-<permission name>`
+
+**Optional:** The permissions to grant to the token. By default, the token inherits all of the installation's permissions. We recommend to explicitly list the permissions that are required for a use case. This follows GitHub's own recommendation to [control permissions of `GITHUB_TOKEN` in workflows](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token). The documentation also lists all available permissions, just prefix the permission key with `permission-` (e.g., `pull-requests` → `permission-pull-requests`).
+
+The reason we define one `permision-<permission name>` input per permission is to benefit from type intelligence and input validation built into GitHub's action runner.
+
+### `skip-token-revoke`
+
+**Optional:** If true, the token will not be revoked when the current job is complete.
+
+### `github-api-url`
+
+**Optional:** The URL of the GitHub REST API. Defaults to the URL of the GitHub Rest API where the workflow is run from.
 
 ## Outputs
 
 ### `token`
 
-GitHub installation access token.
+GitHub App installation access token.
+
+### `installation-id`
+
+GitHub App installation ID.
+
+### `app-slug`
+
+GitHub App slug.
 
 ## How it works
 
 The action creates an installation access token using [the `POST /app/installations/{installation_id}/access_tokens` endpoint](https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app). By default,
 
-1. The token is scoped to the current repository
-2. The token inherits all the installation's permissions
-3. The token is set as output `token` which can be used in subsequent steps
-4. The token is revoked in the `post` step of the action, which means it cannot be passed to another job.
-5. The token is masked, it cannot be logged accidentally. That is not a feature by the action, but by the GitHub Actions runner itself, due to the specific format of GitHub tokens.
+1. The token is scoped to the current repository or `repositories` if set.
+2. The token inherits all the installation's permissions.
+3. The token is set as output `token` which can be used in subsequent steps.
+4. Unless the `skip-token-revoke` input is set to true, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
+5. The token is masked, it cannot be logged accidentally.
 
-> **Note**
+> [!NOTE]
 > Installation permissions can differ from the app's permissions they belong to. Installation permissions are set when an app is installed on an account. When the app adds more permissions after the installation, an account administrator will have to approve the new permissions before they are set on the installation.
 
+## Contributing
+
+[CONTRIBUTING.md](CONTRIBUTING.md)
+
 ## License
 
 [MIT](LICENSE)

action.yml

@@ -1,17 +1,153 @@
-name: 'github-app-token'
-description: ''
-author: 'Gregor Martynus and Parker Brown'
+name: "Create GitHub App Token"
+description: "GitHub Action for creating a GitHub App installation access token"
+author: "Gregor Martynus and Parker Brown"
+branding:
+  icon: "lock"
+  color: "gray-dark"
 inputs:
-  app_id:
-    description: 'GitHub app ID'
-    required: true
-  private_key:
-    description: 'GitHub app private key'
+  client-id:
+    description: "GitHub App Client ID"
+    required: false
+  app-id:
+    description: "GitHub App ID"
+    required: false
+    deprecationMessage: "Use 'client-id' instead."
+  private-key:
+    description: "GitHub App private key"
     required: true
+  owner:
+    description: "The owner of the GitHub App installation (defaults to current repository owner)"
+    required: false
+  repositories:
+    description: "Comma or newline-separated list of repositories to install the GitHub App on (defaults to current repository if owner is unset)"
+    required: false
+  skip-token-revoke:
+    description: "If true, the token will not be revoked when the current job is complete"
+    required: false
+    default: "false"
+  # Make GitHub API configurable to support non-GitHub Cloud use cases
+  # see https://github.com/actions/create-github-app-token/issues/77
+  github-api-url:
+    description: The URL of the GitHub REST API.
+    default: ${{ github.api_url }}
+  # <START GENERATED PERMISSIONS INPUTS>
+  permission-actions:
+    description: "The level of permission to grant the access token for GitHub Actions workflows, workflow runs, and artifacts. Can be set to 'read' or 'write'."
+  permission-administration:
+    description: "The level of permission to grant the access token for repository creation, deletion, settings, teams, and collaborators creation. Can be set to 'read' or 'write'."
+  permission-artifact-metadata:
+    description: "The level of permission to grant the access token to create and retrieve build artifact metadata records. Can be set to 'read' or 'write'."
+  permission-attestations:
+    description: "The level of permission to create and retrieve the access token for repository attestations. Can be set to 'read' or 'write'."
+  permission-checks:
+    description: "The level of permission to grant the access token for checks on code. Can be set to 'read' or 'write'."
+  permission-codespaces:
+    description: "The level of permission to grant the access token to create, edit, delete, and list Codespaces. Can be set to 'read' or 'write'."
+  permission-contents:
+    description: "The level of permission to grant the access token for repository contents, commits, branches, downloads, releases, and merges. Can be set to 'read' or 'write'."
+  permission-custom-properties-for-organizations:
+    description: "The level of permission to grant the access token to view and edit custom properties for an organization, when allowed by the property. Can be set to 'read' or 'write'."
+  permission-dependabot-secrets:
+    description: "The level of permission to grant the access token to manage Dependabot secrets. Can be set to 'read' or 'write'."
+  permission-deployments:
+    description: "The level of permission to grant the access token for deployments and deployment statuses. Can be set to 'read' or 'write'."
+  permission-discussions:
+    description: "The level of permission to grant the access token for discussions and related comments and labels. Can be set to 'read' or 'write'."
+  permission-email-addresses:
+    description: "The level of permission to grant the access token to manage the email addresses belonging to a user. Can be set to 'read' or 'write'."
+  permission-enterprise-custom-properties-for-organizations:
+    description: "The level of permission to grant the access token for organization custom properties management at the enterprise level. Can be set to 'read', 'write', or 'admin'."
+  permission-environments:
+    description: "The level of permission to grant the access token for managing repository environments. Can be set to 'read' or 'write'."
+  permission-followers:
+    description: "The level of permission to grant the access token to manage the followers belonging to a user. Can be set to 'read' or 'write'."
+  permission-git-ssh-keys:
+    description: "The level of permission to grant the access token to manage git SSH keys. Can be set to 'read' or 'write'."
+  permission-gpg-keys:
+    description: "The level of permission to grant the access token to view and manage GPG keys belonging to a user. Can be set to 'read' or 'write'."
+  permission-interaction-limits:
+    description: "The level of permission to grant the access token to view and manage interaction limits on a repository. Can be set to 'read' or 'write'."
+  permission-issues:
+    description: "The level of permission to grant the access token for issues and related comments, assignees, labels, and milestones. Can be set to 'read' or 'write'."
+  permission-members:
+    description: "The level of permission to grant the access token for organization teams and members. Can be set to 'read' or 'write'."
+  permission-merge-queues:
+    description: "The level of permission to grant the access token to manage the merge queues for a repository. Can be set to 'read' or 'write'."
+  permission-metadata:
+    description: "The level of permission to grant the access token to search repositories, list collaborators, and access repository metadata. Can be set to 'read' or 'write'."
+  permission-organization-administration:
+    description: "The level of permission to grant the access token to manage access to an organization. Can be set to 'read' or 'write'."
+  permission-organization-announcement-banners:
+    description: "The level of permission to grant the access token to view and manage announcement banners for an organization. Can be set to 'read' or 'write'."
+  permission-organization-copilot-seat-management:
+    description: "The level of permission to grant the access token for managing access to GitHub Copilot for members of an organization with a Copilot Business subscription. This property is in public preview and is subject to change. Can be set to 'write'."
+  permission-organization-custom-org-roles:
+    description: "The level of permission to grant the access token for custom organization roles management. Can be set to 'read' or 'write'."
+  permission-organization-custom-properties:
+    description: "The level of permission to grant the access token for repository custom properties management at the organization level. Can be set to 'read', 'write', or 'admin'."
+  permission-organization-custom-roles:
+    description: "The level of permission to grant the access token for custom repository roles management. Can be set to 'read' or 'write'."
+  permission-organization-events:
+    description: "The level of permission to grant the access token to view events triggered by an activity in an organization. Can be set to 'read'."
+  permission-organization-hooks:
+    description: "The level of permission to grant the access token to manage the post-receive hooks for an organization. Can be set to 'read' or 'write'."
+  permission-organization-packages:
+    description: "The level of permission to grant the access token for organization packages published to GitHub Packages. Can be set to 'read' or 'write'."
+  permission-organization-personal-access-token-requests:
+    description: "The level of permission to grant the access token for viewing and managing fine-grained personal access tokens that have been approved by an organization. Can be set to 'read' or 'write'."
+  permission-organization-personal-access-tokens:
+    description: "The level of permission to grant the access token for viewing and managing fine-grained personal access token requests to an organization. Can be set to 'read' or 'write'."
+  permission-organization-plan:
+    description: "The level of permission to grant the access token for viewing an organization's plan. Can be set to 'read'."
+  permission-organization-projects:
+    description: "The level of permission to grant the access token to manage organization projects and projects public preview (where available). Can be set to 'read', 'write', or 'admin'."
+  permission-organization-secrets:
+    description: "The level of permission to grant the access token to manage organization secrets. Can be set to 'read' or 'write'."
+  permission-organization-self-hosted-runners:
+    description: "The level of permission to grant the access token to view and manage GitHub Actions self-hosted runners available to an organization. Can be set to 'read' or 'write'."
+  permission-organization-user-blocking:
+    description: "The level of permission to grant the access token to view and manage users blocked by the organization. Can be set to 'read' or 'write'."
+  permission-packages:
+    description: "The level of permission to grant the access token for packages published to GitHub Packages. Can be set to 'read' or 'write'."
+  permission-pages:
+    description: "The level of permission to grant the access token to retrieve Pages statuses, configuration, and builds, as well as create new builds. Can be set to 'read' or 'write'."
+  permission-profile:
+    description: "The level of permission to grant the access token to manage the profile settings belonging to a user. Can be set to 'write'."
+  permission-pull-requests:
+    description: "The level of permission to grant the access token for pull requests and related comments, assignees, labels, milestones, and merges. Can be set to 'read' or 'write'."
+  permission-repository-custom-properties:
+    description: "The level of permission to grant the access token to view and edit custom properties for a repository, when allowed by the property. Can be set to 'read' or 'write'."
+  permission-repository-hooks:
+    description: "The level of permission to grant the access token to manage the post-receive hooks for a repository. Can be set to 'read' or 'write'."
+  permission-repository-projects:
+    description: "The level of permission to grant the access token to manage repository projects, columns, and cards. Can be set to 'read', 'write', or 'admin'."
+  permission-secret-scanning-alerts:
+    description: "The level of permission to grant the access token to view and manage secret scanning alerts. Can be set to 'read' or 'write'."
+  permission-secrets:
+    description: "The level of permission to grant the access token to manage repository secrets. Can be set to 'read' or 'write'."
+  permission-security-events:
+    description: "The level of permission to grant the access token to view and manage security events like code scanning alerts. Can be set to 'read' or 'write'."
+  permission-single-file:
+    description: "The level of permission to grant the access token to manage just a single file. Can be set to 'read' or 'write'."
+  permission-starring:
+    description: "The level of permission to grant the access token to list and manage repositories a user is starring. Can be set to 'read' or 'write'."
+  permission-statuses:
+    description: "The level of permission to grant the access token for commit statuses. Can be set to 'read' or 'write'."
+  permission-team-discussions:
+    description: "The level of permission to grant the access token to manage team discussions and related comments. Can be set to 'read' or 'write'."
+  permission-vulnerability-alerts:
+    description: "The level of permission to grant the access token to manage Dependabot alerts. Can be set to 'read' or 'write'."
+  permission-workflows:
+    description: "The level of permission to grant the access token to update GitHub Actions workflow files. Can be set to 'write'."
+  # <END GENERATED PERMISSIONS INPUTS>
 outputs:
   token:
-    description: 'GitHub installation access token'
+    description: "GitHub installation access token"
+  installation-id:
+    description: "GitHub App installation ID"
+  app-slug:
+    description: "GitHub App slug"
 runs:
-  using: 'node16'
-  main: 'dist/main.cjs'
-  post: 'dist/post.cjs'
+  using: "node24"
+  main: "dist/main.cjs"
+  post: "dist/post.cjs"

lib/get-permissions-from-inputs.js

@@ -0,0 +1,27 @@
+/**
+ * Finds all permissions passed via `permision-*` inputs and turns them into an object.
+ *
+ * @see https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#inputs
+ * @param {NodeJS.ProcessEnv} env
+ * @returns {undefined | Record<string, string>}
+ */
+export function getPermissionsFromInputs(env) {
+  return Object.entries(env).reduce((permissions, [key, value]) => {
+    if (!key.startsWith("INPUT_PERMISSION-")) return permissions;
+    if (!value) return permissions;
+
+    const permission = key.slice("INPUT_PERMISSION-".length).toLowerCase()
+      .replaceAll(/-/g, "_");
+
+    // Inherit app permissions if no permissions inputs are set
+    if (permissions === undefined) {
+      return { [permission]: value };
+    }
+
+    return {
+      // @ts-expect-error - needs to be typed correctly
+      ...permissions,
+      [permission]: value,
+    };
+  }, undefined);
+}

lib/main.js

@@ -1,59 +1,183 @@
+import pRetry from "p-retry";
 // @ts-check
 
-import core from "@actions/core";
-import { createAppAuth } from "@octokit/auth-app";
-import { request } from "@octokit/request";
-
 /**
- * @param {string} appId
+ * @param {string} clientId
  * @param {string} privateKey
- * @param {string} repository
- * @param {core} core
- * @param {createAppAuth} createAppAuth
- * @param {request} request
+ * @param {string} owner
+ * @param {string[]} repositories
+ * @param {undefined | Record<string, string>} permissions
+ * @param {import("@actions/core")} core
+ * @param {import("@octokit/auth-app").createAppAuth} createAppAuth
+ * @param {import("@octokit/request").request} request
+ * @param {boolean} skipTokenRevoke
  */
 export async function main(
-  appId,
+  clientId,
   privateKey,
-  repository,
+  owner,
+  repositories,
+  permissions,
   core,
   createAppAuth,
-  request
+  request,
+  skipTokenRevoke
 ) {
-  // Get owner and repo name from GITHUB_REPOSITORY
-  const [owner, repo] = repository.split("/");
+  let parsedOwner = "";
+  let parsedRepositoryNames = [];
+
+  // If neither owner nor repositories are set, default to current repository
+  if (!owner && repositories.length === 0) {
+    const [owner, repo] = String(process.env.GITHUB_REPOSITORY).split("/");
+    parsedOwner = owner;
+    parsedRepositoryNames = [repo];
+
+    core.info(
+      `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (${owner}/${repo}).`
+    );
+  }
+
+  // If only an owner is set, default to all repositories from that owner
+  if (owner && repositories.length === 0) {
+    parsedOwner = owner;
+
+    core.info(
+      `Input 'repositories' is not set. Creating token for all repositories owned by ${owner}.`
+    );
+  }
+
+  // If repositories are set, but no owner, default to `GITHUB_REPOSITORY_OWNER`
+  if (!owner && repositories.length > 0) {
+    parsedOwner = String(process.env.GITHUB_REPOSITORY_OWNER);
+    parsedRepositoryNames = repositories;
+
+    core.info(
+      `No 'owner' input provided. Using default owner '${parsedOwner}' to create token for the following repositories:${repositories
+        .map((repo) => `\n- ${parsedOwner}/${repo}`)
+        .join("")}`
+    );
+  }
+
+  // If both owner and repositories are set, use those values
+  if (owner && repositories.length > 0) {
+    parsedOwner = owner;
+    parsedRepositoryNames = repositories;
+
+    core.info(
+      `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      ${repositories.map((repo) => `\n- ${parsedOwner}/${repo}`).join("")}`
+    );
+  }
 
   const auth = createAppAuth({
-    appId,
+    appId: clientId,
     privateKey,
+    request,
   });
 
-  const appAuthentication = await auth({
-    type: "app",
-  });
+  let authentication, installationId, appSlug;
+  // If at least one repository is set, get installation ID from that repository
 
-  // Get the installation ID
-  // https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
-  const { data: installation } = await request(
-    "GET /repos/{owner}/{repo}/installation",
-    {
-      owner,
-      repo,
-      headers: {
-        authorization: `bearer ${appAuthentication.token}`,
-      },
-    }
-  );
+  if (parsedRepositoryNames.length > 0) {
+    ({ authentication, installationId, appSlug } = await pRetry(
+      () =>
+        getTokenFromRepository(
+          request,
+          auth,
+          parsedOwner,
+          parsedRepositoryNames,
+          permissions
+        ),
+      {
+        shouldRetry: ({ error }) => error.status >= 500,
+        onFailedAttempt: (context) => {
+          core.info(
+            `Failed to create token for "${parsedRepositoryNames.join(
+              ","
+            )}" (attempt ${context.attemptNumber}): ${context.error.message}`
+          );
+        },
+        retries: 3,
+      }
+    ));
+  } else {
+    // Otherwise get the installation for the owner, which can either be an organization or a user account
+    ({ authentication, installationId, appSlug } = await pRetry(
+      () => getTokenFromOwner(request, auth, parsedOwner, permissions),
+      {
+        onFailedAttempt: (context) => {
+          core.info(
+            `Failed to create token for "${parsedOwner}" (attempt ${context.attemptNumber}): ${context.error.message}`
+          );
+        },
+        retries: 3,
+      }
+    ));
+  }
 
-  // Create a new installation token
-  const authentication = await auth({
-    type: "installation",
-    installationId: installation.id,
-    repositoryNames: [repo],
-  });
+  // Register the token with the runner as a secret to ensure it is masked in logs
+  core.setSecret(authentication.token);
 
   core.setOutput("token", authentication.token);
+  core.setOutput("installation-id", installationId);
+  core.setOutput("app-slug", appSlug);
 
   // Make token accessible to post function (so we can invalidate it)
-  core.saveState("token", authentication.token);
+  if (!skipTokenRevoke) {
+    core.saveState("token", authentication.token);
+    core.saveState("expiresAt", authentication.expiresAt);
+  }
+}
+
+async function getTokenFromOwner(request, auth, parsedOwner, permissions) {
+  // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app
+  // This endpoint works for both users and organizations
+  const response = await request("GET /users/{username}/installation", {
+    username: parsedOwner,
+    request: {
+      hook: auth.hook,
+    },
+  });
+
+  // Get token for for all repositories of the given installation
+  const authentication = await auth({
+    type: "installation",
+    installationId: response.data.id,
+    permissions,
+  });
+
+  const installationId = response.data.id;
+  const appSlug = response.data["app_slug"];
+
+  return { authentication, installationId, appSlug };
+}
+
+async function getTokenFromRepository(
+  request,
+  auth,
+  parsedOwner,
+  parsedRepositoryNames,
+  permissions
+) {
+  // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
+  const response = await request("GET /repos/{owner}/{repo}/installation", {
+    owner: parsedOwner,
+    repo: parsedRepositoryNames[0],
+    request: {
+      hook: auth.hook,
+    },
+  });
+
+  // Get token for given repositories
+  const authentication = await auth({
+    type: "installation",
+    installationId: response.data.id,
+    repositoryNames: parsedRepositoryNames,
+    permissions,
+  });
+
+  const installationId = response.data.id;
+  const appSlug = response.data["app_slug"];
+
+  return { authentication, installationId, appSlug };
 }

lib/post.js

@@ -1,20 +1,48 @@
 // @ts-check
 
-import core from "@actions/core";
-import { request } from "@octokit/request";
-
 /**
- * @param {core} core
- * @param {request} request
+ * @param {import("@actions/core")} core
+ * @param {import("@octokit/request").request} request
  */
 export async function post(core, request) {
+  const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
+
+  if (skipTokenRevoke) {
+    core.info("Token revocation was skipped");
+    return;
+  }
+
   const token = core.getState("token");
 
-  await request("DELETE /installation/token", {
-    headers: {
-      authorization: `token ${token}`,
-    },
-  });
+  if (!token) {
+    core.info("Token is not set");
+    return;
+  }
 
-  core.info("Token revoked");
+  const expiresAt = core.getState("expiresAt");
+  if (expiresAt && tokenExpiresIn(expiresAt) < 0) {
+    core.info("Token expired, skipping token revocation");
+    return;
+  }
+
+  try {
+    await request("DELETE /installation/token", {
+      headers: {
+        authorization: `token ${token}`,
+      },
+    });
+    core.info("Token revoked");
+  } catch (error) {
+    core.warning(`Token revocation failed: ${error.message}`);
+  }
+}
+
+/**
+ * @param {string} expiresAt
+ */
+function tokenExpiresIn(expiresAt) {
+  const now = new Date();
+  const expiresAtDate = new Date(expiresAt);
+
+  return Math.round((expiresAtDate.getTime() - now.getTime()) / 1000);
 }

lib/request.js

@@ -0,0 +1,36 @@
+import * as core from "@actions/core";
+import { request } from "@octokit/request";
+
+// Get the GitHub API URL from the action input and remove any trailing slash
+const baseUrl = core.getInput("github-api-url").replace(/\/$/, "");
+
+const proxyEnvironmentKeys = [
+  "https_proxy",
+  "HTTPS_PROXY",
+  "http_proxy",
+  "HTTP_PROXY",
+];
+
+function proxyEnvironmentConfigured() {
+  return proxyEnvironmentKeys.some((key) => process.env[key]);
+}
+
+function nativeProxySupportEnabled() {
+  return process.env.NODE_USE_ENV_PROXY === "1";
+}
+
+export function ensureNativeProxySupport() {
+  if (!proxyEnvironmentConfigured() || nativeProxySupportEnabled()) {
+    return;
+  }
+
+  throw new Error(
+    "A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.",
+  );
+}
+
+// Configure the default settings for GitHub API requests
+export default request.defaults({
+  headers: { "user-agent": "actions/create-github-app-token" },
+  baseUrl,
+});

main.js

@@ -1,23 +1,55 @@
 // @ts-check
 
-import core from "@actions/core";
+import * as core from "@actions/core";
 import { createAppAuth } from "@octokit/auth-app";
-import { request } from "@octokit/request";
 
+import { getPermissionsFromInputs } from "./lib/get-permissions-from-inputs.js";
 import { main } from "./lib/main.js";
+import request, { ensureNativeProxySupport } from "./lib/request.js";
 
 if (!process.env.GITHUB_REPOSITORY) {
   throw new Error("GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'");
 }
 
-const appId = core.getInput("app_id");
-const privateKey = core.getInput("private_key");
+if (!process.env.GITHUB_REPOSITORY_OWNER) {
+  throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
+}
 
-const repository = process.env.GITHUB_REPOSITORY;
+async function run() {
+  ensureNativeProxySupport();
 
-main(appId, privateKey, repository, core, createAppAuth, request).catch(
-  (error) => {
-    console.error(error);
-    core.setFailed(error.message);
+  const clientId = core.getInput("client-id") || core.getInput("app-id");
+  if (!clientId) {
+    throw new Error("The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.");
   }
-);
+  const privateKey = core.getInput("private-key");
+  const owner = core.getInput("owner");
+  const repositories = core
+    .getInput("repositories")
+    .split(/[\n,]+/)
+    .map((s) => s.trim())
+    .filter((x) => x !== "");
+
+  const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
+
+  const permissions = getPermissionsFromInputs(process.env);
+
+  return main(
+    clientId,
+    privateKey,
+    owner,
+    repositories,
+    permissions,
+    core,
+    createAppAuth,
+    request,
+    skipTokenRevoke,
+  );
+}
+
+// Export promise for testing
+export default run().catch((error) => {
+  /* c8 ignore next 3 */
+  console.error(error);
+  core.setFailed(error.message);
+});

package.json

@@ -1,27 +1,60 @@
 {
-  "name": "app-token-action",
+  "name": "create-github-app-token",
   "private": true,
   "type": "module",
-  "version": "1.0.0",
+  "version": "3.1.1",
   "description": "GitHub Action for creating a GitHub App Installation Access Token",
+  "engines": {
+    "node": ">=24.4.0"
+  },
+  "packageManager": "npm@10.9.4",
   "scripts": {
-    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node16.16",
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --packages=bundle",
+    "test": "c8 --100 node --test tests/index.js",
+    "coverage": "c8 report --reporter html",
+    "postcoverage": "open-cli coverage/index.html"
   },
   "license": "MIT",
   "dependencies": {
-    "@actions/core": "^1.10.0",
-    "@octokit/auth-app": "^4.0.13",
-    "@octokit/request": "^6.2.5"
+    "@actions/core": "^3.0.0",
+    "@octokit/auth-app": "^8.2.0",
+    "@octokit/request": "^10.0.8",
+    "p-retry": "^8.0.0"
   },
   "devDependencies": {
-    "dotenv": "^16.0.3",
-    "esbuild": "^0.17.19"
+    "@octokit/openapi": "^22.0.0",
+    "c8": "^11.0.0",
+    "esbuild": "^0.27.4",
+    "open-cli": "^9.0.0",
+    "undici": "^7.24.6",
+    "yaml": "^2.8.3"
   },
   "release": {
     "branches": [
       "+([0-9]).x",
-      "main"
+      "main",
+      {
+        "name": "beta",
+        "prerelease": true
+      }
+    ],
+    "plugins": [
+      "@semantic-release/commit-analyzer",
+      "@semantic-release/release-notes-generator",
+      "@semantic-release/github",
+      "@semantic-release/npm",
+      "semantic-release-plugin-github-breaking-version-tag",
+      [
+        "@semantic-release/git",
+        {
+          "assets": [
+            "package.json",
+            "package-lock.json",
+            "dist/*"
+          ],
+          "message": "build(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+        }
+      ]
     ]
   }
 }

post.js

@@ -1,13 +1,18 @@
 // @ts-check
 
-import core from "@actions/core";
-import { request } from "@octokit/request";
+import * as core from "@actions/core";
 
 import { post } from "./lib/post.js";
+import request, { ensureNativeProxySupport } from "./lib/request.js";
 
-post(core, request).catch(
-  (error) => {
-    console.error(error);
-    core.setFailed(error.message);
-  }
-);
+async function run() {
+  ensureNativeProxySupport();
+
+  return post(core, request);
+}
+
+run().catch((error) => {
+  /* c8 ignore next 3 */
+  console.error(error);
+  core.setFailed(error.message);
+});

scripts/generated/app-permissions.json

@@ -0,0 +1,444 @@
+{
+  "title": "App Permissions",
+  "type": "object",
+  "description": "The permissions granted to the user access token.",
+  "properties": {
+    "actions": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for GitHub Actions workflows, workflow runs, and artifacts.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "administration": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for repository creation, deletion, settings, teams, and collaborators creation.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "artifact_metadata": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to create and retrieve build artifact metadata records.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "attestations": {
+      "type": "string",
+      "description": "The level of permission to create and retrieve the access token for repository attestations.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "checks": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for checks on code.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "codespaces": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to create, edit, delete, and list Codespaces.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "contents": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for repository contents, commits, branches, downloads, releases, and merges.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "dependabot_secrets": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage Dependabot secrets.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "deployments": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for deployments and deployment statuses.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "discussions": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for discussions and related comments and labels.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "environments": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for managing repository environments.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "issues": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for issues and related comments, assignees, labels, and milestones.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "merge_queues": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage the merge queues for a repository.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "metadata": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to search repositories, list collaborators, and access repository metadata.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "packages": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for packages published to GitHub Packages.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "pages": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to retrieve Pages statuses, configuration, and builds, as well as create new builds.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "pull_requests": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for pull requests and related comments, assignees, labels, milestones, and merges.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "repository_custom_properties": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to view and edit custom properties for a repository, when allowed by the property.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "repository_hooks": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage the post-receive hooks for a repository.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "repository_projects": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage repository projects, columns, and cards.",
+      "enum": [
+        "read",
+        "write",
+        "admin"
+      ]
+    },
+    "secret_scanning_alerts": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to view and manage secret scanning alerts.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "secrets": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage repository secrets.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "security_events": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to view and manage security events like code scanning alerts.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "single_file": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage just a single file.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "statuses": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for commit statuses.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "vulnerability_alerts": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage Dependabot alerts.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "workflows": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to update GitHub Actions workflow files.",
+      "enum": [
+        "write"
+      ]
+    },
+    "custom_properties_for_organizations": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to view and edit custom properties for an organization, when allowed by the property.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "members": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for organization teams and members.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "organization_administration": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage access to an organization.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "organization_custom_roles": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for custom repository roles management.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "organization_custom_org_roles": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for custom organization roles management.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "organization_custom_properties": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for repository custom properties management at the organization level.",
+      "enum": [
+        "read",
+        "write",
+        "admin"
+      ]
+    },
+    "organization_copilot_seat_management": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for managing access to GitHub Copilot for members of an organization with a Copilot Business subscription. This property is in public preview and is subject to change.",
+      "enum": [
+        "write"
+      ]
+    },
+    "organization_announcement_banners": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to view and manage announcement banners for an organization.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "organization_events": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to view events triggered by an activity in an organization.",
+      "enum": [
+        "read"
+      ]
+    },
+    "organization_hooks": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage the post-receive hooks for an organization.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "organization_personal_access_tokens": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for viewing and managing fine-grained personal access token requests to an organization.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "organization_personal_access_token_requests": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for viewing and managing fine-grained personal access tokens that have been approved by an organization.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "organization_plan": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for viewing an organization's plan.",
+      "enum": [
+        "read"
+      ]
+    },
+    "organization_projects": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage organization projects and projects public preview (where available).",
+      "enum": [
+        "read",
+        "write",
+        "admin"
+      ]
+    },
+    "organization_packages": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for organization packages published to GitHub Packages.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "organization_secrets": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage organization secrets.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "organization_self_hosted_runners": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to view and manage GitHub Actions self-hosted runners available to an organization.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "organization_user_blocking": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to view and manage users blocked by the organization.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "team_discussions": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage team discussions and related comments.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "email_addresses": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage the email addresses belonging to a user.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "followers": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage the followers belonging to a user.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "git_ssh_keys": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage git SSH keys.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "gpg_keys": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to view and manage GPG keys belonging to a user.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "interaction_limits": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to view and manage interaction limits on a repository.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "profile": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to manage the profile settings belonging to a user.",
+      "enum": [
+        "write"
+      ]
+    },
+    "starring": {
+      "type": "string",
+      "description": "The level of permission to grant the access token to list and manage repositories a user is starring.",
+      "enum": [
+        "read",
+        "write"
+      ]
+    },
+    "enterprise_custom_properties_for_organizations": {
+      "type": "string",
+      "description": "The level of permission to grant the access token for organization custom properties management at the enterprise level.",
+      "enum": [
+        "read",
+        "write",
+        "admin"
+      ]
+    }
+  },
+  "example": {
+    "contents": "read",
+    "issues": "read",
+    "deployments": "write",
+    "single_file": "read"
+  }
+}

scripts/update-permission-inputs.js

@@ -0,0 +1,42 @@
+import { readFile, writeFile } from "node:fs/promises";
+
+import OctokitOpenapi from "@octokit/openapi";
+
+const appPermissionsSchema =
+  OctokitOpenapi.schemas["api.github.com"].components.schemas[
+    "app-permissions"
+  ];
+
+await writeFile(
+  `scripts/generated/app-permissions.json`,
+  JSON.stringify(appPermissionsSchema, null, 2) + "\n",
+  "utf8"
+);
+
+const permissionsInputs = Object.entries(appPermissionsSchema.properties)
+  .sort((a, b) => a[0].localeCompare(b[0]))
+  .reduce((result, [key, value]) => {
+    const formatter = new Intl.ListFormat("en", {
+      style: "long",
+      type: "disjunction",
+    });
+    const permissionAccessValues = formatter.format(
+      value.enum.map((p) => `'${p}'`)
+    );
+
+    const description = `${value.description} Can be set to ${permissionAccessValues}.`;
+    return `${result}
+  permission-${key.replace(/_/g, "-")}:
+    description: "${description}"`;
+  }, "");
+
+const actionsYamlContent = await readFile("action.yml", "utf8");
+
+// In the action.yml file, replace the content between the `<START GENERATED PERMISSIONS INPUTS>` and `<END GENERATED PERMISSIONS INPUTS>` comments with the new content
+const updatedActionsYamlContent = actionsYamlContent.replace(
+  /(?<=# <START GENERATED PERMISSIONS INPUTS>)(.|\n)*(?=# <END GENERATED PERMISSIONS INPUTS>)/,
+  permissionsInputs + "\n  "
+);
+
+await writeFile("action.yml", updatedActionsYamlContent, "utf8");
+console.log("Updated action.yml with new permissions inputs");

tests/README.md

@@ -0,0 +1,36 @@
+# Tests
+
+Add one test file per scenario. You can run them in isolation with:
+
+```
+node tests/post-token-set.test.js
+```
+
+All tests are run together in [tests/index.js](index.js), which can be executed with Node's built-in test runner
+
+```
+node --test tests/index.js
+```
+
+or with npm
+
+```
+npm test
+```
+
+## How the tests work
+
+The output from the tests is captured into a snapshot ([tests/index.js.snapshot](index.js.snapshot)). It includes all requests sent by our scripts to verify it's working correctly and to prevent regressions.
+
+To update snapshots after an intentional change:
+
+```
+node --test --test-update-snapshots tests/index.js
+```
+
+## How to add a new test
+
+We have tests both for the `main.js` and `post.js` scripts.
+
+- If you do not expect an error, take [main-token-permissions-set.test.js](main-token-permissions-set.test.js) as a starting point.
+- If your test has an expected error, take [main-missing-client-and-app-id.test.js](main-missing-client-and-app-id.test.js) as a starting point.

tests/action-deprecated-inputs.test.js

@@ -0,0 +1,16 @@
+import { readFileSync } from "node:fs";
+import * as url from "node:url";
+import YAML from "yaml";
+
+const action = YAML.parse(
+  readFileSync(
+    url.fileURLToPath(new URL("../action.yml", import.meta.url)),
+    "utf8"
+  )
+);
+
+for (const [key, value] of Object.entries(action.inputs)) {
+  if ("deprecationMessage" in value) {
+    console.log(`${key} — ${value.deprecationMessage}`);
+  }
+}

tests/index.js

@@ -0,0 +1,56 @@
+import { readdirSync } from "node:fs";
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+
+import { snapshot, test } from "node:test";
+
+const execFileAsync = promisify(execFile);
+
+// Serialize strings as-is so multiline output is human-readable in snapshots
+snapshot.setDefaultSnapshotSerializers([
+  (value) => (typeof value === "string" ? value : undefined),
+]);
+
+// Get all files in tests directory
+const files = readdirSync("tests");
+
+// Files to ignore
+const ignore = ["index.js", "index.js.snapshot", "main.js", "README.md"];
+
+const testFiles = files.filter((file) => !ignore.includes(file)).sort();
+
+// Throw an error if there is a file that does not end with test.js in the tests directory
+for (const file of testFiles) {
+  if (!file.endsWith(".test.js")) {
+    throw new Error(`File ${file} does not end with .test.js`);
+  }
+  test(file, async (t) => {
+    // Override Actions environment variables that change `core`’s behavior
+    const {
+      GITHUB_OUTPUT,
+      GITHUB_STATE,
+      HTTP_PROXY,
+      HTTPS_PROXY,
+      http_proxy,
+      https_proxy,
+      NO_PROXY,
+      no_proxy,
+      NODE_OPTIONS,
+      NODE_USE_ENV_PROXY,
+      ...env
+    } = process.env;
+    const { stderr, stdout } = await execFileAsync("node", [`tests/${file}`], {
+      env,
+    });
+    const trimmedStderr = stderr.replace(/\r?\n$/, "");
+    const trimmedStdout = stdout.replace(/\r?\n$/, "");
+    await t.test("stderr", (t) => {
+      if (trimmedStderr) t.assert.snapshot(trimmedStderr);
+      else t.assert.strictEqual(trimmedStderr, "");
+    });
+    await t.test("stdout", (t) => {
+      if (trimmedStdout) t.assert.snapshot(trimmedStdout);
+      else t.assert.strictEqual(trimmedStdout, "");
+    });
+  });
+}

tests/index.js.snapshot

@@ -0,0 +1,320 @@
+exports[`action-deprecated-inputs.test.js > stdout 1`] = `
+app-id — Use 'client-id' instead.
+`;
+
+exports[`main-app-id-fallback.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-client-id-precedence.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-custom-github-api-url.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/create-github-app-token
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /api/v3/repos/actions/create-github-app-token/installation
+POST /api/v3/app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-missing-client-and-app-id.test.js > stderr 1`] = `
+The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.
+`;
+
+exports[`main-missing-client-and-app-id.test.js > stdout 1`] = `
+::error::The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.
+`;
+
+exports[`main-missing-owner.test.js > stderr 1`] = `
+GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'
+`;
+
+exports[`main-missing-repository.test.js > stderr 1`] = `
+GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'
+`;
+
+exports[`main-private-key-with-escaped-newlines.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-proxy-requires-native-support.test.js > stderr 1`] = `
+A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.
+`;
+
+exports[`main-proxy-requires-native-support.test.js > stdout 1`] = `
+::error::A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.
+`;
+
+exports[`main-repo-skew.test.js > stderr 1`] = `
+'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued.
+[@octokit/auth-app] GitHub API time and system time are different by 30 seconds. Retrying request with the difference accounted for.
+`;
+
+exports[`main-repo-skew.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/failed-repo
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/failed-repo/installation
+GET /repos/actions/failed-repo/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["failed-repo"]}
+`;
+
+exports[`main-token-get-owner-set-fail-response.test.js > stdout 1`] = `
+Input 'repositories' is not set. Creating token for all repositories owned by smockle.
+Failed to create token for "smockle" (attempt 1): GitHub API not available
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /users/smockle/installation
+GET /users/smockle/installation
+POST /app/installations/123456/access_tokens
+null
+`;
+
+exports[`main-token-get-owner-set-repo-fail-response.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/failed-repo
+Failed to create token for "failed-repo" (attempt 1): GitHub API not available
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/failed-repo/installation
+GET /repos/actions/failed-repo/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["failed-repo"]}
+`;
+
+exports[`main-token-get-owner-set-repo-set-to-many-newline.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/create-github-app-token
+- actions/toolkit
+- actions/checkout
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token","toolkit","checkout"]}
+`;
+
+exports[`main-token-get-owner-set-repo-set-to-many.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/create-github-app-token
+- actions/toolkit
+- actions/checkout
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token","toolkit","checkout"]}
+`;
+
+exports[`main-token-get-owner-set-repo-set-to-one.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      
+- actions/create-github-app-token
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-token-get-owner-set-repo-unset.test.js > stdout 1`] = `
+Input 'repositories' is not set. Creating token for all repositories owned by actions.
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /users/actions/installation
+POST /app/installations/123456/access_tokens
+null
+`;
+
+exports[`main-token-get-owner-unset-repo-set.test.js > stdout 1`] = `
+No 'owner' input provided. Using default owner 'actions' to create token for the following repositories:
+- actions/create-github-app-token
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-token-get-owner-unset-repo-unset.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"]}
+`;
+
+exports[`main-token-permissions-set.test.js > stdout 1`] = `
+Inputs 'owner' and 'repositories' are not set. Creating token for this repository (actions/create-github-app-token).
+::add-mask::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+
+::set-output name=installation-id::123456
+
+::set-output name=app-slug::github-actions
+::save-state name=token::ghs_16C7e42F292c6912E7710c838347Ae178B4a
+::save-state name=expiresAt::2016-07-11T22:14:10Z
+--- REQUESTS ---
+GET /repos/actions/create-github-app-token/installation
+POST /app/installations/123456/access_tokens
+{"repositories":["create-github-app-token"],"permissions":{"issues":"write","pull_requests":"read"}}
+`;
+
+exports[`post-proxy-requires-native-support.test.js > stderr 1`] = `
+A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.
+`;
+
+exports[`post-proxy-requires-native-support.test.js > stdout 1`] = `
+::error::A proxy environment variable is set, but Node.js native proxy support is not enabled. Set NODE_USE_ENV_PROXY=1 for this action step.
+`;
+
+exports[`post-revoke-token-fail-response.test.js > stdout 1`] = `
+::warning::Token revocation failed: 
+`;
+
+exports[`post-token-expired.test.js > stdout 1`] = `
+Token expired, skipping token revocation
+`;
+
+exports[`post-token-set.test.js > stdout 1`] = `
+Token revoked
+`;
+
+exports[`post-token-skipped.test.js > stdout 1`] = `
+Token revocation was skipped
+`;
+
+exports[`post-token-unset.test.js > stdout 1`] = `
+Token is not set
+`;

tests/main-app-id-fallback.test.js

@@ -0,0 +1,11 @@
+import { DEFAULT_ENV, test } from "./main.js";
+
+// Verify `main` falls back to `app-id` when `client-id` is not set
+await test(
+  () => {},
+  {
+    ...DEFAULT_ENV,
+    "INPUT_CLIENT-ID": "",
+    "INPUT_APP-ID": "123456",
+  }
+);

tests/main-client-id-precedence.test.js

@@ -0,0 +1,11 @@
+import { DEFAULT_ENV, test } from "./main.js";
+
+// Verify `client-id` takes precedence when both `client-id` and `app-id` are set
+await test(
+  () => {},
+  {
+    ...DEFAULT_ENV,
+    "INPUT_CLIENT-ID": "Iv1.0123456789abcdef",
+    "INPUT_APP-ID": "123456",
+  }
+);

tests/main-custom-github-api-url.test.js

@@ -0,0 +1,14 @@
+import { DEFAULT_ENV, test } from "./main.js";
+
+// Verify that main works with a custom GitHub API URL passed as `github-api-url` input
+await test(
+  () => {
+    process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
+    const currentRepoName = process.env.GITHUB_REPOSITORY.split("/")[1];
+    process.env.INPUT_REPOSITORIES = currentRepoName;
+  },
+  {
+    ...DEFAULT_ENV,
+    "INPUT_GITHUB-API-URL": "https://github.acme-inc.com/api/v3",
+  }
+);

tests/main-missing-client-and-app-id.test.js

@@ -0,0 +1,20 @@
+import { DEFAULT_ENV } from "./main.js";
+
+for (const [key, value] of Object.entries({
+  ...DEFAULT_ENV,
+  "INPUT_CLIENT-ID": "",
+  "INPUT_APP-ID": "",
+})) {
+  process.env[key] = value;
+}
+
+// Log only the error message, not the full stack trace, because the stack
+// trace contains environment-specific paths and ANSI codes that differ
+// between local and CI environments.
+const _error = console.error;
+console.error = (err) => _error(err?.message ?? err);
+
+// Verify `main` exits with an error when neither `client-id` nor `app-id` is set.
+const { default: promise } = await import("../main.js");
+await promise;
+process.exitCode = 0;

tests/main-missing-owner.test.js

@@ -0,0 +1,9 @@
+process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+delete process.env.GITHUB_REPOSITORY_OWNER;
+
+// Verify `main` exits with an error when `GITHUB_REPOSITORY_OWNER` is missing.
+try {
+  await import("../main.js");
+} catch (error) {
+  console.error(error.message);
+}

tests/main-missing-repository.test.js

@@ -0,0 +1,8 @@
+delete process.env.GITHUB_REPOSITORY;
+
+// Verify `main` exits with an error when `GITHUB_REPOSITORY` is missing.
+try {
+  await import("../main.js");
+} catch (error) {
+  console.error(error.message);
+}

tests/main-private-key-with-escaped-newlines.test.js

@@ -0,0 +1,9 @@
+import { DEFAULT_ENV, test } from "./main.js";
+
+// Verify `main` works correctly when `private-key` input has escaped newlines
+await test(() => {
+  process.env["INPUT_PRIVATE-KEY"] = DEFAULT_ENV["INPUT_PRIVATE-KEY"].replace(
+    /\n/g,
+    "\\n"
+  );
+});

tests/main-proxy-requires-native-support.test.js

@@ -0,0 +1,14 @@
+process.env.GITHUB_REPOSITORY = "actions/create-github-app-token";
+process.env.GITHUB_REPOSITORY_OWNER = "actions";
+process.env.HTTPS_PROXY = "http://127.0.0.1:3128";
+
+const originalConsoleError = console.error;
+console.error = (...args) => {
+  originalConsoleError(
+    ...args.map((arg) => (arg instanceof Error ? arg.message : arg)),
+  );
+};
+
+await import("../main.js");
+await new Promise((resolve) => setImmediate(resolve));
+process.exitCode = 0;

tests/main-repo-skew.test.js

@@ -0,0 +1,64 @@
+import { mock } from "node:test";
+
+import { test } from "./main.js";
+
+// Verify `main` retry when the clock has drifted.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = "actions";
+  process.env.INPUT_REPOSITORIES = "failed-repo";
+  const owner = process.env.INPUT_OWNER;
+  const repo = process.env.INPUT_REPOSITORIES;
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+
+  mock.timers.enable({ apis: ["Date"], now: 0 });
+
+  mockPool
+    .intercept({
+      path: `/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(({ headers }) => {
+      const [_, jwt] = (headers.authorization || "").split(" ");
+      const payload = JSON.parse(
+        Buffer.from(jwt.split(".")[1], "base64").toString(),
+      );
+
+      if (payload.iat < 0) {
+        return {
+          statusCode: 401,
+          data: {
+            message:
+              "'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued.",
+          },
+          responseOptions: {
+            headers: {
+              "content-type": "application/json",
+              date: new Date(Date.now() + 30000).toUTCString(),
+            },
+          },
+        };
+      }
+
+      return {
+        statusCode: 200,
+        data: {
+          id: mockInstallationId,
+          app_slug: mockAppSlug,
+        },
+        responseOptions: {
+          headers: {
+            "content-type": "application/json",
+          },
+        },
+      };
+    })
+    .times(2);
+}).finally(() => {
+  mock.timers.reset();
+});

tests/main-token-get-owner-set-fail-response.test.js

@@ -0,0 +1,37 @@
+import { test } from "./main.js";
+
+// Verify retries work when getting a token for a user or organization fails on the first attempt.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = "smockle";
+  delete process.env.INPUT_REPOSITORIES;
+
+  // Mock installation ID and app slug request
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+  mockPool
+    .intercept({
+      path: `/users/smockle/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(500, "GitHub API not available");
+  mockPool
+    .intercept({
+      path: `/users/smockle/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId, app_slug: mockAppSlug },
+      { headers: { "content-type": "application/json" } },
+    );
+});

tests/main-token-get-owner-set-repo-fail-response.test.js

@@ -0,0 +1,39 @@
+import { test } from "./main.js";
+
+// Verify `main` retry when  the GitHub API returns a 500 error.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = "actions";
+  process.env.INPUT_REPOSITORIES = "failed-repo";
+  const owner = process.env.INPUT_OWNER;
+  const repo = process.env.INPUT_REPOSITORIES;
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+
+  mockPool
+    .intercept({
+      path: `/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(500, "GitHub API not available");
+
+  mockPool
+    .intercept({
+      path: `/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId, app_slug: mockAppSlug },
+      { headers: { "content-type": "application/json" } },
+    );
+});

tests/main-token-get-owner-set-repo-set-to-many-newline.test.js

@@ -0,0 +1,9 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` and `repositories` inputs are set (and the latter is a list of repos).
+await test(() => {
+  process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
+  const currentRepoName = process.env.GITHUB_REPOSITORY.split("/")[1];
+  // Intentional unnecessary whitespace to test parsing to array
+  process.env.INPUT_REPOSITORIES = `\n ${currentRepoName}\ntoolkit \n\n checkout \n`;
+});

tests/main-token-get-owner-set-repo-set-to-many.test.js

@@ -0,0 +1,9 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` and `repositories` inputs are set (and the latter is a list of repos).
+await test(() => {
+  process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
+  const currentRepoName = process.env.GITHUB_REPOSITORY.split("/")[1];
+  // Intentional unnecessary whitespace to test parsing to array
+  process.env.INPUT_REPOSITORIES = ` ${currentRepoName}, toolkit  ,checkout`;
+});

tests/main-token-get-owner-set-repo-set-to-one.test.js

@@ -0,0 +1,8 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` and `repositories` inputs are set (and the latter is a single repo).
+await test(() => {
+  process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
+  const currentRepoName = process.env.GITHUB_REPOSITORY.split("/")[1];
+  process.env.INPUT_REPOSITORIES = currentRepoName;
+});

tests/main-token-get-owner-set-repo-unset.test.js

@@ -0,0 +1,26 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` input is set, and the `repositories` input isn’t set.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = process.env.GITHUB_REPOSITORY_OWNER;
+  delete process.env.INPUT_REPOSITORIES;
+
+  // Mock installation ID and app slug request
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+  mockPool
+    .intercept({
+      path: `/users/${process.env.INPUT_OWNER}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId, app_slug: mockAppSlug },
+      { headers: { "content-type": "application/json" } },
+    );
+});

tests/main-token-get-owner-unset-repo-set.test.js

@@ -0,0 +1,8 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when the `owner` input is not set, but the `repositories` input is set.
+await test(() => {
+  delete process.env.INPUT_OWNER;
+  const currentRepoName = process.env.GITHUB_REPOSITORY.split("/")[1];
+  process.env.INPUT_REPOSITORIES = currentRepoName;
+});

tests/main-token-get-owner-unset-repo-unset.test.js

@@ -0,0 +1,26 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully obtains a token when neither the `owner` nor `repositories` input is set.
+await test((mockPool) => {
+  delete process.env.INPUT_OWNER;
+  delete process.env.INPUT_REPOSITORIES;
+
+  // Mock installation ID and app slug request
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+  mockPool
+    .intercept({
+      path: `/repos/${process.env.GITHUB_REPOSITORY}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId, app_slug: mockAppSlug },
+      { headers: { "content-type": "application/json" } },
+    );
+});

tests/main-token-permissions-set.test.js

@@ -0,0 +1,7 @@
+import { test } from "./main.js";
+
+// Verify `main` successfully sets permissions
+await test(() => {
+  process.env["INPUT_PERMISSION-ISSUES"] = `write`;
+  process.env["INPUT_PERMISSION-PULL-REQUESTS"] = `read`;
+});

tests/main.js

@@ -0,0 +1,125 @@
+// Base for all `main` tests.
+// @ts-check
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+export const DEFAULT_ENV = {
+  GITHUB_REPOSITORY_OWNER: "actions",
+  GITHUB_REPOSITORY: "actions/create-github-app-token",
+  // inputs are set as environment variables with the prefix INPUT_
+  // https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+  "INPUT_GITHUB-API-URL": "https://api.github.com",
+  "INPUT_SKIP-TOKEN-REVOKE": "false",
+  "INPUT_CLIENT-ID": "Iv1.0123456789abcdef",
+  // This key is invalidated. It’s from https://github.com/octokit/auth-app.js/issues/465#issuecomment-1564998327.
+  "INPUT_PRIVATE-KEY": `-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA280nfuUM9w00Ib9E2rvZJ6Qu3Ua3IqR34ZlK53vn/Iobn2EL
+Z9puc5Q/nFBU15NKwHyQNb+OG2hTCkjd1Xi9XPzEOH1r42YQmTGq8YCkUSkk6KZA
+5dnhLwN9pFquT9fQgrf4r1D5GJj3rqvj8JDr1sBmunArqY5u4gziSrIohcjLIZV0
+cIMz/RUIMe/EAsNeiwzEteHAtf/WpMs+OfF94SIUrDlkPr0H0H3DER8l1HZAvE0e
+eD3ZJ6njrF6UHQWDVrekSTB0clpVTTU9TMpe+gs2nnFww9G8As+WsW8xHVjVipJy
+AwqBhiR+s7wlcbh2i0NQqt8GL9/jIFTmleiwsQIDAQABAoIBAHNyP8pgl/yyzKzk
+/0871wUBMTQ7zji91dGCaFtJM0HrcDK4D/uOOPEv7nE1qDpKPLr5Me1pHUS7+NGw
+EAPtlNhgUtew2JfppdIwyi5qeOPADoi7ud6AH8xHsxg+IMwC+JuP8WhzyUHoJj9y
+PRi/pX94Mvy9qdE25HqKddjx1mLdaHhxqPkr16/em23uYZqm1lORsCPD3vTlthj7
+WiEbBSqmpYvjj8iFP4yFk2N+LvuWgSilRzq1Af3qE7PUp4xhjmcOPs78Sag1T7nl
+ww/pgqCegISABHik7j++/5T+UlI5cLsyp/XENU9zAd4kCIczwNKpun2bn+djJdft
+ravyX4ECgYEA+k2mHfi1zwKF3wT+cJbf30+uXrJczK2yZ33//4RKnhBaq7nSbQAI
+nhWz2JESBK0TEo0+L7yYYq3HnT9vcES5R1NxzruH9wXgxssSx3JUj6w1raXYPh3B
++1XpYQsa6/bo2LmBELEx47F8FQbNgD5dmTJ4jBrf6MV4rRh9h6Bs7UkCgYEA4M3K
+eAw52c2MNMIxH/LxdOQtEBq5GMu3AQC8I64DSSRrAoiypfEgyTV6S4gWJ5TKgYfD
+zclnOVJF+tITe3neO9wHoZp8iCjCnoijcT6p2cJ4IaW68LEHPOokWBk0EpLjF4p2
+7sFi9+lUpXYXfCN7aMJ77QpGzB7dNsBf0KUxMCkCgYEAjw/mjGbk82bLwUaHby6s
+0mQmk7V6WPpGZ+Sadx7TzzglutVAslA8nK5m1rdEBywtJINaMcqnhm8xEm15cj+1
+blEBUVnaQpQ3fyf+mcR9FIknPRL3X7l+b/sQowjH4GqFd6m/XR0KGMwO0a3Lsyry
+MGeqgtmxdMe5S6YdyXEmERECgYAgQsgklDSVIh9Vzux31kh6auhgoEUh3tJDbZSS
+Vj2YeIZ21aE1mTYISglj34K2aW7qSc56sMWEf18VkKJFHQccdgYOVfo7HAZZ8+fo
+r4J2gqb0xTDfq7gLMNrIXc2QQM4gKbnJp60JQM3p9NmH8huavBZGvSvNzTwXyGG3
+so0tiQKBgGQXZaxaXhYUcxYHuCkQ3V4Vsj3ezlM92xXlP32SGFm3KgFhYy9kATxw
+Cax1ytZzvlrKLQyQFVK1COs2rHt7W4cJ7op7C8zXfsigXCiejnS664oAuX8sQZID
+x3WQZRiXlWejSMUAHuMwXrhGlltF3lw83+xAjnqsVp75kGS6OH61
+-----END RSA PRIVATE KEY-----`,
+  // The Actions runner sets all inputs to empty strings if not set.
+  "INPUT_PERMISSION-ADMINISTRATION": "",
+};
+
+export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
+  for (const [key, value] of Object.entries(env)) {
+    process.env[key] = value;
+  }
+
+  // Set up mocking
+  const baseUrl = new URL(env["INPUT_GITHUB-API-URL"]);
+  const basePath = baseUrl.pathname === "/" ? "" : baseUrl.pathname;
+  const mockAgent = new MockAgent({ enableCallHistory: true });
+  mockAgent.disableNetConnect();
+  setGlobalDispatcher(mockAgent);
+  const mockPool = mockAgent.get(baseUrl.origin);
+
+  // Calling `auth({ type: "app" })` to obtain a JWT doesn’t make network requests, so no need to intercept.
+
+  // Mock installation ID and app slug request
+  const mockInstallationId = "123456";
+  const mockAppSlug = "github-actions";
+  const owner = env.INPUT_OWNER ?? env.GITHUB_REPOSITORY_OWNER;
+  const currentRepoName = env.GITHUB_REPOSITORY.split("/")[1];
+  const repo = encodeURIComponent(
+    (env.INPUT_REPOSITORIES ?? currentRepoName).split(",")[0]
+  );
+
+  mockPool
+    .intercept({
+      path: `${basePath}/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      200,
+      { id: mockInstallationId, app_slug: mockAppSlug },
+      { headers: { "content-type": "application/json" } }
+    );
+
+  // Mock installation access token request
+  const mockInstallationAccessToken =
+    "ghs_16C7e42F292c6912E7710c838347Ae178B4a"; // This token is invalidated. It’s from https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app.
+  const mockExpiresAt = "2016-07-11T22:14:10Z";
+
+  mockPool
+    .intercept({
+      path: `${basePath}/app/installations/${mockInstallationId}/access_tokens`,
+      method: "POST",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Note: Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(
+      201,
+      { token: mockInstallationAccessToken, expires_at: mockExpiresAt },
+      { headers: { "content-type": "application/json" } }
+    );
+
+  // Run the callback
+  cb(mockPool);
+
+  // Run the main script
+  const { default: promise } = await import("../main.js");
+  await promise;
+
+  console.log("--- REQUESTS ---");
+  const calls = mockAgent
+    .getCallHistory()
+    .calls()
+    .map((call) => {
+      const route = `${call.method} ${call.path}`;
+      if (call.method === "GET") return route;
+
+      return `${route}\n${call.body}`;
+    });
+
+  console.log(calls.join("\n"));
+}

tests/post-proxy-requires-native-support.test.js

@@ -0,0 +1,13 @@
+process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+process.env.HTTPS_PROXY = "http://127.0.0.1:3128";
+
+const originalConsoleError = console.error;
+console.error = (...args) => {
+  originalConsoleError(
+    ...args.map((arg) => (arg instanceof Error ? arg.message : arg)),
+  );
+};
+
+await import("../post.js");
+await new Promise((resolve) => setImmediate(resolve));
+process.exitCode = 0;

tests/post-revoke-token-fail-response.test.js

@@ -0,0 +1,35 @@
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+process.env.STATE_token = "secret123";
+
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
+
+// 1 hour in the future, not expired
+process.env.STATE_expiresAt = new Date(
+  Date.now() + 1000 * 60 * 60
+).toISOString();
+
+const mockAgent = new MockAgent();
+
+setGlobalDispatcher(mockAgent);
+
+// Provide the base url to the request
+const mockPool = mockAgent.get("https://api.github.com");
+
+// intercept the request
+mockPool
+  .intercept({
+    path: "/installation/token",
+    method: "DELETE",
+    headers: {
+      authorization: "token secret123",
+    },
+  })
+  .reply(401);
+
+await import("../post.js");

tests/post-token-expired.test.js

@@ -0,0 +1,32 @@
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+process.env.STATE_token = "secret123";
+
+// 1 hour in the past, expired
+process.env.STATE_expiresAt = new Date(Date.now() - 1000 * 60 * 60).toISOString();
+
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
+
+const mockAgent = new MockAgent();
+
+setGlobalDispatcher(mockAgent);
+
+// Provide the base url to the request
+const mockPool = mockAgent.get("https://api.github.com");
+
+// intercept the request
+mockPool
+  .intercept({
+    path: "/installation/token",
+    method: "DELETE",
+    headers: {
+      authorization: "token secret123",
+    },
+  })
+  .reply(204);
+
+await import("../post.js");

tests/post-token-set.test.js

@@ -0,0 +1,33 @@
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+process.env.STATE_token = "secret123";
+
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
+
+// 1 hour in the future, not expired
+process.env.STATE_expiresAt = new Date(Date.now() + 1000 * 60 * 60).toISOString();
+
+const mockAgent = new MockAgent();
+
+setGlobalDispatcher(mockAgent);
+
+// Provide the base url to the request
+const mockPool = mockAgent.get("https://api.github.com");
+
+// intercept the request
+mockPool
+  .intercept({
+    path: "/installation/token",
+    method: "DELETE",
+    headers: {
+      authorization: "token secret123",
+    },
+  })
+  .reply(204);
+
+await import("../post.js");

tests/post-token-skipped.test.js

@@ -0,0 +1,29 @@
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+process.env.STATE_token = "secret123";
+
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "true";
+
+const mockAgent = new MockAgent();
+
+setGlobalDispatcher(mockAgent);
+
+// Provide the base url to the request
+const mockPool = mockAgent.get("https://api.github.com");
+
+// intercept the request
+mockPool
+  .intercept({
+    path: "/installation/token",
+    method: "DELETE",
+    headers: {
+      authorization: "token secret123",
+    },
+  })
+  .reply(204);
+
+await import("../post.js");

tests/post-token-unset.test.js

@@ -0,0 +1,9 @@
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+delete process.env.STATE_token;
+
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
+
+await import("../post.js");