fix: mask the installation token in logs (#28)

The runner will automatically mask GitHub token formats it recognizes,
but sometimes a new pattern rolls out before the runner is updated to
recognize it.

.github/dependabot.yml

@@ -4,6 +4,15 @@ updates:
     directory: "/"
     schedule:
       interval: "monthly"
+    groups:
+      production-dependencies:
+        dependency-type: "production"
+      development-dependencies:
+        dependency-type: "development"
+    commit-message:
+      prefix: "fix"
+      prefix-development: "build"
+      include: "scope"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:

.github/workflows/test.yml

@@ -1,5 +1,10 @@
 name: test
-on: [push]
+on:
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   test:
@@ -13,14 +18,14 @@ jobs:
       - run: npm ci
       - run: npm run build
       - uses: ./ # Uses the action in the root directory
-        id: demo
+        id: test
         with:
           app_id: ${{ vars.TEST_APP_ID }}
           private_key: ${{ secrets.TEST_APP_PRIVATE_KEY }}
       - uses: octokit/request-action@v2.x
         id: get-repository
         env:
-          GITHUB_TOKEN: ${{ steps.demo.outputs.token }}
+          GITHUB_TOKEN: ${{ steps.test.outputs.token }}
         with:
           route: GET /installation/repositories
       - run: echo '${{ steps.get-repository.outputs.data }}'

lib/main.js

@@ -52,6 +52,9 @@ export async function main(
     repositoryNames: [repo],
   });
 
+  // Register the token with the runner as a secret to ensure it is masked in logs
+  core.setSecret(authentication.token);
+
   core.setOutput("token", authentication.token);
 
   // Make token accessible to post function (so we can invalidate it)