actions/create-github-app-token
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: actions:v3.1.0
Branches Tags
actions:main
actions:v3.1.1 actions:v3 actions:v3.1.0 actions:v3.0.0 actions:v3.0.0-beta.6 actions:v2.2.2 actions:v2 actions:v3.0.0-beta.5 actions:v3.0.0-beta.4 actions:v3.0.0-beta.3 actions:v2.2.1 actions:v2.2.0 actions:v2.1.4 actions:v2.1.3 actions:v2.1.2 actions:v3.0.0-beta.2 actions:v3.0.0-beta.1 actions:v2.1.1 actions:v2.1.0 actions:v2.0.6 actions:v2.0.5 actions:v2.0.4 actions:v2.0.3 actions:v2.0.2 actions:v2.0.1 actions:v2.0.0 actions:v1.12.0 actions:v1 actions:v1.11.7 actions:v1.11.6 actions:v1.11.5 actions:v1.11.4 actions:v1.11.3 actions:v1.11.2 actions:v1.11.1 actions:v1.11.0 actions:v1.10.4 actions:v1.10.3 actions:v1.10.2 actions:v1.10.1 actions:v1.10.0 actions:v1.9.3 actions:v1.9.2 actions:v1.9.1 actions:v1.9.0 actions:v1.8.2 actions:v1.8.1 actions:v1.8.0 actions:v1.7.0 actions:v1.6.4 actions:v1.6.3 actions:v1.6.2 actions:v1.6.1 actions:v1.6.0 actions:v1.5.1 actions:v1.5.0 actions:v1.4.0 actions:v1.3.0 actions:v1.2.2 actions:v1.2.1 actions:v1.2.0 actions:v1.1.5 actions:v1.1.4 actions:v1.1.3 actions:v1.1.2 actions:v1.1.1 actions:v1.1.0 actions:v1.0.5 actions:v1.0.4 actions:v1.0.3 actions:v1.0.2 actions:v1.0.1 actions:v1.0.0
...
compare: actions:main
Branches Tags
actions:main
actions:v3.1.1 actions:v3 actions:v3.1.0 actions:v3.0.0 actions:v3.0.0-beta.6 actions:v2.2.2 actions:v2 actions:v3.0.0-beta.5 actions:v3.0.0-beta.4 actions:v3.0.0-beta.3 actions:v2.2.1 actions:v2.2.0 actions:v2.1.4 actions:v2.1.3 actions:v2.1.2 actions:v3.0.0-beta.2 actions:v3.0.0-beta.1 actions:v2.1.1 actions:v2.1.0 actions:v2.0.6 actions:v2.0.5 actions:v2.0.4 actions:v2.0.3 actions:v2.0.2 actions:v2.0.1 actions:v2.0.0 actions:v1.12.0 actions:v1 actions:v1.11.7 actions:v1.11.6 actions:v1.11.5 actions:v1.11.4 actions:v1.11.3 actions:v1.11.2 actions:v1.11.1 actions:v1.11.0 actions:v1.10.4 actions:v1.10.3 actions:v1.10.2 actions:v1.10.1 actions:v1.10.0 actions:v1.9.3 actions:v1.9.2 actions:v1.9.1 actions:v1.9.0 actions:v1.8.2 actions:v1.8.1 actions:v1.8.0 actions:v1.7.0 actions:v1.6.4 actions:v1.6.3 actions:v1.6.2 actions:v1.6.1 actions:v1.6.0 actions:v1.5.1 actions:v1.5.0 actions:v1.4.0 actions:v1.3.0 actions:v1.2.2 actions:v1.2.1 actions:v1.2.0 actions:v1.1.5 actions:v1.1.4 actions:v1.1.3 actions:v1.1.2 actions:v1.1.1 actions:v1.1.0 actions:v1.0.5 actions:v1.0.4 actions:v1.0.3 actions:v1.0.2 actions:v1.0.1 actions:v1.0.0

4 Commits
v3.1.0 ... main

Author SHA1 Message Date
Josh Johanning
7989d206df docs: use APP_ prefix instead of reserved GITHUB_ prefix (#363)
Some checks failed
release / release (push) Has been cancelled
Details
test / integration (push) Has been cancelled
Details
test / end-to-end (push) Has been cancelled
Details
test / end-to-end with unreachable proxy (push) Has been cancelled
Details 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
 2026-04-21 09:56:11 -07:00
semantic-release-bot
1b10c78c78 build(release): 3.1.1 [skip ci] 
## [3.1.1](https://github.com/actions/create-github-app-token/compare/v3.1.0...v3.1.1) (2026-04-11)

### Bug Fixes

* improve error message when app identifier is empty ([#362](https://github.com/actions/create-github-app-token/issues/362)) ([07e2b76](07e2b76066)), closes [#249](https://github.com/actions/create-github-app-token/issues/249)
 2026-04-11 06:43:26 +00:00
Parker Brown
07e2b76066 fix: improve error message when app identifier is empty (#362) 
When `client-id` (or the deprecated `app-id`) resolves to an empty
string, for example because a secret or variable is not available in the
workflow context, the error message from `@octokit/auth-app` is not very
helpful:

```
[@octokit/auth-app] appId option is required
```

A validation check was added recently to catch this earlier, but its
message could be more informative:

```
Either 'client-id' or 'app-id' input must be set
```

This updates the message to clarify that the value resolved to empty and
nudges users toward checking their secret or variable availability:

```
The 'client-id' input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.
```

Closes #249

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-04-10 23:42:53 -07:00
Parker Brown
ea0121618b ci: remove publish-immutable-action workflow (#361) 
The `publish-immutable-action` workflow uses `actions/publish-immutable-action@v0.0.4`. The Immutable Actions Publishing feature (OCI-based) has been paused with no GA timeline. This removes the workflow; it can be re-added when the feature becomes generally available.

To fully address #352, the repository-level **immutable releases** setting has also be enabled. This [feature](https://github.blog/changelog/2025-10-28-immutable-releases-are-now-generally-available/) locks release tags and assets after publication, directly preventing the class of attack described in [GHSA-mrrh-fwg8-r2c3](https://github.com/advisories/GHSA-mrrh-fwg8-r2c3).

The existing release workflow is compatible with immutable releases. Build artifacts are committed via `@semantic-release/git` before the tag is created, and major version tags (`v3`, etc.) are plain git tags (not releases) so they remain updatable.
 2026-04-10 23:01:59 -07:00
7 changed files with 32 additions and 49 deletions
Expand all files Collapse all files

17
.github/workflows/publish-immutable-action.yml vendored
View File

@@ -1,17 +0,0 @@
name: 'Publish Immutable Action'
on:
release:
types: [published]
jobs:
publish:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
packages: write
steps:
- uses: actions/checkout@v6
- name: Publish Immutable Action
uses: actions/publish-immutable-action@v0.0.4

48
README.md
View File

@@ -9,8 +9,8 @@ GitHub Action for creating a GitHub App installation access token.
In order to use this action, you need to: In order to use this action, you need to:
1. [Register new GitHub App](https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app). 1. [Register new GitHub App](https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app).
2. [Store the App's Client ID in your repository environment variables](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables#defining-configuration-variables-for-multiple-workflows) (example: `GITHUB_APP_CLIENT_ID`). 2. [Store the App's Client ID in your repository variables](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_CLIENT_ID`).
3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets?tool=webui#creating-secrets-for-a-repository) (example: `GITHUB_APP_PRIVATE_KEY`). 3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets?tool=webui#creating-secrets-for-a-repository) (example: `APP_PRIVATE_KEY`).
> [!IMPORTANT] > [!IMPORTANT]
> An installation access token expires after 1 hour. Please [see this comment](https://github.com/actions/create-github-app-token/issues/121#issuecomment-2043214796) for alternative approaches if you have long-running processes. > An installation access token expires after 1 hour. Please [see this comment](https://github.com/actions/create-github-app-token/issues/121#issuecomment-2043214796) for alternative approaches if you have long-running processes.
@@ -31,8 +31,8 @@ jobs:
- uses: actions/create-github-app-token@v3 - uses: actions/create-github-app-token@v3
id: app-token id: app-token
with: with:
client-id: ${{ vars.GITHUB_APP_CLIENT_ID }} client-id: ${{ vars.APP_CLIENT_ID }}
private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }} private-key: ${{ secrets.APP_PRIVATE_KEY }}
- uses: ./actions/staging-tests - uses: ./actions/staging-tests
with: with:
token: ${{ steps.app-token.outputs.token }} token: ${{ steps.app-token.outputs.token }}
@@ -51,8 +51,8 @@ jobs:
id: app-token id: app-token
with: with:
# required # required
client-id: ${{ vars.GITHUB_APP_CLIENT_ID }} client-id: ${{ vars.APP_CLIENT_ID }}
private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }} private-key: ${{ secrets.APP_PRIVATE_KEY }}
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with: with:
token: ${{ steps.app-token.outputs.token }} token: ${{ steps.app-token.outputs.token }}
@@ -77,8 +77,8 @@ jobs:
id: app-token id: app-token
with: with:
# required # required
client-id: ${{ vars.GITHUB_APP_CLIENT_ID }} client-id: ${{ vars.APP_CLIENT_ID }}
private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }} private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Get GitHub App User ID - name: Get GitHub App User ID
id: get-user-id id: get-user-id
run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
@@ -102,8 +102,8 @@ jobs:
id: app-token id: app-token
with: with:
# required # required
client-id: ${{ vars.GITHUB_APP_CLIENT_ID }} client-id: ${{ vars.APP_CLIENT_ID }}
private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }} private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Get GitHub App User ID - name: Get GitHub App User ID
id: get-user-id id: get-user-id
run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
@@ -138,8 +138,8 @@ jobs:
- uses: actions/create-github-app-token@v3 - uses: actions/create-github-app-token@v3
id: app-token id: app-token
with: with:
client-id: ${{ vars.GITHUB_APP_CLIENT_ID }} client-id: ${{ vars.APP_CLIENT_ID }}
private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }} private-key: ${{ secrets.APP_PRIVATE_KEY }}
owner: ${{ github.repository_owner }} owner: ${{ github.repository_owner }}
- uses: peter-evans/create-or-update-comment@v4 - uses: peter-evans/create-or-update-comment@v4
with: with:
@@ -160,8 +160,8 @@ jobs:
- uses: actions/create-github-app-token@v3 - uses: actions/create-github-app-token@v3
id: app-token id: app-token
with: with:
client-id: ${{ vars.GITHUB_APP_CLIENT_ID }} client-id: ${{ vars.APP_CLIENT_ID }}
private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }} private-key: ${{ secrets.APP_PRIVATE_KEY }}
owner: ${{ github.repository_owner }} owner: ${{ github.repository_owner }}
repositories: | repositories: |
repo1 repo1
@@ -185,8 +185,8 @@ jobs:
- uses: actions/create-github-app-token@v3 - uses: actions/create-github-app-token@v3
id: app-token id: app-token
with: with:
client-id: ${{ vars.GITHUB_APP_CLIENT_ID }} client-id: ${{ vars.APP_CLIENT_ID }}
private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }} private-key: ${{ secrets.APP_PRIVATE_KEY }}
owner: another-owner owner: another-owner
- uses: peter-evans/create-or-update-comment@v4 - uses: peter-evans/create-or-update-comment@v4
with: with:
@@ -210,8 +210,8 @@ jobs:
- uses: actions/create-github-app-token@v3 - uses: actions/create-github-app-token@v3
id: app-token id: app-token
with: with:
client-id: ${{ vars.GITHUB_APP_CLIENT_ID }} client-id: ${{ vars.APP_CLIENT_ID }}
private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }} private-key: ${{ secrets.APP_PRIVATE_KEY }}
owner: ${{ github.repository_owner }} owner: ${{ github.repository_owner }}
permission-issues: write permission-issues: write
- uses: peter-evans/create-or-update-comment@v4 - uses: peter-evans/create-or-update-comment@v4
@@ -252,8 +252,8 @@ jobs:
- uses: actions/create-github-app-token@v3 - uses: actions/create-github-app-token@v3
id: app-token id: app-token
with: with:
client-id: ${{ vars.GITHUB_APP_CLIENT_ID }} client-id: ${{ vars.APP_CLIENT_ID }}
private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }} private-key: ${{ secrets.APP_PRIVATE_KEY }}
owner: ${{ matrix.owners-and-repos.owner }} owner: ${{ matrix.owners-and-repos.owner }}
repositories: ${{ join(matrix.owners-and-repos.repos) }} repositories: ${{ join(matrix.owners-and-repos.repos) }}
- uses: octokit/request-action@v2.x - uses: octokit/request-action@v2.x
@@ -310,8 +310,8 @@ If you set `HTTP_PROXY` or `HTTPS_PROXY`, also set `NODE_USE_ENV_PROXY: "1"` on
NO_PROXY: github.example.com NO_PROXY: github.example.com
NODE_USE_ENV_PROXY: "1" NODE_USE_ENV_PROXY: "1"
with: with:
client-id: ${{ vars.GITHUB_APP_CLIENT_ID }} client-id: ${{ vars.APP_CLIENT_ID }}
private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }} private-key: ${{ secrets.APP_PRIVATE_KEY }}
``` ```
## Inputs ## Inputs
@@ -334,14 +334,14 @@ steps:
- name: Decode the GitHub App Private Key - name: Decode the GitHub App Private Key
id: decode id: decode
run: | run: |
private_key=$(echo "${{ secrets.GITHUB_APP_PRIVATE_KEY }}" | base64 -d | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null private_key=$(echo "${{ secrets.APP_PRIVATE_KEY }}" | base64 -d | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null
echo "::add-mask::$private_key" echo "::add-mask::$private_key"
echo "private-key=$private_key" >> "$GITHUB_OUTPUT" echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
- name: Generate GitHub App Token - name: Generate GitHub App Token
id: app-token id: app-token
uses: actions/create-github-app-token@v3 uses: actions/create-github-app-token@v3
with: with:
client-id: ${{ vars.GITHUB_APP_CLIENT_ID }} client-id: ${{ vars.APP_CLIENT_ID }}
private-key: ${{ steps.decode.outputs.private-key }} private-key: ${{ steps.decode.outputs.private-key }}
``` ```

2
dist/main.cjs vendored
View File

@@ -23352,7 +23352,7 @@ async function run() {
ensureNativeProxySupport(); ensureNativeProxySupport();
const clientId = getInput("client-id") || getInput("app-id"); const clientId = getInput("client-id") || getInput("app-id");
if (!clientId) { if (!clientId) {
throw new Error("Either 'client-id' or 'app-id' input must be set"); throw new Error("The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.");
} }
const privateKey = getInput("private-key"); const privateKey = getInput("private-key");
const owner = getInput("owner"); const owner = getInput("owner");

2
main.js
View File

@@ -20,7 +20,7 @@ async function run() {
const clientId = core.getInput("client-id") || core.getInput("app-id"); const clientId = core.getInput("client-id") || core.getInput("app-id");
if (!clientId) { if (!clientId) {
throw new Error("Either 'client-id' or 'app-id' input must be set"); throw new Error("The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.");
} }
const privateKey = core.getInput("private-key"); const privateKey = core.getInput("private-key");
const owner = core.getInput("owner"); const owner = core.getInput("owner");

4
package-lock.json generated
View File

@@ -1,12 +1,12 @@
{ {
"name": "create-github-app-token", "name": "create-github-app-token",
"version": "3.1.0", "version": "3.1.1",
"lockfileVersion": 3, "lockfileVersion": 3,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "create-github-app-token", "name": "create-github-app-token",
"version": "3.1.0", "version": "3.1.1",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/core": "^3.0.0", "@actions/core": "^3.0.0",

2
package.json
View File

@@ -2,7 +2,7 @@
"name": "create-github-app-token", "name": "create-github-app-token",
"private": true, "private": true,
"type": "module", "type": "module",
"version": "3.1.0", "version": "3.1.1",
"description": "GitHub Action for creating a GitHub App Installation Access Token", "description": "GitHub Action for creating a GitHub App Installation Access Token",
"engines": { "engines": {
"node": ">=24.4.0" "node": ">=24.4.0"

4
tests/index.js.snapshot
View File

@@ -56,11 +56,11 @@ POST /api/v3/app/installations/123456/access_tokens
`; `;
exports[`main-missing-client-and-app-id.test.js > stderr 1`] = ` exports[`main-missing-client-and-app-id.test.js > stderr 1`] = `
Either 'client-id' or 'app-id' input must be set The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.
`; `;
exports[`main-missing-client-and-app-id.test.js > stdout 1`] = ` exports[`main-missing-client-and-app-id.test.js > stdout 1`] = `
::error::Either 'client-id' or 'app-id' input must be set ::error::The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.
`; `;
exports[`main-missing-owner.test.js > stderr 1`] = ` exports[`main-missing-owner.test.js > stderr 1`] = `