docs: use APP_ prefix instead of reserved GITHUB_ prefix (#363 )

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
build(release): 3.1.1 [skip ci]
2026-04-21 09:56:11 -07:00 · 2026-04-11 06:43:26 +00:00 · 2026-04-10 23:42:53 -07:00 · 2026-04-10 23:01:59 -07:00
7 changed files with 32 additions and 49 deletions
--- a/.github/workflows/publish-immutable-action.yml
+++ b/.github/workflows/publish-immutable-action.yml
@@ -1,17 +0,0 @@
-name: 'Publish Immutable Action'
-
-on:
-  release:
-    types: [published]
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-    steps:
-      - uses: actions/checkout@v6
-      - name: Publish Immutable Action
-        uses: actions/publish-immutable-action@v0.0.4
--- a/README.md
+++ b/README.md
@@ -9,10 +9,10 @@ GitHub Action for creating a GitHub App installation access token.
 In order to use this action, you need to:

 1. [Register new GitHub App](https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app).
-2. [Store the App's Client ID in your repository environment variables](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables#defining-configuration-variables-for-multiple-workflows) (example: `GITHUB_APP_CLIENT_ID`).
-3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets?tool=webui#creating-secrets-for-a-repository) (example: `GITHUB_APP_PRIVATE_KEY`).
+2. [Store the App's Client ID in your repository variables](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_CLIENT_ID`).
+3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets?tool=webui#creating-secrets-for-a-repository) (example: `APP_PRIVATE_KEY`).

-> [!IMPORTANT]  
+> [!IMPORTANT]
 > An installation access token expires after 1 hour. Please [see this comment](https://github.com/actions/create-github-app-token/issues/121#issuecomment-2043214796) for alternative approaches if you have long-running processes.

 ### Create a token for the current repository
@@ -31,8 +31,8 @@ jobs:
      - uses: actions/create-github-app-token@v3
        id: app-token
        with:
-          client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
-          private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - uses: ./actions/staging-tests
        with:
          token: ${{ steps.app-token.outputs.token }}
@@ -51,8 +51,8 @@ jobs:
        id: app-token
        with:
          # required
-          client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
-          private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - uses: actions/checkout@v6
        with:
          token: ${{ steps.app-token.outputs.token }}
@@ -77,8 +77,8 @@ jobs:
        id: app-token
        with:
          # required
-          client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
-          private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - name: Get GitHub App User ID
        id: get-user-id
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
@@ -102,8 +102,8 @@ jobs:
        id: app-token
        with:
          # required
-          client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
-          private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - name: Get GitHub App User ID
        id: get-user-id
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
@@ -138,8 +138,8 @@ jobs:
      - uses: actions/create-github-app-token@v3
        id: app-token
        with:
-          client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
-          private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
      - uses: peter-evans/create-or-update-comment@v4
        with:
@@ -160,8 +160,8 @@ jobs:
      - uses: actions/create-github-app-token@v3
        id: app-token
        with:
-          client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
-          private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: |
            repo1
@@ -185,8 +185,8 @@ jobs:
      - uses: actions/create-github-app-token@v3
        id: app-token
        with:
-          client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
-          private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: another-owner
      - uses: peter-evans/create-or-update-comment@v4
        with:
@@ -210,8 +210,8 @@ jobs:
      - uses: actions/create-github-app-token@v3
        id: app-token
        with:
-          client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
-          private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          permission-issues: write
      - uses: peter-evans/create-or-update-comment@v4
@@ -252,8 +252,8 @@ jobs:
      - uses: actions/create-github-app-token@v3
        id: app-token
        with:
-          client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
-          private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}
+          client-id: ${{ vars.APP_CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ matrix.owners-and-repos.owner }}
          repositories: ${{ join(matrix.owners-and-repos.repos) }}
      - uses: octokit/request-action@v2.x
@@ -310,8 +310,8 @@ If you set `HTTP_PROXY` or `HTTPS_PROXY`, also set `NODE_USE_ENV_PROXY: "1"` on
    NO_PROXY: github.example.com
    NODE_USE_ENV_PROXY: "1"
  with:
-    client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
-    private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}
+    client-id: ${{ vars.APP_CLIENT_ID }}
+    private-key: ${{ secrets.APP_PRIVATE_KEY }}
 ```

 ## Inputs
@@ -334,14 +334,14 @@ steps:
  - name: Decode the GitHub App Private Key
    id: decode
    run: |
-      private_key=$(echo "${{ secrets.GITHUB_APP_PRIVATE_KEY }}" | base64 -d | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null
+      private_key=$(echo "${{ secrets.APP_PRIVATE_KEY }}" | base64 -d | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null
      echo "::add-mask::$private_key"
      echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
  - name: Generate GitHub App Token
    id: app-token
    uses: actions/create-github-app-token@v3
    with:
-      client-id: ${{ vars.GITHUB_APP_CLIENT_ID }}
+      client-id: ${{ vars.APP_CLIENT_ID }}
      private-key: ${{ steps.decode.outputs.private-key }}
 ```

--- a/dist/main.cjs
+++ b/dist/main.cjs
@@ -23352,7 +23352,7 @@ async function run() {
  ensureNativeProxySupport();
  const clientId = getInput("client-id") || getInput("app-id");
  if (!clientId) {
-    throw new Error("Either 'client-id' or 'app-id' input must be set");
+    throw new Error("The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.");
  }
  const privateKey = getInput("private-key");
  const owner = getInput("owner");
--- a/main.js
+++ b/main.js
@@ -20,7 +20,7 @@ async function run() {

  const clientId = core.getInput("client-id") || core.getInput("app-id");
  if (!clientId) {
-    throw new Error("Either 'client-id' or 'app-id' input must be set");
+    throw new Error("The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.");
  }
  const privateKey = core.getInput("private-key");
  const owner = core.getInput("owner");
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "create-github-app-token",
-  "version": "3.1.0",
+  "version": "3.1.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "create-github-app-token",
-      "version": "3.1.0",
+      "version": "3.1.1",
      "license": "MIT",
      "dependencies": {
        "@actions/core": "^3.0.0",
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
  "name": "create-github-app-token",
  "private": true,
  "type": "module",
-  "version": "3.1.0",
+  "version": "3.1.1",
  "description": "GitHub Action for creating a GitHub App Installation Access Token",
  "engines": {
    "node": ">=24.4.0"
--- a/tests/index.js.snapshot
+++ b/tests/index.js.snapshot
@@ -56,11 +56,11 @@ POST /api/v3/app/installations/123456/access_tokens
 `;

 exports[`main-missing-client-and-app-id.test.js > stderr 1`] = `
-Either 'client-id' or 'app-id' input must be set
+The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.
 `;

 exports[`main-missing-client-and-app-id.test.js > stdout 1`] = `
-::error::Either 'client-id' or 'app-id' input must be set
+::error::The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.
 `;

 exports[`main-missing-owner.test.js > stderr 1`] = `
Author	SHA1	Message	Date
Josh Johanning	7989d206df	docs: use `APP_` prefix instead of reserved `GITHUB_` prefix (#363 ) Some checks failed release / release (push) Has been cancelled Details test / integration (push) Has been cancelled Details test / end-to-end (push) Has been cancelled Details test / end-to-end with unreachable proxy (push) Has been cancelled Details Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-04-21 09:56:11 -07:00
semantic-release-bot	1b10c78c78	build(release): 3.1.1 [skip ci] ## [3.1.1](https://github.com/actions/create-github-app-token/compare/v3.1.0...v3.1.1) (2026-04-11) ### Bug Fixes * improve error message when app identifier is empty ([#362](https://github.com/actions/create-github-app-token/issues/362)) ([`07e2b76`](`07e2b76066`)), closes [#249](https://github.com/actions/create-github-app-token/issues/249)	2026-04-11 06:43:26 +00:00
Parker Brown	07e2b76066	fix: improve error message when app identifier is empty (#362 ) When `client-id` (or the deprecated `app-id`) resolves to an empty string, for example because a secret or variable is not available in the workflow context, the error message from `@octokit/auth-app` is not very helpful: ``` [@octokit/auth-app] appId option is required ``` A validation check was added recently to catch this earlier, but its message could be more informative: ``` Either 'client-id' or 'app-id' input must be set ``` This updates the message to clarify that the value resolved to empty and nudges users toward checking their secret or variable availability: ``` The 'client-id' input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context. ``` Closes #249 --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-04-10 23:42:53 -07:00
Parker Brown	ea0121618b	ci: remove publish-immutable-action workflow (#361 ) The `publish-immutable-action` workflow uses `actions/publish-immutable-action@v0.0.4`. The Immutable Actions Publishing feature (OCI-based) has been paused with no GA timeline. This removes the workflow; it can be re-added when the feature becomes generally available. To fully address #352, the repository-level immutable releases setting has also be enabled. This [feature](https://github.blog/changelog/2025-10-28-immutable-releases-are-now-generally-available/) locks release tags and assets after publication, directly preventing the class of attack described in [GHSA-mrrh-fwg8-r2c3](https://github.com/advisories/GHSA-mrrh-fwg8-r2c3). The existing release workflow is compatible with immutable releases. Build artifacts are committed via `@semantic-release/git` before the tag is created, and major version tags (`v3`, etc.) are plain git tags (not releases) so they remain updatable.	2026-04-10 23:01:59 -07:00