From a3c826a2042b1cef171cbabedfd93c93623f4061 Mon Sep 17 00:00:00 2001 From: nakatani-yo <32811020+nakatani-yo@users.noreply.github.com> Date: Fri, 11 Apr 2025 03:39:20 +0900 Subject: [PATCH 1/4] docs: fix typo in CONTRIBUTING.md (#233) --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 566a8fe..8bcfa29 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -12,4 +12,4 @@ Run tests locally npm test ``` -Learn more about how the tests work in [test/README.md](test/README.md). +Learn more about how the tests work in [tests/README.md](tests/README.md). From 9ba274d954c9af64fbf4cec63082d0e3f57e9b5f Mon Sep 17 00:00:00 2001 From: CarolMebiom <59604360+CarolMebiom@users.noreply.github.com> Date: Fri, 25 Apr 2025 19:32:06 +0100 Subject: [PATCH 2/4] fix(README): use `v2` in examples (#234) Fixes #232 --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 91efed1..4a73bc3 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: app-id: ${{ vars.APP_ID }} @@ -47,7 +47,7 @@ jobs: auto-format: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: # required @@ -73,7 +73,7 @@ jobs: auto-format: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: # required @@ -98,7 +98,7 @@ jobs: auto-format: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: # required @@ -135,7 +135,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: app-id: ${{ vars.APP_ID }} @@ -157,7 +157,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: app-id: ${{ vars.APP_ID }} @@ -182,7 +182,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: app-id: ${{ vars.APP_ID }} @@ -207,7 +207,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: app-id: ${{ vars.APP_ID }} @@ -249,7 +249,7 @@ jobs: owners-and-repos: ${{ fromJson(needs.set-matrix.outputs.matrix) }} steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: app-id: ${{ vars.APP_ID }} @@ -279,7 +279,7 @@ jobs: steps: - name: Create GitHub App token id: create_token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@v2 with: app-id: ${{ vars.GHES_APP_ID }} private-key: ${{ secrets.GHES_APP_PRIVATE_KEY }} @@ -318,7 +318,7 @@ steps: echo "private-key=$private_key" >> "$GITHUB_OUTPUT" - name: Generate GitHub App Token id: app-token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@v2 with: app-id: ${{ vars.APP_ID }} private-key: ${{ steps.decode.outputs.private-key }} From c3c17c79ccedec31f588e88d6ad5ff9036afe580 Mon Sep 17 00:00:00 2001 From: Yuta Kasai Date: Sat, 26 Apr 2025 03:59:34 +0900 Subject: [PATCH 3/4] fix: use `core.getBooleanInput()` to retrieve boolean input values (#223) This PR switches from evaluating values passed to `skip-token-revoke` as true if they are truthy in JavaScript, to using `getBooleanInput`. This change ensures that only proper YAML boolean values are recognized, preventing unintended evaluations to true. - The definition of `getBooleanInput` is here: definition of `core#getBooealnInput` is here: https://github.com/actions/toolkit/blob/930c89072712a3aac52d74b23338f00bb0cfcb24/packages/core/src/core.ts#L188-L208 The documentation states, `"If truthy, the token will not be revoked when the current job is complete"`, so this change could be considered a breaking change. This means that if there are users who rely on `truthy` and expect values like whitespace or `"false"` to be evaluated as true (though this is likely rare), it would be a breaking change. - `Boolean(" ")` and `Boolean("false")` are both evaluated as true. Alternatively, it can simply be considered a fix. How to handle this is up to the maintainer. Resolves https://github.com/actions/create-github-app-token/issues/216 --- README.md | 4 ++-- action.yml | 3 ++- lib/post.js | 2 +- main.js | 2 +- tests/main.js | 1 + tests/post-revoke-token-fail-response.test.js | 1 + tests/post-token-expired.test.js | 4 ++++ tests/post-token-set.test.js | 1 + tests/post-token-unset.test.js | 4 ++++ 9 files changed, 17 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 4a73bc3..f72b653 100644 --- a/README.md +++ b/README.md @@ -343,7 +343,7 @@ The reason we define one `permision-` input per permission is t ### `skip-token-revoke` -**Optional:** If truthy, the token will not be revoked when the current job is complete. +**Optional:** If true, the token will not be revoked when the current job is complete. ### `github-api-url` @@ -370,7 +370,7 @@ The action creates an installation access token using [the `POST /app/installati 1. The token is scoped to the current repository or `repositories` if set. 2. The token inherits all the installation's permissions. 3. The token is set as output `token` which can be used in subsequent steps. -4. Unless the `skip-token-revoke` input is set to a truthy value, the token is revoked in the `post` step of the action, which means it cannot be passed to another job. +4. Unless the `skip-token-revoke` input is set to true, the token is revoked in the `post` step of the action, which means it cannot be passed to another job. 5. The token is masked, it cannot be logged accidentally. > [!NOTE] diff --git a/action.yml b/action.yml index 33b9fb1..ab7d7f3 100644 --- a/action.yml +++ b/action.yml @@ -18,8 +18,9 @@ inputs: description: "Comma or newline-separated list of repositories to install the GitHub App on (defaults to current repository if owner is unset)" required: false skip-token-revoke: - description: "If truthy, the token will not be revoked when the current job is complete" + description: "If true, the token will not be revoked when the current job is complete" required: false + default: "false" # Make GitHub API configurable to support non-GitHub Cloud use cases # see https://github.com/actions/create-github-app-token/issues/77 github-api-url: diff --git a/lib/post.js b/lib/post.js index f21174d..4719964 100644 --- a/lib/post.js +++ b/lib/post.js @@ -5,7 +5,7 @@ * @param {import("@octokit/request").request} request */ export async function post(core, request) { - const skipTokenRevoke = Boolean(core.getInput("skip-token-revoke")); + const skipTokenRevoke = core.getBooleanInput("skip-token-revoke"); if (skipTokenRevoke) { core.info("Token revocation was skipped"); diff --git a/main.js b/main.js index ac3a7c5..7670378 100644 --- a/main.js +++ b/main.js @@ -24,7 +24,7 @@ const repositories = core .map((s) => s.trim()) .filter((x) => x !== ""); -const skipTokenRevoke = Boolean(core.getInput("skip-token-revoke")); +const skipTokenRevoke = core.getBooleanInput("skip-token-revoke"); const permissions = getPermissionsFromInputs(process.env); diff --git a/tests/main.js b/tests/main.js index 2172752..792da70 100644 --- a/tests/main.js +++ b/tests/main.js @@ -8,6 +8,7 @@ export const DEFAULT_ENV = { // inputs are set as environment variables with the prefix INPUT_ // https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs "INPUT_GITHUB-API-URL": "https://api.github.com", + "INPUT_SKIP-TOKEN-REVOKE": "false", "INPUT_APP-ID": "123456", // This key is invalidated. It’s from https://github.com/octokit/auth-app.js/issues/465#issuecomment-1564998327. "INPUT_PRIVATE-KEY": `-----BEGIN RSA PRIVATE KEY----- diff --git a/tests/post-revoke-token-fail-response.test.js b/tests/post-revoke-token-fail-response.test.js index 6962ca3..b729b55 100644 --- a/tests/post-revoke-token-fail-response.test.js +++ b/tests/post-revoke-token-fail-response.test.js @@ -7,6 +7,7 @@ process.env.STATE_token = "secret123"; // inputs are set as environment variables with the prefix INPUT_ // https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com"; +process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false"; // 1 hour in the future, not expired process.env.STATE_expiresAt = new Date( diff --git a/tests/post-token-expired.test.js b/tests/post-token-expired.test.js index 6479845..62caa6d 100644 --- a/tests/post-token-expired.test.js +++ b/tests/post-token-expired.test.js @@ -7,6 +7,10 @@ process.env.STATE_token = "secret123"; // 1 hour in the past, expired process.env.STATE_expiresAt = new Date(Date.now() - 1000 * 60 * 60).toISOString(); +// inputs are set as environment variables with the prefix INPUT_ +// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs +process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false"; + const mockAgent = new MockAgent(); setGlobalDispatcher(mockAgent); diff --git a/tests/post-token-set.test.js b/tests/post-token-set.test.js index 33697d0..8ae8c36 100644 --- a/tests/post-token-set.test.js +++ b/tests/post-token-set.test.js @@ -7,6 +7,7 @@ process.env.STATE_token = "secret123"; // inputs are set as environment variables with the prefix INPUT_ // https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com"; +process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false"; // 1 hour in the future, not expired process.env.STATE_expiresAt = new Date(Date.now() + 1000 * 60 * 60).toISOString(); diff --git a/tests/post-token-unset.test.js b/tests/post-token-unset.test.js index 7b1922a..32228ef 100644 --- a/tests/post-token-unset.test.js +++ b/tests/post-token-unset.test.js @@ -2,4 +2,8 @@ // https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions delete process.env.STATE_token; +// inputs are set as environment variables with the prefix INPUT_ +// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs +process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false"; + await import("../post.js"); From 30bf6253fa41bdc8d1501d202ad15287582246b4 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Thu, 1 May 2025 15:34:52 +0000 Subject: [PATCH 4/4] build(release): 2.0.3 [skip ci] ## [2.0.3](https://github.com/actions/create-github-app-token/compare/v2.0.2...v2.0.3) (2025-05-01) ### Bug Fixes * **README:** use `v2` in examples ([#234](https://github.com/actions/create-github-app-token/issues/234)) ([9ba274d](https://github.com/actions/create-github-app-token/commit/9ba274d954c9af64fbf4cec63082d0e3f57e9b5f)), closes [#232](https://github.com/actions/create-github-app-token/issues/232) * use `core.getBooleanInput()` to retrieve boolean input values ([#223](https://github.com/actions/create-github-app-token/issues/223)) ([c3c17c7](https://github.com/actions/create-github-app-token/commit/c3c17c79ccedec31f588e88d6ad5ff9036afe580)) --- dist/main.cjs | 2 +- dist/post.cjs | 2 +- package-lock.json | 4 ++-- package.json | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/dist/main.cjs b/dist/main.cjs index 2ad1836..a977f68 100644 --- a/dist/main.cjs +++ b/dist/main.cjs @@ -42673,7 +42673,7 @@ var appId = import_core2.default.getInput("app-id"); var privateKey = import_core2.default.getInput("private-key"); var owner = import_core2.default.getInput("owner"); var repositories = import_core2.default.getInput("repositories").split(/[\n,]+/).map((s) => s.trim()).filter((x) => x !== ""); -var skipTokenRevoke = Boolean(import_core2.default.getInput("skip-token-revoke")); +var skipTokenRevoke = import_core2.default.getBooleanInput("skip-token-revoke"); var permissions = getPermissionsFromInputs(process.env); var main_default = main( appId, diff --git a/dist/post.cjs b/dist/post.cjs index ab17975..40fbec6 100644 --- a/dist/post.cjs +++ b/dist/post.cjs @@ -40308,7 +40308,7 @@ var import_core2 = __toESM(require_core(), 1); // lib/post.js async function post(core3, request2) { - const skipTokenRevoke = Boolean(core3.getInput("skip-token-revoke")); + const skipTokenRevoke = core3.getBooleanInput("skip-token-revoke"); if (skipTokenRevoke) { core3.info("Token revocation was skipped"); return; diff --git a/package-lock.json b/package-lock.json index 4e9016c..13776a1 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "create-github-app-token", - "version": "2.0.2", + "version": "2.0.3", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "create-github-app-token", - "version": "2.0.2", + "version": "2.0.3", "license": "MIT", "dependencies": { "@actions/core": "^1.11.1", diff --git a/package.json b/package.json index 64a62e6..e7926fd 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "name": "create-github-app-token", "private": true, "type": "module", - "version": "2.0.2", + "version": "2.0.3", "description": "GitHub Action for creating a GitHub App Installation Access Token", "scripts": { "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0 --packages=bundle",