From a3c826a2042b1cef171cbabedfd93c93623f4061 Mon Sep 17 00:00:00 2001 From: nakatani-yo <32811020+nakatani-yo@users.noreply.github.com> Date: Fri, 11 Apr 2025 03:39:20 +0900 Subject: [PATCH 1/4] docs: fix typo in CONTRIBUTING.md (#233) --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 566a8fe..8bcfa29 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -12,4 +12,4 @@ Run tests locally npm test ``` -Learn more about how the tests work in [test/README.md](test/README.md). +Learn more about how the tests work in [tests/README.md](tests/README.md). From 9ba274d954c9af64fbf4cec63082d0e3f57e9b5f Mon Sep 17 00:00:00 2001 From: CarolMebiom <59604360+CarolMebiom@users.noreply.github.com> Date: Fri, 25 Apr 2025 19:32:06 +0100 Subject: [PATCH 2/4] fix(README): use `v2` in examples (#234) Fixes #232 --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 91efed1..4a73bc3 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: app-id: ${{ vars.APP_ID }} @@ -47,7 +47,7 @@ jobs: auto-format: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: # required @@ -73,7 +73,7 @@ jobs: auto-format: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: # required @@ -98,7 +98,7 @@ jobs: auto-format: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: # required 
@@ -135,7 +135,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: app-id: ${{ vars.APP_ID }} @@ -157,7 +157,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: app-id: ${{ vars.APP_ID }} @@ -182,7 +182,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: app-id: ${{ vars.APP_ID }} @@ -207,7 +207,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: app-id: ${{ vars.APP_ID }} @@ -249,7 +249,7 @@ jobs: owners-and-repos: ${{ fromJson(needs.set-matrix.outputs.matrix) }} steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v2 id: app-token with: app-id: ${{ vars.APP_ID }} @@ -279,7 +279,7 @@ jobs: steps: - name: Create GitHub App token id: create_token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@v2 with: app-id: ${{ vars.GHES_APP_ID }} private-key: ${{ secrets.GHES_APP_PRIVATE_KEY }} @@ -318,7 +318,7 @@ steps: echo "private-key=$private_key" >> "$GITHUB_OUTPUT" - name: Generate GitHub App Token id: app-token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@v2 with: app-id: ${{ vars.APP_ID }} private-key: ${{ steps.decode.outputs.private-key }} From c3c17c79ccedec31f588e88d6ad5ff9036afe580 Mon Sep 17 00:00:00 2001 
From: Yuta Kasai Date: Sat, 26 Apr 2025 03:59:34 +0900 Subject: [PATCH 3/4] fix: use `core.getBooleanInput()` to retrieve boolean input values (#223) This PR switches from evaluating values passed to `skip-token-revoke` as true if they are truthy in JavaScript, to using `getBooleanInput`. This change ensures that only proper YAML boolean values are recognized, preventing unintended evaluations to true. - The definition of `getBooleanInput` is here: definition of `core#getBooealnInput` is here: https://github.com/actions/toolkit/blob/930c89072712a3aac52d74b23338f00bb0cfcb24/packages/core/src/core.ts#L188-L208 The documentation states, `"If truthy, the token will not be revoked when the current job is complete"`, so this change could be considered a breaking change. This means that if there are users who rely on `truthy` and expect values like whitespace or `"false"` to be evaluated as true (though this is likely rare), it would be a breaking change. - `Boolean(" ")` and `Boolean("false")` are both evaluated as true. Alternatively, it can simply be considered a fix. How to handle this is up to the maintainer. Resolves https://github.com/actions/create-github-app-token/issues/216 --- README.md | 4 ++-- action.yml | 3 ++- lib/post.js | 2 +- main.js | 2 +- tests/main.js | 1 + tests/post-revoke-token-fail-response.test.js | 1 + tests/post-token-expired.test.js | 4 ++++ tests/post-token-set.test.js | 1 + tests/post-token-unset.test.js | 4 ++++ 9 files changed, 17 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 4a73bc3..f72b653 100644 --- a/README.md +++ b/README.md @@ -343,7 +343,7 @@ The reason we define one `permision-` input per permission is t ### `skip-token-revoke` -**Optional:** If truthy, the token will not be revoked when the current job is complete. +**Optional:** If true, the token will not be revoked when the current job is complete. ### `github-api-url` 
@@ -370,7 +370,7 @@ The action creates an installation access token using [the `POST /app/installati 1. The token is scoped to the current repository or `repositories` if set. 2. The token inherits all the installation's permissions. 3. The token is set as output `token` which can be used in subsequent steps. -4. Unless the `skip-token-revoke` input is set to a truthy value, the token is revoked in the `post` step of the action, which means it cannot be passed to another job. +4. Unless the `skip-token-revoke` input is set to true, the token is revoked in the `post` step of the action, which means it cannot be passed to another job. 5. The token is masked, it cannot be logged accidentally. > [!NOTE] diff --git a/action.yml b/action.yml index 33b9fb1..ab7d7f3 100644 --- a/action.yml +++ b/action.yml @@ -18,8 +18,9 @@ inputs: description: "Comma or newline-separated list of repositories to install the GitHub App on (defaults to current repository if owner is unset)" required: false skip-token-revoke: - description: "If truthy, the token will not be revoked when the current job is complete" + description: "If true, the token will not be revoked when the current job is complete" required: false + default: "false" # Make GitHub API configurable to support non-GitHub Cloud use cases # see https://github.com/actions/create-github-app-token/issues/77 github-api-url: diff --git a/lib/post.js b/lib/post.js index f21174d..4719964 100644 --- a/lib/post.js +++ b/lib/post.js @@ -5,7 +5,7 @@ * @param {import("@octokit/request").request} request */ export async function post(core, request) { - const skipTokenRevoke = Boolean(core.getInput("skip-token-revoke")); + const skipTokenRevoke = core.getBooleanInput("skip-token-revoke"); if (skipTokenRevoke) { core.info("Token revocation was skipped"); diff --git a/main.js b/main.js index ac3a7c5..7670378 100644 --- a/main.js +++ b/main.js 
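Review bot: The new `skip-token-revoke` description in action.yml says only "If true" and does not tell users that other values are now rejected. With the move to `core.getBooleanInput()` in lib/post.js and main.js, only the YAML 1.2 core-schema spellings (`true`/`True`/`TRUE`/`false`/`False`/`FALSE`) are accepted, so a workflow that passed `yes` or `1` to keep the token alive is expected to fail the step instead. That is the safer direction, but it should be stated where users read it, for example `description: "If true, the token will not be revoked when the current job is complete. Only true or false is accepted; any other value fails the step"`.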
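Review bot: In lib/post.js, `core.getBooleanInput("skip-token-revoke")` is the first statement of `post()`, so the TypeError it throws on an unrecognised value leaves the function before the revocation that follows the skip branch (the rest of the body is outside this hunk). main.js parses the same input earlier and would normally reject a bad value before a token exists, so this is defence in depth. Even so, the cleanup path should fail toward revoking rather than toward leaving a live installation token behind. I would catch the parse error here, log a warning and continue with `skipTokenRevoke` set to false.

```javascript
export async function post(core, request) {
  // Cleanup path: an unparseable value must not prevent revocation.
  let skipTokenRevoke = false;
  try {
    skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
  } catch (error) {
    core.warning(
      `Invalid skip-token-revoke value, revoking the token anyway: ${error.message}`,
    );
  }

  // … unchanged: skip branch and the rest of post() …
```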
@@ -24,7 +24,7 @@ const repositories = core .map((s) => s.trim()) .filter((x) => x !== ""); -const skipTokenRevoke = Boolean(core.getInput("skip-token-revoke")); +const skipTokenRevoke = core.getBooleanInput("skip-token-revoke"); const permissions = getPermissionsFromInputs(process.env); diff --git a/tests/main.js b/tests/main.js index 2172752..792da70 100644 --- a/tests/main.js +++ b/tests/main.js @@ -8,6 +8,7 @@ export const DEFAULT_ENV = { // inputs are set as environment variables with the prefix INPUT_ // https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs "INPUT_GITHUB-API-URL": "https://api.github.com", + "INPUT_SKIP-TOKEN-REVOKE": "false", "INPUT_APP-ID": "123456", // This key is invalidated. It’s from https://github.com/octokit/auth-app.js/issues/465#issuecomment-1564998327. "INPUT_PRIVATE-KEY": `-----BEGIN RSA PRIVATE KEY----- diff --git a/tests/post-revoke-token-fail-response.test.js b/tests/post-revoke-token-fail-response.test.js index 6962ca3..b729b55 100644 --- a/tests/post-revoke-token-fail-response.test.js +++ b/tests/post-revoke-token-fail-response.test.js @@ -7,6 +7,7 @@ process.env.STATE_token = "secret123"; // inputs are set as environment variables with the prefix INPUT_ // https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com"; +process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false"; // 1 hour in the future, not expired process.env.STATE_expiresAt = new Date( diff --git a/tests/post-token-expired.test.js b/tests/post-token-expired.test.js index 6479845..62caa6d 100644 --- a/tests/post-token-expired.test.js +++ b/tests/post-token-expired.test.js 
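Review bot: The `core.getBooleanInput("skip-token-revoke")` call in main.js runs at module top level, alongside the other input reads and before `main(...)` is invoked (the bundled dist/main.cjs in the release patch shows the same order). The TypeError it raises for a value such as `yes` or an empty string is therefore not handled by anything attached to that call. The step presumably still stops before a token is created, which is fail-closed, but the user would see an uncaught stack trace rather than a `core.setFailed` message. A comment above the line, e.g. `// throws unless the value is true/false (YAML 1.2 core schema); relies on default: "false" in action.yml`, would record why the default matters. The test changes in this patch only set the input to `"false"`, so a case with an invalid `INPUT_SKIP-TOKEN-REVOKE` would pin the new failure mode.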
@@ -7,6 +7,10 @@ process.env.STATE_token = "secret123"; // 1 hour in the past, expired process.env.STATE_expiresAt = new Date(Date.now() - 1000 * 60 * 60).toISOString(); +// inputs are set as environment variables with the prefix INPUT_ +// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs +process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false"; + const mockAgent = new MockAgent(); setGlobalDispatcher(mockAgent); diff --git a/tests/post-token-set.test.js b/tests/post-token-set.test.js index 33697d0..8ae8c36 100644 --- a/tests/post-token-set.test.js +++ b/tests/post-token-set.test.js @@ -7,6 +7,7 @@ process.env.STATE_token = "secret123"; // inputs are set as environment variables with the prefix INPUT_ // https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com"; +process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false"; // 1 hour in the future, not expired process.env.STATE_expiresAt = new Date(Date.now() + 1000 * 60 * 60).toISOString(); diff --git a/tests/post-token-unset.test.js b/tests/post-token-unset.test.js index 7b1922a..32228ef 100644 --- a/tests/post-token-unset.test.js +++ b/tests/post-token-unset.test.js @@ -2,4 +2,8 @@ // https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions delete process.env.STATE_token; +// inputs are set as environment variables with the prefix INPUT_ +// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs +process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false"; + await import("../post.js"); From 30bf6253fa41bdc8d1501d202ad15287582246b4 Mon Sep 17 00:00:00 2001 
From: semantic-release-bot Date: Thu, 1 May 2025 15:34:52 +0000 Subject: [PATCH 4/4] build(release): 2.0.3 [skip ci] ## [2.0.3](https://github.com/actions/create-github-app-token/compare/v2.0.2...v2.0.3) (2025-05-01) ### Bug Fixes * **README:** use `v2` in examples ([#234](https://github.com/actions/create-github-app-token/issues/234)) ([9ba274d](https://github.com/actions/create-github-app-token/commit/9ba274d954c9af64fbf4cec63082d0e3f57e9b5f)), closes [#232](https://github.com/actions/create-github-app-token/issues/232) * use `core.getBooleanInput()` to retrieve boolean input values ([#223](https://github.com/actions/create-github-app-token/issues/223)) ([c3c17c7](https://github.com/actions/create-github-app-token/commit/c3c17c79ccedec31f588e88d6ad5ff9036afe580)) --- dist/main.cjs | 2 +- dist/post.cjs | 2 +- package-lock.json | 4 ++-- package.json | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/dist/main.cjs b/dist/main.cjs index 2ad1836..a977f68 100644 --- a/dist/main.cjs +++ b/dist/main.cjs @@ -42673,7 +42673,7 @@ var appId = import_core2.default.getInput("app-id"); var privateKey = import_core2.default.getInput("private-key"); var owner = import_core2.default.getInput("owner"); var repositories = import_core2.default.getInput("repositories").split(/[\n,]+/).map((s) => s.trim()).filter((x) => x !== ""); -var skipTokenRevoke = Boolean(import_core2.default.getInput("skip-token-revoke")); +var skipTokenRevoke = import_core2.default.getBooleanInput("skip-token-revoke"); var permissions = getPermissionsFromInputs(process.env); var main_default = main( appId, diff --git a/dist/post.cjs b/dist/post.cjs index ab17975..40fbec6 100644 --- a/dist/post.cjs +++ b/dist/post.cjs 
@@ -40308,7 +40308,7 @@ var import_core2 = __toESM(require_core(), 1); // lib/post.js async function post(core3, request2) { - const skipTokenRevoke = Boolean(core3.getInput("skip-token-revoke")); + const skipTokenRevoke = core3.getBooleanInput("skip-token-revoke"); if (skipTokenRevoke) { core3.info("Token revocation was skipped"); return; diff --git a/package-lock.json b/package-lock.json index 4e9016c..13776a1 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "create-github-app-token", - "version": "2.0.2", + "version": "2.0.3", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "create-github-app-token", - "version": "2.0.2", + "version": "2.0.3", "license": "MIT", "dependencies": { "@actions/core": "^1.11.1", diff --git a/package.json b/package.json index 64a62e6..e7926fd 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "name": "create-github-app-token", "private": true, "type": "module", - "version": "2.0.2", + "version": "2.0.3", "description": "GitHub Action for creating a GitHub App Installation Access Token", "scripts": { "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0 --packages=bundle", pFad - Phonifier reborn
