From 2950cbc446a8d3030ea17d3f7cbdd3c0fce4b0f5 Mon Sep 17 00:00:00 2001
From: Parker Brown <17183625+parkerbxyz@users.noreply.github.com>
Date: Fri, 2 May 2025 11:44:01 -0700
Subject: [PATCH 1/2] fix: permission input handling (#243)

This pull request fixes the handling of permissions inputs.

- Updated `getPermissionsFromInputs` in
`lib/get-permissions-from-inputs.js` to use hyphens
(`INPUT_PERMISSION-`) instead of underscores (`INPUT_PERMISSION_`) in
input keys, added a check to skip empty values, and clarified behavior
when no permissions are set.
- Added a `shouldRetry` function to retry requests when server errors
(HTTP status 500 or higher) occur in the `main` function in
`lib/main.js` to prevent unnecessary retries.
- Updated test cases in `tests/main-token-permissions-set.test.js` to
match the new input key format with hyphens.
- Added a default empty string for unset inputs (e.g.,
`INPUT_PERMISSION-ADMINISTRATION`) in `tests/main.js` to simulate the
behavior of the Actions runner.
- Updated snapshots in `tests/snapshots/index.js.md` to reflect the
updated hyphenated input keys in permissions.

---------

Co-authored-by: Gregor Martynus <39992+gr2m@users.noreply.github.com>
---
 lib/get-permissions-from-inputs.js       |   7 +++++--
 lib/main.js                              |   1 +
 tests/main-token-permissions-set.test.js |   4 ++--
 tests/main.js                            |   8 +++++---
 tests/snapshots/index.js.md              |   2 +-
 tests/snapshots/index.js.snap            | Bin 1392 -> 1392 bytes
 6 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/lib/get-permissions-from-inputs.js b/lib/get-permissions-from-inputs.js
index 7458155..7777d94 100644
--- a/lib/get-permissions-from-inputs.js
+++ b/lib/get-permissions-from-inputs.js
@@ -7,9 +7,12 @@
  */
 export function getPermissionsFromInputs(env) {
   return Object.entries(env).reduce((permissions, [key, value]) => {
-    if (!key.startsWith("INPUT_PERMISSION_")) return permissions;
+    if (!key.startsWith("INPUT_PERMISSION-")) return permissions;
+    if (!value) return permissions;
 
-    const permission = key.slice("INPUT_PERMISSION_".length).toLowerCase();
+    const permission = key.slice("INPUT_PERMISSION-".length).toLowerCase();
+
+    // Inherit app permissions if no permissions inputs are set
     if (permissions === undefined) {
       return { [permission]: value };
     }
diff --git a/lib/main.js b/lib/main.js
index f07947f..3ec39b5 100644
--- a/lib/main.js
+++ b/lib/main.js
@@ -89,6 +89,7 @@ export async function main(
           permissions
         ),
       {
+        shouldRetry: (error) => error.status >= 500,
         onFailedAttempt: (error) => {
           core.info(
             `Failed to create token for "${parsedRepositoryNames.join(
diff --git a/tests/main-token-permissions-set.test.js b/tests/main-token-permissions-set.test.js
index b3f6386..19746ac 100644
--- a/tests/main-token-permissions-set.test.js
+++ b/tests/main-token-permissions-set.test.js
@@ -2,6 +2,6 @@ import { test } from "./main.js";
 
 // Verify `main` successfully sets permissions
 await test(() => {
-  process.env.INPUT_PERMISSION_ISSUES = `write`;
-  process.env.INPUT_PERMISSION_PULL_REQUESTS = `read`;
+  process.env["INPUT_PERMISSION-ISSUES"] = `write`;
+  process.env["INPUT_PERMISSION-PULL-REQUESTS"] = `read`;
 });
diff --git a/tests/main.js b/tests/main.js
index 792da70..5466529 100644
--- a/tests/main.js
+++ b/tests/main.js
@@ -38,6 +38,8 @@ so0tiQKBgGQXZaxaXhYUcxYHuCkQ3V4Vsj3ezlM92xXlP32SGFm3KgFhYy9kATxw
 Cax1ytZzvlrKLQyQFVK1COs2rHt7W4cJ7op7C8zXfsigXCiejnS664oAuX8sQZID
 x3WQZRiXlWejSMUAHuMwXrhGlltF3lw83+xAjnqsVp75kGS6OH61
 -----END RSA PRIVATE KEY-----`,
+  // The Actions runner sets all inputs to empty strings if not set.
+  "INPUT_PERMISSION-ADMINISTRATION": "",
 };
 
 export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
@@ -61,7 +63,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
   const owner = env.INPUT_OWNER ?? env.GITHUB_REPOSITORY_OWNER;
   const currentRepoName = env.GITHUB_REPOSITORY.split("/")[1];
   const repo = encodeURIComponent(
-    (env.INPUT_REPOSITORIES ?? currentRepoName).split(",")[0],
+    (env.INPUT_REPOSITORIES ?? currentRepoName).split(",")[0]
   );
 
   mockPool
@@ -77,7 +79,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
     .reply(
       200,
       { id: mockInstallationId, app_slug: mockAppSlug },
-      { headers: { "content-type": "application/json" } },
+      { headers: { "content-type": "application/json" } }
     );
 
   // Mock installation access token request
@@ -98,7 +100,7 @@ export async function test(cb = (_mockPool) => {}, env = DEFAULT_ENV) {
     .reply(
       201,
       { token: mockInstallationAccessToken, expires_at: mockExpiresAt },
-      { headers: { "content-type": "application/json" } },
+      { headers: { "content-type": "application/json" } }
     );
 
   // Run the callback
diff --git a/tests/snapshots/index.js.md b/tests/snapshots/index.js.md
index e419536..55b25ba 100644
--- a/tests/snapshots/index.js.md
+++ b/tests/snapshots/index.js.md
@@ -331,7 +331,7 @@ Generated by [AVA](https://avajs.dev).
     --- REQUESTS ---␊
     GET /repos/actions/create-github-app-token/installation␊
     POST /app/installations/123456/access_tokens␊
-    {"repositories":["create-github-app-token"],"permissions":{"issues":"write","pull_requests":"read"}}`
+    {"repositories":["create-github-app-token"],"permissions":{"issues":"write","pull-requests":"read"}}`
 
 ## post-revoke-token-fail-response.test.js
 
diff --git a/tests/snapshots/index.js.snap b/tests/snapshots/index.js.snap
index e66c3d55e1416e7ac7aff4b1d2b5c4e6ce80213f..0b63dabc7db6f383c4adb398cbab95a6b6bd508f 100644
GIT binary patch
delta 210
zcmV;@04@LU3h)XtK~_N^Q*L2!b7*gLAa*kf0{}UX?Ak`Njah&ex^i+3rE9%kwGNje
z2A?1>h(IvW%CE69sRVx-JwBk7pJOCjdp=nWMa(LVeSpDZQC!o5|AT7kcPF2l=8y(1
zQrt9~isLe=rHVqLC#)u!{No%2F~Szjo}B^JY6{h21SJl;On8s^{#b@%h!YR~6TmXL
z$HB)bQ16ZF(*yh5nkdYfYVt)Y{U>LpNB*QB&N30rhY2(pZx0p@K22eHKf*HJg{AWU
M2O(JQRWK<40CJ370RR91

delta 210
zcmV;@04@LU3h)XtK~_N^Q*L2!b7*gLAa*kf0{}dx%ADPW$4F3tl6IdP_G4l`3*6@e
zn%uz4FvQ+P;k&UisRVzTqxgVUevXlB?fGOi6fvtb_5lWuMR83J{tv3D-<^DJnnN16
zNO99_DvryfmMRK~p0Ju^@{e;A#0Xn7dv*p?t0`2A5tKOWGT}Yu`(qi7Ax=E_PXNp0
z9tR(%K)pAvPY>*KYoah`s>v6r^q-uW9{H1kILkydA12Ubyge2;_%wy({Rqo=7naKZ
MANPLytuQG70Ev)cB>(^b


From 4821f52fa7a8e45784f1d99cdb1c27bec9f00720 Mon Sep 17 00:00:00 2001
From: semantic-release-bot <semantic-release-bot@martynus.net>
Date: Fri, 2 May 2025 18:44:32 +0000
Subject: [PATCH 2/2] build(release): 2.0.4 [skip ci]

## [2.0.4](https://github.com/actions/create-github-app-token/compare/v2.0.3...v2.0.4) (2025-05-02)

### Bug Fixes

* permission input handling ([#243](https://github.com/actions/create-github-app-token/issues/243)) ([2950cbc](https://github.com/actions/create-github-app-token/commit/2950cbc446a8d3030ea17d3f7cbdd3c0fce4b0f5))
---
 dist/main.cjs     | 6 ++++--
 package-lock.json | 4 ++--
 package.json      | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/dist/main.cjs b/dist/main.cjs
index a977f68..c0c6a0e 100644
--- a/dist/main.cjs
+++ b/dist/main.cjs
@@ -42394,8 +42394,9 @@ function createAppAuth(options) {
 // lib/get-permissions-from-inputs.js
 function getPermissionsFromInputs(env) {
   return Object.entries(env).reduce((permissions2, [key, value]) => {
-    if (!key.startsWith("INPUT_PERMISSION_")) return permissions2;
-    const permission = key.slice("INPUT_PERMISSION_".length).toLowerCase();
+    if (!key.startsWith("INPUT_PERMISSION-")) return permissions2;
+    if (!value) return permissions2;
+    const permission = key.slice("INPUT_PERMISSION-".length).toLowerCase();
     if (permissions2 === void 0) {
       return { [permission]: value };
     }
@@ -42568,6 +42569,7 @@ async function main(appId2, privateKey2, owner2, repositories2, permissions2, co
         permissions2
       ),
       {
+        shouldRetry: (error) => error.status >= 500,
         onFailedAttempt: (error) => {
           core3.info(
             `Failed to create token for "${parsedRepositoryNames.join(
diff --git a/package-lock.json b/package-lock.json
index 13776a1..3edd92b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "create-github-app-token",
-  "version": "2.0.3",
+  "version": "2.0.4",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "create-github-app-token",
-      "version": "2.0.3",
+      "version": "2.0.4",
       "license": "MIT",
       "dependencies": {
         "@actions/core": "^1.11.1",
diff --git a/package.json b/package.json
index e7926fd..be24d43 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
   "name": "create-github-app-token",
   "private": true,
   "type": "module",
-  "version": "2.0.3",
+  "version": "2.0.4",
   "description": "GitHub Action for creating a GitHub App Installation Access Token",
   "scripts": {
     "build": "esbuild main.js post.js --bundle --outdir=dist --out-extension:.js=.cjs --platform=node --target=node20.0.0 --packages=bundle",

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://clevelandohioweatherforecast.com/php-proxy/index.php?q=https://github.com/actions/create-github-app-token/compare/v2.0.3...v2.0.4.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/index.php?u=https://github.com/actions/create-github-app-token/compare/v2.0.3...v2.0.4.patch" target="_blank">pFad Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/v3index.php?u=https://github.com/actions/create-github-app-token/compare/v2.0.3...v2.0.4.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/v4index.php?u=https://github.com/actions/create-github-app-token/compare/v2.0.3...v2.0.4.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>