From b672cdc00e493d55435c08dad8ae293e9bf3937b Mon Sep 17 00:00:00 2001 From: Thibault Derousseaux Date: Tue, 19 Sep 2023 11:43:00 -0400 Subject: [PATCH 1/9] Add option to not revoke token --- README.md | 3 +++ action.yml | 4 ++++ package-lock.json | 20 ++++++++++---------- package.json | 6 +++--- 4 files changed, 20 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 1b5a20b..cb45d13 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,9 @@ jobs: # repositories: >- # ["actions/toolkit", "github/docs"] + # Optional. + # revoke: "false" + - run: "echo 'The created token is masked: ${{ steps.create_token.outputs.token }}'" ``` diff --git a/action.yml b/action.yml index ca7ec4c..74e43f1 100644 --- a/action.yml +++ b/action.yml @@ -41,6 +41,9 @@ inputs: The JSON-stringified array of the full names of the repositories the token should have access to. Defaults to all repositories that the installation can access. See https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app's `repositories`. + revoke: + description: Revoke the token at the end of the job. + default: "true" outputs: token: description: An installation access token for the GitHub App. @@ -48,6 +51,7 @@ runs: using: node20 main: dist/main/index.js post: dist/post/index.js + post-if: fromJson(github.event.inputs.revoke) branding: icon: unlock color: gray-dark diff --git a/package-lock.json b/package-lock.json index f1796ce..2d1403b 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,15 +1,15 @@ { "name": "github-app-token", - "version": "2.0.0", + "version": "2.1.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "github-app-token", - "version": "2.0.0", + "version": "2.1.0", "license": "MIT", "dependencies": { - "@actions/core": "^1.10.0", + "@actions/core": "^1.10.1", "@actions/github": "^5.1.1", "@octokit/auth-app": "^6.0.0", "@octokit/request": "^8.1.1", 
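Review bot: The description of the new `revoke` input in the first action.yml hunk does not say what opting out means for the credential. With revocation skipped, the installation token stays usable after the job ends until it expires on its own. I would say so in the input's description so that callers disable it deliberately, e.g. `description: Revoke the token at the end of the job. If false, the token remains valid after the job until it expires.` The README hunk that documents `# revoke: "false"` would benefit from the same sentence.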
@@ -18,7 +18,7 @@ "devDependencies": { "@trivago/prettier-plugin-sort-imports": "^4.2.0", "@types/is-base64": "^1.1.1", - "@types/node": "^20.6.0", + "@types/node": "^20.6.2", "@vercel/ncc": "^0.38.0", "prettier": "^3.0.3", "prettier-plugin-packagejson": "^2.4.5", @@ -26,9 +26,9 @@ } }, "node_modules/@actions/core": { - "version": "1.10.0", - "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz", - "integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==", + "version": "1.10.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.1.tgz", + "integrity": "sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==", "dependencies": { "@actions/http-client": "^2.0.1", "uuid": "^8.3.2" @@ -701,9 +701,9 @@ } }, "node_modules/@types/node": { - "version": "20.6.0", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.6.0.tgz", - "integrity": "sha512-najjVq5KN2vsH2U/xyh2opaSEz6cZMR2SetLIlxlj08nOcmPOemJmUK2o4kUzfLqfrWE0PIrNeE16XhYDd3nqg==" + "version": "20.6.2", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.6.2.tgz", + "integrity": "sha512-Y+/1vGBHV/cYk6OI1Na/LHzwnlNCAfU3ZNGrc1LdRe/LAIbdDPTTv/HU3M7yXN448aTVDq3eKRm2cg7iKLb8gw==" }, "node_modules/@vercel/ncc": { "version": "0.38.0", diff --git a/package.json b/package.json index 00e65a2..f05683a 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "github-app-token", - "version": "2.0.0", + "version": "2.1.0", "license": "MIT", "type": "module", "files": [ @@ -16,7 +16,7 @@ "typecheck": "tsc --build" }, "dependencies": { - "@actions/core": "^1.10.0", + "@actions/core": "^1.10.1", "@actions/github": "^5.1.1", "@octokit/auth-app": "^6.0.0", "@octokit/request": "^8.1.1", 
@@ -25,7 +25,7 @@ "devDependencies": { "@trivago/prettier-plugin-sort-imports": "^4.2.0", "@types/is-base64": "^1.1.1", - "@types/node": "^20.6.0", + "@types/node": "^20.6.2", "@vercel/ncc": "^0.38.0", "prettier": "^3.0.3", "prettier-plugin-packagejson": "^2.4.5", From e20731e3e6b6aa92adbd69716f8f12f208473219 Mon Sep 17 00:00:00 2001 From: Thibault Derousseaux Date: Tue, 19 Sep 2023 11:51:45 -0400 Subject: [PATCH 2/9] fixup! Add option to not revoke token --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 74e43f1..a56a0ad 100644 --- a/action.yml +++ b/action.yml @@ -51,7 +51,7 @@ runs: using: node20 main: dist/main/index.js post: dist/post/index.js - post-if: fromJson(github.event.inputs.revoke) + post-if: github.event.inputs.revoke == "true" branding: icon: unlock color: gray-dark From 86b770e93b8a692e5a838c0a0bef38424ae763b2 Mon Sep 17 00:00:00 2001 From: Thibault Derousseaux Date: Tue, 19 Sep 2023 11:53:13 -0400 Subject: [PATCH 3/9] fixup! Add option to not revoke token --- .github/workflows/test.yml | 4 ++-- action.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f6834ed..7230259 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,7 +15,7 @@ jobs: node-version: 20 cache: npm - run: npm ci - - run: npm run typecheck + # - run: npm run typecheck - run: npm run build # Optional integration test of the action using a dedicated GitHub App. - id: create_token @@ -27,4 +27,4 @@ jobs: private_key: ${{ secrets.TEST_GITHUB_APP_PRIVATE_KEY }} - if: ${{ steps.create_token.outcome != 'skipped' }} run: node --eval "assert('${{ steps.create_token.outputs.token }}'.length > 0);" - - run: npm run prettier -- --check + # - run: npm run prettier -- --check diff --git a/action.yml b/action.yml index a56a0ad..675f594 100644 --- a/action.yml +++ b/action.yml 
@@ -51,7 +51,7 @@ runs: using: node20 main: dist/main/index.js post: dist/post/index.js - post-if: github.event.inputs.revoke == "true" + post-if: github.event.inputs.revoke == 'true' branding: icon: unlock color: gray-dark From be108e1c97ac423942a01d06859a3e417bcbe074 Mon Sep 17 00:00:00 2001 From: Thibault Derousseaux Date: Tue, 19 Sep 2023 11:57:24 -0400 Subject: [PATCH 4/9] fixup! Add option to not revoke token --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 675f594..0cda016 100644 --- a/action.yml +++ b/action.yml @@ -51,7 +51,7 @@ runs: using: node20 main: dist/main/index.js post: dist/post/index.js - post-if: github.event.inputs.revoke == 'true' + post-if: inputs.revoke == 'true' branding: icon: unlock color: gray-dark From e91e1a085778aa4003a791bff496a9fc3631eb03 Mon Sep 17 00:00:00 2001 From: Thibault Derousseaux Date: Tue, 19 Sep 2023 11:59:54 -0400 Subject: [PATCH 5/9] fixup! Add option to not revoke token --- src/main.ts | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/src/main.ts b/src/main.ts index 9a0f7f2..64315d9 100644 --- a/src/main.ts +++ b/src/main.ts @@ -1,15 +1,7 @@ -import { info, saveState, setOutput, setSecret } from "@actions/core"; -import { createInstallationAccessToken } from "./create-installation-access-token.js"; -import { parseOptions } from "./parse-options.js"; import { run } from "./run.js"; -import { tokenKey } from "./state.js"; +import { getInput } from "@actions/core"; await run(async () => { - const options = parseOptions(); - const token = await createInstallationAccessToken(options); - setSecret(token); - saveState(tokenKey, token); - setOutput("token", token); - info("Token created successfully"); + console.log(JSON.stringify({value: getInput("revoke")})); }); From 6eb69dd86a4bb8c7b4cc9955043fc37247c4ff55 Mon Sep 17 00:00:00 2001 
From: Thibault Derousseaux Date: Tue, 19 Sep 2023 12:03:23 -0400 Subject: [PATCH 6/9] fixup! Add option to not revoke token --- package.json | 2 +- src/main.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index f05683a..0a44813 100644 --- a/package.json +++ b/package.json @@ -8,7 +8,7 @@ "dist" ], "scripts": { - "build": "npm run build:main && npm run build:post", + "build": "npm run build:main", "build:main": "npm run compile -- --out ./dist/main src/main.ts ", "build:post": "npm run compile -- --out ./dist/post src/post.ts", "compile": "ncc build --minify --no-cache --target es2022 --v8-cache", diff --git a/src/main.ts b/src/main.ts index 64315d9..08ee582 100644 --- a/src/main.ts +++ b/src/main.ts @@ -3,5 +3,5 @@ import { run } from "./run.js"; import { getInput } from "@actions/core"; await run(async () => { - console.log(JSON.stringify({value: getInput("revoke")})); + console.log(JSON.stringify({value: JSON.parse(getInput("revoke"))})); }); From bdc651ae85d6ca66679cecc9e0f6a63a52a79a68 Mon Sep 17 00:00:00 2001 From: Thibault Derousseaux Date: Tue, 19 Sep 2023 12:06:10 -0400 Subject: [PATCH 7/9] fixup! Add option to not revoke token --- .github/workflows/test.yml | 5 +++-- action.yml | 1 - package.json | 2 +- src/main.ts | 12 ++++++++++-- src/post.ts | 7 ++++++- 5 files changed, 20 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7230259..4cad037 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,7 +15,7 @@ jobs: node-version: 20 cache: npm - run: npm ci - # - run: npm run typecheck + - run: npm run typecheck - run: npm run build # Optional integration test of the action using a dedicated GitHub App. - id: create_token 
@@ -25,6 +25,7 @@ jobs: # The only required permission is `Repository permissions > Metadata: Read-only`. app_id: ${{ vars.TEST_GITHUB_APP_ID }} private_key: ${{ secrets.TEST_GITHUB_APP_PRIVATE_KEY }} + revoke: false - if: ${{ steps.create_token.outcome != 'skipped' }} run: node --eval "assert('${{ steps.create_token.outputs.token }}'.length > 0);" - # - run: npm run prettier -- --check + - run: npm run prettier -- --check diff --git a/action.yml b/action.yml index 0cda016..407c8a8 100644 --- a/action.yml +++ b/action.yml @@ -51,7 +51,6 @@ runs: using: node20 main: dist/main/index.js post: dist/post/index.js - post-if: inputs.revoke == 'true' branding: icon: unlock color: gray-dark diff --git a/package.json b/package.json index 0a44813..f05683a 100644 --- a/package.json +++ b/package.json @@ -8,7 +8,7 @@ "dist" ], "scripts": { - "build": "npm run build:main", + "build": "npm run build:main && npm run build:post", "build:main": "npm run compile -- --out ./dist/main src/main.ts ", "build:post": "npm run compile -- --out ./dist/post src/post.ts", "compile": "ncc build --minify --no-cache --target es2022 --v8-cache", diff --git a/src/main.ts b/src/main.ts index 08ee582..9a0f7f2 100644 --- a/src/main.ts +++ b/src/main.ts @@ -1,7 +1,15 @@ +import { info, saveState, setOutput, setSecret } from "@actions/core"; +import { createInstallationAccessToken } from "./create-installation-access-token.js"; +import { parseOptions } from "./parse-options.js"; import { run } from "./run.js"; -import { getInput } from "@actions/core"; +import { tokenKey } from "./state.js"; await run(async () => { - console.log(JSON.stringify({value: JSON.parse(getInput("revoke"))})); + const options = parseOptions(); + const token = await createInstallationAccessToken(options); + setSecret(token); + saveState(tokenKey, token); + setOutput("token", token); + info("Token created successfully"); }); diff --git a/src/post.ts b/src/post.ts index 9ffc13c..0d2680e 100644 --- a/src/post.ts +++ b/src/post.ts 
@@ -1,10 +1,15 @@ -import { getState, info } from "@actions/core"; +import { getInput, getState, info } from "@actions/core"; import { revokeInstallationAccessToken } from "./revoke-installation-access-token.js"; import { run } from "./run.js"; import { tokenKey } from "./state.js"; await run(async () => { + if (!JSON.parse(getInput("revoke"))) { + info("Token revocation skipped"); + return; + } + const token = getState(tokenKey); if (!token) { info("No token to revoke"); From f8bc6bd0eee3ee69f337edb09f6f7d7c80e7eaa9 Mon Sep 17 00:00:00 2001 From: Thibault Derousseaux Date: Tue, 19 Sep 2023 12:07:18 -0400 Subject: [PATCH 8/9] fixup! Add option to not revoke token --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4cad037..522904b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -25,7 +25,7 @@ jobs: # The only required permission is `Repository permissions > Metadata: Read-only`. app_id: ${{ vars.TEST_GITHUB_APP_ID }} private_key: ${{ secrets.TEST_GITHUB_APP_PRIVATE_KEY }} - revoke: false + revoke: true - if: ${{ steps.create_token.outcome != 'skipped' }} run: node --eval "assert('${{ steps.create_token.outputs.token }}'.length > 0);" - run: npm run prettier -- --check From 44e1c6f861df5a26e4c9b6b21eb7a5c56f45d4e2 Mon Sep 17 00:00:00 2001 From: Thibault Derousseaux Date: Tue, 19 Sep 2023 12:08:35 -0400 Subject: [PATCH 9/9] fixup! Add option to not revoke token --- .github/workflows/test.yml | 1 - README.md | 2 +- action.yml | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 522904b..f6834ed 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
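Review bot: `JSON.parse(getInput("revoke"))` in the new guard at the top of the post callback throws on any value that is not valid JSON (`yes`, `False`, an empty string), and it runs before `getState(tokenKey)`, so a mistyped input appears to end the post step without revoking the token. Values such as `0` or `null` parse to a falsy result and skip revocation silently. For a cleanup step the safer default is to revoke unless the caller explicitly opted out, e.g. `if (getInput("revoke").trim().toLowerCase() === "false") {`, or to validate the value in `src/main.ts` so a bad input fails the job before a token is created. How `run()` handles the thrown error is not visible here, and the callback body continues past the end of the hunk.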
@@ -25,7 +25,6 @@ jobs: # The only required permission is `Repository permissions > Metadata: Read-only`. app_id: ${{ vars.TEST_GITHUB_APP_ID }} private_key: ${{ secrets.TEST_GITHUB_APP_PRIVATE_KEY }} - revoke: true - if: ${{ steps.create_token.outcome != 'skipped' }} run: node --eval "assert('${{ steps.create_token.outputs.token }}'.length > 0);" - run: npm run prettier -- --check diff --git a/README.md b/README.md index cb45d13..6e23369 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ jobs: # ["actions/toolkit", "github/docs"] # Optional. - # revoke: "false" + # revoke: false - run: "echo 'The created token is masked: ${{ steps.create_token.outputs.token }}'" ``` diff --git a/action.yml b/action.yml index 407c8a8..4146f35 100644 --- a/action.yml +++ b/action.yml @@ -43,7 +43,7 @@ inputs: See https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app's `repositories`. revoke: description: Revoke the token at the end of the job. - default: "true" + default: true outputs: token: description: An installation access token for the GitHub App.