Try revoking token

tibdex · Sep 9, 2023 · b69f2b8 · b69f2b8
1 parent 117f1dd
commit b69f2b8
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 23 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -18,12 +18,16 @@ jobs:
       - run: npm run build
       - run: npm run prettier -- --check
       # Optional integration test of the action using a dedicated GitHub App.
-      - id: generate_token
+      - id: create_token
         if: ${{ vars.TEST_GITHUB_APP_ID != '' }}
         uses: ./
         with:
           # The only required permission is `Repository permissions > Metadata: Read-only`.
           app_id: ${{ vars.TEST_GITHUB_APP_ID }}
           private_key: ${{ secrets.TEST_GITHUB_APP_PRIVATE_KEY }}
-      - run: node --eval "assert('${{ steps.generate_token.outputs.token }}'.length > 0);"
-        if: ${{ steps.generate_token.outcome != 'skipped' }}
+      - name: Revoke token
+        env:
+          GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}
+
+      - run: node --eval "assert('${{ steps.create_token.outputs.token }}'.length > 0);"
+        if: ${{ steps.create_token.outcome != 'skipped' }}
diff --git a/README.md b/README.md
@@ -18,8 +18,8 @@ jobs:
   job:
     runs-on: ubuntu-latest
     steps:
-      - name: Generate token
-        id: generate_token
+      - name: Create token
+        id: create_token
         uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.APP_ID }}
@@ -46,9 +46,9 @@ jobs:
 
       - name: Use token
         env:
-          TOKEN: ${{ steps.generate_token.outputs.token }}
+          TOKEN: ${{ steps.create_token.outputs.token }}
         run: |
-          echo "The generated token is masked: ${TOKEN}"
+          echo "The created token is masked: ${TOKEN}"
 ```
 
 [Another use case for this action can (or could) be found in GitHub's own docs](https://web.archive.org/web/20230115194214/https://docs.github.com/en/issues/planning-and-tracking-with-projects/automating-your-project/automating-projects-using-actions#example-workflow-authenticating-with-a-github-app).
diff --git a/action.yml b/action.yml
@@ -14,9 +14,9 @@ inputs:
 
       One of:
       - id: use the installation with the specified ID.
-      - organization: fetch an organization installation (https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-an-organization-installation-for-the-authenticated-app).
-      - repository: fetch a repository installation (https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app).
-      - user: fetch a user installation (https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app).
+      - organization: use an organization installation (https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-an-organization-installation-for-the-authenticated-app).
+      - repository: use a repository installation (https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app).
+      - user: use a user installation (https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app).
     default: repository
   installation_retrieval_payload:
     description: >-
@@ -31,19 +31,19 @@ inputs:
   permissions:
     description: >-
       The JSON-stringified permissions granted to the token.
-      Default to all the GitHub app permissions.
+      Defaults to all permissions granted to the GitHub app.
       See https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app's `permissions`.
   private_key:
     description: Private key of the GitHub App (can be Base64 encoded).
     required: true
   repositories:
     description: >-
       The JSON-stringified array of the full names of the repositories the token should have access to.
-      Default to all repositories that the installation can access.
-      See See https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app's `repositories`.
+      Defaults to all repositories that the installation can access.
+      See https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app's `repositories`.
 outputs:
   token:
-    description: An installation token for the GitHub App on the requested repositories.
+    description: An installation access token for the GitHub App.
 runs:
   using: node20
   main: dist/index.js

diff --git a/src/fetch-installation-token.ts → src/create-installation-access-token.ts b/src/fetch-installation-token.ts → src/create-installation-access-token.ts
@@ -5,7 +5,7 @@ import { request } from "@octokit/request";
 
 import { InstallationRetrievalDetails } from "./installation-retrieval-details.js";
 
-export const fetchInstallationToken = async ({
+export const createInstallationAccessToken = async ({
   appId,
   githubApiUrl,
   installationRetrievalDetails,
@@ -65,18 +65,16 @@ export const fetchInstallationToken = async ({
         break;
     }
   } catch (error: unknown) {
-    throw new Error("Could not get retrieve installation.", { cause: error });
+    throw new Error("Could not retrieve installation.", { cause: error });
   }
 
   debug(`Retrieved installation ID: ${installationId}.`);
 
   try {
+
     const {
       data: { token },
-    } = await octokit.rest.apps.createInstallationAccessToken({
-      installation_id: installationId,
-      permissions,
-    });
+    } = await octokit.request("POST /app/installations/{installation_id}/access_tokens", {installation_id: installationId, permissions, repositories});
     return token;
   } catch (error: unknown) {
     throw new Error("Could not create installation access token.", {

diff --git a/src/index.ts b/src/index.ts
@@ -10,7 +10,7 @@ import {
 } from "@actions/core";
 import isBase64 from "is-base64";
 
-import { fetchInstallationToken } from "./fetch-installation-token.js";
+import { createInstallationAccessToken } from "./create-installation-access-token.js";
 import { getInstallationRetrievalDetails } from "./installation-retrieval-details.js";
 
 try {
@@ -53,7 +53,7 @@ try {
     : undefined;
   debug(`Requested repositories: ${JSON.stringify(repositories)}.`);
 
-  const token = await fetchInstallationToken({
+  const token = await createInstallationAccessToken({
     appId,
     githubApiUrl,
     installationRetrievalDetails,
@@ -64,7 +64,7 @@ try {
 
   setSecret(token);
   setOutput("token", token);
-  info("Token generated successfully!");
+  info("Token created successfully!");
 } catch (error) {
   // Using `console.error()` instead of only passing `error` to `setFailed()` for better error reporting.
   // See https://github.com/actions/toolkit/issues/1527.