Add permissions input (#40)

tibdex · Jul 12, 2022 · f66c1c3 · f66c1c3
1 parent c95b1c4
commit f66c1c3
Show file tree

Hide file tree

Showing 6 changed files with 593 additions and 447 deletions.
diff --git a/README.md b/README.md
@@ -18,11 +18,20 @@ jobs:
         uses: tibdex/github-app-token@v1
         with:
           app_id: ${{ secrets.APP_ID }}
-          private_key: ${{ secrets.PRIVATE_KEY }}
+
           # Optional (defaults to ID of the repository's installation).
           # installation_id: 1337
+
+          # Optional (defaults to all the Github App permissions).
+          # Using a YAML multiline string to avoid escaping the JSON quotes.
+          # permissions: >-
+          #   {"members": "read"}
+
+          private_key: ${{ secrets.PRIVATE_KEY }}
+
           # Optional (defaults to the current repository).
           # repository: "owner/repo"
+
       - name: Use token
         env:
           TOKEN: ${{ steps.generate_token.outputs.token }}

diff --git a/action.yml b/action.yml
@@ -12,6 +12,8 @@ inputs:
     description: The ID of the installation for which the token will be requested (defaults to the ID of the repository's installation).
   repository:
     description: The full name of the repository for which the token will be requested (defaults to the current repository).
+  permissions:
+    description: The JSON-stringified permissions granted to the token (defaults to all the GitHub app permissions, see https://docs.github.com/en/rest/apps/apps#create-an-installation-access-token-for-an-app).
 outputs:
   token:
     description: An installation token for the GitHub App on the requested repository.

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "github-app-token",
-  "version": "1.5.2",
+  "version": "1.6.0",
   "license": "MIT",
   "type": "module",
   "files": [
@@ -14,26 +14,26 @@
     "xo": "xo"
   },
   "dependencies": {
-    "@actions/core": "^1.6.0",
-    "@actions/github": "^5.0.1",
-    "@octokit/auth-app": "^3.6.1",
-    "@octokit/request": "^5.6.3",
+    "@actions/core": "^1.9.0",
+    "@actions/github": "^5.0.3",
+    "@octokit/auth-app": "^4.0.4",
+    "@octokit/request": "^6.0.2",
     "ensure-error": "^4.0.0",
     "is-base64": "^1.1.0"
   },
   "devDependencies": {
     "@types/error-cause": "^1.0.1",
     "@types/is-base64": "^1.1.1",
     "@types/node": "^16.11.26",
-    "@vercel/ncc": "^0.33.3",
+    "@vercel/ncc": "^0.34.0",
     "eslint-config-prettier": "^8.5.0",
     "eslint-plugin-import": "^2.26.0",
     "eslint-plugin-sort-destructure-keys": "^1.4.0",
     "eslint-plugin-typescript-sort-keys": "^2.1.0",
     "prettier": "^2.6.2",
-    "prettier-plugin-packagejson": "^2.2.17",
-    "typescript": "^4.7.0-beta",
-    "xo": "^0.48.0",
-    "yarn-deduplicate": "^4.0.0"
+    "prettier-plugin-packagejson": "^2.2.18",
+    "typescript": "^4.7.4",
+    "xo": "^0.50.0",
+    "yarn-deduplicate": "^5.0.0"
   }
 }
diff --git a/src/fetch-installation-token.ts b/src/fetch-installation-token.ts
@@ -8,12 +8,14 @@ export const fetchInstallationToken = async ({
   appId,
   installationId,
   owner,
+  permissions,
   privateKey,
   repo,
 }: Readonly<{
   appId: string;
   installationId?: number;
   owner: string;
+  permissions?: Record<string, string>;
   privateKey: string;
   repo: string;
 }>): Promise<string> => {
@@ -42,6 +44,10 @@ export const fetchInstallationToken = async ({
     }
   }
 
-  const installation = await app({ installationId, type: "installation" });
+  const installation = await app({
+    installationId,
+    permissions,
+    type: "installation",
+  });
   return installation.token;
 };
diff --git a/src/index.ts b/src/index.ts
@@ -8,21 +8,32 @@ import { fetchInstallationToken } from "./fetch-installation-token.js";
 const run = async () => {
   try {
     const appId = getInput("app_id", { required: true });
+
+    const installationIdInput = getInput("installation_id");
+    const installationId = installationIdInput
+      ? Number(installationIdInput)
+      : undefined;
+
+    const permissionsInput = getInput("permissions");
+    const permissions = permissionsInput
+      ? (JSON.parse(permissionsInput) as Record<string, string>)
+      : undefined;
+
     const privateKeyInput = getInput("private_key", { required: true });
     const privateKey = isBase64(privateKeyInput)
       ? Buffer.from(privateKeyInput, "base64").toString("utf8")
       : privateKeyInput;
 
-    const installationId = getInput("installation_id");
     const repositoryInput = getInput("repository");
     const [owner, repo] = repositoryInput
       ? repositoryInput.split("/")
       : [context.repo.owner, context.repo.repo];
 
     const installationToken = await fetchInstallationToken({
       appId,
-      installationId: installationId ? Number(installationId) : undefined,
+      installationId,
       owner,
+      permissions,
       privateKey,
       repo,
     });