Stefan
952a2a7073
This pull request adds support for generating GitHub App installation
tokens for enterprise-level installations.
### What changed
- Added a new `enterprise` input to `action.yml`.
- Wired `enterprise` through `main.js` and `lib/main.js`.
- Added validation so `enterprise` cannot be combined with `owner` or
`repositories`.
- Implemented enterprise installation lookup using the direct GitHub API
route `GET /enterprises/{enterprise}/installation`, then used the
returned installation ID to mint an installation token through
`@octokit/auth-app`.
- Updated `README.md` with enterprise installation usage and input
documentation.
- Updated `dist/main.cjs` for the bundled action.
- Shared token creation retry behavior across repository, owner, and
enterprise paths so server errors and transient network errors are
retried, while client errors fail immediately.
### Tests
Added focused test coverage for:
- enterprise token creation
- enterprise token creation with explicit permissions
- enterprise installation not found
- mutual exclusivity with `owner`
- mutual exclusivity with `repositories`
- owner installation client errors are not retried
- transient network errors are retried during token creation
### Notes
- This keeps the existing repository-scoped token behavior unchanged.
- Owner, repository, and enterprise token creation now share the same
retry policy: server errors and recognized transient network errors are
retried, while client errors fail immediately. This intentionally fixes
the previous owner-path behavior that retried client errors.
Refs:
-
https://github.blog/changelog/2025-07-01-enterprise-level-access-for-github-apps-and-installation-automation-apis/
-
https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-an-enterprise-installation-for-the-authenticated-app
---------
Co-authored-by: Parker Brown <17183625+parkerbxyz@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
58 lines
1.6 KiB
JavaScript
58 lines
1.6 KiB
JavaScript
// @ts-check
|
|
|
|
import * as core from "@actions/core";
|
|
import { createAppAuth } from "@octokit/auth-app";
|
|
|
|
import { getPermissionsFromInputs } from "./lib/get-permissions-from-inputs.js";
|
|
import { main } from "./lib/main.js";
|
|
import request, { ensureNativeProxySupport } from "./lib/request.js";
|
|
|
|
if (!process.env.GITHUB_REPOSITORY) {
|
|
throw new Error("GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'");
|
|
}
|
|
|
|
if (!process.env.GITHUB_REPOSITORY_OWNER) {
|
|
throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
|
|
}
|
|
|
|
async function run() {
|
|
ensureNativeProxySupport();
|
|
|
|
const clientId = core.getInput("client-id") || core.getInput("app-id");
|
|
if (!clientId) {
|
|
throw new Error("The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string. If using a secret or variable, ensure it is available in this workflow context.");
|
|
}
|
|
const privateKey = core.getInput("private-key");
|
|
const enterprise = core.getInput("enterprise");
|
|
const owner = core.getInput("owner");
|
|
const repositories = core
|
|
.getInput("repositories")
|
|
.split(/[\n,]+/)
|
|
.map((s) => s.trim())
|
|
.filter((x) => x !== "");
|
|
|
|
const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
|
|
|
|
const permissions = getPermissionsFromInputs(process.env);
|
|
|
|
return main(
|
|
clientId,
|
|
privateKey,
|
|
enterprise,
|
|
owner,
|
|
repositories,
|
|
permissions,
|
|
core,
|
|
createAppAuth,
|
|
request,
|
|
skipTokenRevoke,
|
|
);
|
|
}
|
|
|
|
// Export promise for testing
|
|
export default run().catch((error) => {
|
|
/* c8 ignore next 3 */
|
|
console.error(error);
|
|
core.setFailed(error.message);
|
|
});
|