
create-github-app-token's Introduction

Create GitHub App Token


GitHub Action for creating a GitHub App installation access token.

Usage

In order to use this action, you need to:

  1. Register new GitHub App
  2. Store the App's ID in your repository environment variables (example: APP_ID)
  3. Store the App's private key in your repository secrets (example: PRIVATE_KEY)

Important

An installation access token expires after 1 hour. Please see this comment for alternative approaches if you have long-running processes.

Create a token for the current repository

name: Run tests on staging
on:
  push:
    branches:
      - main

jobs:
  hello-world:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
      - uses: ./actions/staging-tests
        with:
          token: ${{ steps.app-token.outputs.token }}

Use app token with actions/checkout

on: [pull_request]

jobs:
  auto-format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          # required
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}
          ref: ${{ github.head_ref }}
          # Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
          persist-credentials: false
      - uses: creyD/[email protected]
        with:
          github_token: ${{ steps.app-token.outputs.token }}

Create a git committer string for an app installation

on: [pull_request]

jobs:
  auto-format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          # required
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
      - name: Get GitHub App User ID
        id: get-user-id
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
      - id: committer
        run: echo "string=${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"  >> "$GITHUB_OUTPUT"
      - run: echo "committer string is ${{ steps.committer.outputs.string }}"

Configure git CLI for an app's bot user

on: [pull_request]

jobs:
  auto-format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          # required
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
      - name: Get GitHub App User ID
        id: get-user-id
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
      - run: |
          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
      # git commands like commit work using the bot user
      - run: |
          git add .
          git commit -m "Auto-generated changes"
          git push

Tip

The <BOT USER ID> is the numeric user ID of the app's bot user, which can be found under https://api.github.com/users/<app-slug>%5Bbot%5D.

For example, we can check at https://api.github.com/users/dependabot[bot] to see the user ID of Dependabot is 49699333.

Alternatively, you can use the octokit/request-action to get the ID.

Create a token for all repositories in the current owner's installation

on: [workflow_dispatch]

jobs:
  hello-world:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
      - uses: peter-evans/create-or-update-comment@v3
        with:
          token: ${{ steps.app-token.outputs.token }}
          issue-number: ${{ github.event.issue.number }}
          body: "Hello, World!"

Create a token for multiple repositories in the current owner's installation

on: [issues]

jobs:
  hello-world:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: "repo1,repo2"
      - uses: peter-evans/create-or-update-comment@v3
        with:
          token: ${{ steps.app-token.outputs.token }}
          issue-number: ${{ github.event.issue.number }}
          body: "Hello, World!"

Create a token for all repositories in another owner's installation

on: [issues]

jobs:
  hello-world:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
          owner: another-owner
      - uses: peter-evans/create-or-update-comment@v3
        with:
          token: ${{ steps.app-token.outputs.token }}
          issue-number: ${{ github.event.issue.number }}
          body: "Hello, World!"

Create tokens for multiple user or organization accounts

You can use a matrix strategy to create tokens for multiple user or organization accounts.

Note

See this documentation for information on using multiline strings in workflows.

on: [workflow_dispatch]

jobs:
  set-matrix:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set.outputs.matrix }}
    steps:
      - id: set
        run: echo 'matrix=[{"owner":"owner1"},{"owner":"owner2","repos":["repo1"]}]' >>"$GITHUB_OUTPUT"

  use-matrix:
    name: "@${{ matrix.owners-and-repos.owner }} installation"
    needs: [set-matrix]
    runs-on: ubuntu-latest
    strategy:
      matrix:
        owners-and-repos: ${{ fromJson(needs.set-matrix.outputs.matrix) }}

    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
          owner: ${{ matrix.owners-and-repos.owner }}
          repositories: ${{ join(matrix.owners-and-repos.repos) }}
      - uses: octokit/[email protected]
        id: get-installation-repositories
        with:
          route: GET /installation/repositories
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
      - run: echo "$MULTILINE_JSON_STRING"
        env:
          MULTILINE_JSON_STRING: ${{ steps.get-installation-repositories.outputs.data }}

Run the workflow in a github.com repository against an organization in GitHub Enterprise Server

on: [push]

jobs:
  create_issue:
    runs-on: self-hosted

    steps:
    - name: Create GitHub App token
      id: create_token
      uses: actions/create-github-app-token@v1
      with:
        app-id: ${{ vars.GHES_APP_ID }}
        private-key: ${{ secrets.GHES_APP_PRIVATE_KEY }}
        owner: ${{ vars.GHES_INSTALLATION_ORG }}
        github-api-url: ${{ vars.GITHUB_API_URL }}

    - name: Create issue
      uses: octokit/[email protected]
      with:
        route: POST /repos/${{ github.repository }}/issues
        title: "New issue from workflow"
        body: "This is a new issue created from a GitHub Action workflow."
      env:
        GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}

Inputs

app-id

Required: GitHub App ID.

private-key

Required: GitHub App private key. Escaped newlines (\\n) will be automatically replaced with actual newlines.

Some other actions may require the private key to be Base64 encoded. To avoid recreating a new secret, it can be decoded on the fly, but it needs to be managed securely. Here is an example of how this can be achieved:

steps:
  - name: Decode the GitHub App Private Key
    id: decode
    run: |
      private_key=$(echo "${{ secrets.PRIVATE_KEY }}" | base64 -d | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null
      echo "::add-mask::$private_key"
      echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
  - name: Generate GitHub App Token
    id: app-token
    uses: actions/create-github-app-token@v1
    with:
      app-id: ${{ vars.APP_ID }}
      private-key: ${{ steps.decode.outputs.private-key }}

owner

Optional: The owner of the GitHub App installation. If empty, defaults to the current repository owner.

repositories

Optional: Comma-separated list of repositories to grant access to.

Note

If owner is set and repositories is empty, access will be scoped to all repositories in the provided repository owner's installation. If owner and repositories are empty, access will be scoped to only the current repository.

skip-token-revoke

Optional: If truthy, the token will not be revoked when the current job is complete.

github-api-url

Optional: The URL of the GitHub REST API. Defaults to the URL of the GitHub REST API where the workflow is run from.

Outputs

token

GitHub App installation access token.

installation-id

GitHub App installation ID.

app-slug

GitHub App slug.

How it works

The action creates an installation access token using the POST /app/installations/{installation_id}/access_tokens endpoint. By default,

  1. The token is scoped to the current repository or repositories if set.
  2. The token inherits all the installation's permissions.
  3. The token is set as output token which can be used in subsequent steps.
  4. Unless the skip-token-revoke input is set to a truthy value, the token is revoked in the post step of the action, which means it cannot be passed to another job.
  5. The token is masked, so it cannot be logged accidentally.

Note

Installation permissions can differ from the permissions of the app they belong to. Installation permissions are set when an app is installed on an account. When the app adds more permissions after the installation, an account administrator will have to approve the new permissions before they are set on the installation.

License

MIT


create-github-app-token's Issues

workflow that uses GITHUB_TOKEN can no longer trigger other workflow!

Hello!
I'm developing a git bot that can be integrated with GitHub.
Up until now we used the auto-generated GITHUB_TOKEN for this product so it can create new PRs in a git repository.
The bot can be triggered manually or periodically as a GitHub Action.
So far it worked fine but suddenly whenever a new PR is opened by the bot's action it will not trigger other workflows that should be triggered in the repository.
I read your docs that using GITHUB_TOKEN doesn't allow a workflow to trigger another workflow.
I wanted to ask when this change was introduced? We didn't experience this issue so far.
Is using GitHub app token or private token the only replacements I can use to achieve what I want?
Thank you!

[FEAT]: Support overriding github api url

originally posted by @harshtrivedi134 at octokit/octokit.js#2569

Describe the need

Reference from discussion
I was creating an access token for a github app installed in a different organization and repository. I learned about https://github.com/actions/create-github-app-token#create-a-token-for-all-repositories-in-another-owners-installation.

Similar to the baseUrl option in Octokit constructor, it would be great if we could specify the github API url as an input to this action

      - uses: actions/create-github-app-token@v1
        id: get-access-token
        with:
          app-id: APP_ID
          private-key: PRIVATE_KEY
          base-url: https://slack-github.com/api/

I tried creating an access token for my github app installed in a different organization by specifying the owner and repository using the following:

      - uses: actions/create-github-app-token@v1
        id: get-access-token
        with:
          app-id: APP_ID
          private-key: PRIVATE_KEY
          owner: "owner"
          repositories: |
            owner/repo_name

However, the default github API hostname/url is set to api.github.com and we cannot change it to a custom hosted github installation.

Code of Conduct

  • I agree to follow this project's Code of Conduct

Generate a personal access token (classic) to access maven repository

We do have two private repositories in our organization, let's call them: library and project. The library is hosted in the Maven GitHub repository. The project workflow is using a personal access token for authorization (according to documentation).

Now we want to migrate to actions/create-github-app-token, but I was unable to create a working solution.

.github/workflows/example.yml
jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Get token from Github App
      uses: actions/create-github-app-token@v1
      id: app-token
      with:
        app-id: ${{ secrets.GET_TOKEN_APP_ID }}
        private-key: ${{ secrets.GET_TOKEN_APP_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
 
    - name: Set up Maven
      uses: actions/setup-java@v4
      with:
        java-version: '17'
        distribution: 'corretto'
        cache: 'maven'
        server-username: MAVEN_USERNAME
        server-password: MAVEN_PASSWORD

    - name: Build and Package
      run: |
        cd project
        mvn clean package
      env:
        MAVEN_USERNAME: ${{ github.actor }}
        MAVEN_PASSWORD: ${{ steps.app-token.outputs.token }}

I've tried multiple configurations but always end up with the following error:

Authentication failed for https://maven.pkg.github.com//repo/..., status: 401 Unauthorized -> [Help 1]

What I'm guessing is that create-github-app-token doesn't support a personal access token. Could you confirm if this is the case?

output token cannot be used across jobs

Current behavior

Output tokens cannot be used across jobs. This causes jobs that depend on said token to fail.

  1. Unless the skip-token-revoke input is set to a truthy value, the token is revoked in the post step of the action, which means it cannot be passed to another job.

Using skip-token-revoke does not allow a token to be used across jobs, which is what this wording seems to imply.

Possible solutions

  • opt-in to token masking + allow revoking token via action input (i.e action: 'revoke')
  • fix (clarify) documentation

Additional context

Action summary screenshot


Support opting-out of token revocation

Relates to #54

Current behavior

From #54:

Currently, actions/create-github-app-token always/unconditionally revokes the installation access token in a post step, at the completion of the current job. This prevents tokens from being used in other jobs.

Use case

My team runs workflows that retrieve tokens for multiple hosts and multiple orgs.

As detailed in https://github.com/github/accessibility/discussions/4438 (only accessible to Hubbers), we use environment secrets to keep secrets (e.g. app id, installation id, and private key) organized.

Since individual steps cannot access an arbitrary environment’s secrets (i.e. there is no jobs.<job_id>.steps[*].environment), we use multiple jobs, one job per environment.

After we obtain a token using a given environment’s secrets, it’s encrypted and then made available to a subsequent job. However, if the token is revoked at the completion of the job that retrieves it, then the next job can’t use it.

Proposed behavior

actions/create-github-app-token should support opting-out of revocation. This could be accomplished by introducing a new input, e.g. revoke: ("true"|"false"), as in #54.

How to use with actions toolkit core to getIDToken for OIDC?

In my workflow, I use aws-actions/configure-aws-credentials for OIDC authentication via GitHub.

This is a sample workflow:

name: Build

on:
  push:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Generate a token
        id: generate_token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_GITHUB_ROLE_ARN }}
          aws-region: us-east-1

It fails because configure-aws-credentials action needs to get a JWT from Github using @actions/core, which in turn requires the environment variables below to be set:

  • ACTIONS_ID_TOKEN_REQUEST_TOKEN
  • ACTIONS_ID_TOKEN_REQUEST_URL

It seems these are only set when adding permissions with id-token: write to my workflow, but since I'm using my custom GitHub App token, I was expecting not to be required to add a permissions to my workflow since I want to leverage my GitHub App permissions, and permissions as far as I know is used to configure permissions to the GITHUB_TOKEN auto-generated by workflows (not to my custom app token).

Is it possible for the create-github-app-token to set the ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL so it can be used seamlessly with the actions/toolkit from GitHub (not only by AWS, but any action that relies on it for OIDC authentication)?

Thanks!!!

Clarify logs for failed requests that are retried, and add success log messages if previous attempts failed

I have the following step in my workflow

   - name: Generate a token
        id: generate-token
        uses: actions/create-github-app-token@v1
        with:
          github-api-url: "https://custom.gitenterprise.com/api/v3"
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}

The action fails but the step result is not failure


Error from the step
repositories not set, creating token for all repositories for given owner ""
Failed to create token for "
" (attempt 1): 'Expiration time' claim ('exp') is too far in the future - https://docs.github.com/[email protected]/rest

The issue seems to be random as relaunching the job with debug enabled now it show the step as failed


##[debug]Evaluating condition for step: 'Generate a token'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Generate a token
##[debug]Register post job cleanup for action: actions/create-github-app-token@v1
##[debug]Loading inputs
##[debug]Evaluating: vars.APP_ID
##[debug]Evaluating Index:
##[debug]..Evaluating vars:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'APP_ID'
##[debug]=> '35'
##[debug]Result: '35'
##[debug]Evaluating: secrets.APP_PRIVATE_KEY
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'APP_PRIVATE_KEY'
##[debug]=> '***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]***
##[debug]'
RequestError [HttpError]: 'Expiration time' claim ('exp') is too far in the future - https://docs.github.com/[email protected]/rest
    at /scratch/ghe-runners/1/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:30470:21
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async hook (/scratch/ghe-runners/1/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:12119:22)
    at async getTokenFromOwner (/scratch/ghe-runners/1/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:29956:20)
    at async RetryOperation._fn (/scratch/ghe-runners/1/_work/_actions/actions/create-github-app-token/v1/dist/main.cjs:29856:24) {
  status: 401,
  request: {
    method: 'GET',
    url: 'https://custom.gitenterprise.com/api/v3/orgs/XAE/installation',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'actions/create-github-app-token',
      authorization: 'bearer [REDACTED]'
    },
    request: { hook: [Function: bound hook] AsyncFunction }
  },
  response: {
    url: 'https://custom.gitenterprise.com/api/v3/orgs/XAE/installation',
    status: 401,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-length': '143',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Thu, 28 Mar 2024 14:36:18 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'GitHub.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-enterprise-version': '3.8.12',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': '3f6bbd2b-182c-4923-8446-19f93fff227f',
      'x-runtime-rack': '0.018151',
      'x-xss-protection': '0'
    },
    data: {
      message: "'Expiration time' claim ('exp') is too far in the future",
      documentation_url: 'https://docs.github.com/[email protected]/rest'
    }
  },
  attemptNumber: 4,
  retriesLeft: 0
}
Error: 'Expiration time' claim ('exp') is too far in the future - https://docs.github.com/[email protected]/rest
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Generate a token

Use token to restore nuget package from private repo owned by my company

Hi,

I'm trying to restore nuget packages from a private repo in the same company.

I created the Github app with these permissions to allow reading on Packages

in my API solution, I configured the yml workflow using your action to generate a token:

    - uses: actions/create-github-app-token@v1
      id: app-token
      with: 
        app-id: ${{ vars.APP_ID }}
        private-key: ${{ secrets.PRIVATE_KEY }}
        # optional: owner not needed IF the app has access to the repo running the workflow
        #   if you get 'RequestError [HttpError]: Not Found 404', pass in owner
        #repositories: ${{ github.event.repository.name }}

then I update the current nuget source:

     # Set SK nuget source Credentials #NUGET_AUTH_TOKEN: ${{ secrets.AZURE_DEVOPS_PAT }}
    - name: Restore .NET project Dependencies
      run: dotnet nuget update source SKDotNetPackages --source "https://nuget.pkg.github.com/SK/index.json" --username "SK-API" --password ${{ steps.app-token.outputs.token }} --store-password-in-clear-text 

note that SK-API is the name of the current API Repo

And restore the packages in my API Solution

      # Restore .NET project Dependencies
    - name: Restore .NET project Dependencies
      run: find . -name '*.csproj' -exec dotnet restore {} \;

Which generates the error:

warning Undefined: Your request could not be authenticated by the GitHub Packages service. Please ensure your access token is valid and has the appropriate scopes configured.

Do you know what I missed in the configuration?

Add support for retries

This issue comes from this issue #42 (comment)

As a rule of thumb, in all code that works with the network, the network will always one day fail.
For that reason, it will be great to implement a retry logic inside of the action so that the requests made to the GitHub API have a retry logic.

Also, we can expose the retry parameters to the user.

  attempt_limit:
    description: Number of attempts
    required: false
    default: 2
  attempt_delay:
    description: A delay between attempts in ms
    required: false
    default: 0

Return the GitHub App user id

Hello,

The action returns additional outputs thanks to #105, but it would be great to return also the GitHub App user id, which we can fetch using the GH CLI for instance with gh api "/users/<app-slug>[bot]" --jq .id.
The rationale is that to get the commit authenticated properly, we have to use the user id and not the installation id (as also mentioned in this discussion). This was discussed in the mentioned PR, but somehow only the installation id was added to the outputs.

This is currently how I implemented it:

      - name: Generate GitHub App Token
        id: generate-token
        uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
        with:
          app-id: ${{ secrets.SEMANTIC_RELEASE_APP_ID }}
          private-key: ${{ secrets.SEMANTIC_RELEASE_PRIVATE_KEY }}
      - name: GitHub Release
        env:
          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
          GIT_AUTHOR_NAME: ${{ steps.generate-token.outputs.app-slug }}[bot]
          GIT_AUTHOR_EMAIL: ${{ steps.generate-token.outputs.installation-id }}+${{ steps.generate-token.outputs.app-slug }}[bot]@users.noreply.github.com
          GIT_COMMITTER_NAME: ${{ steps.generate-token.outputs.app-slug }}[bot]
          GIT_COMMITTER_EMAIL: ${{ steps.generate-token.outputs.installation-id }}+${{ steps.generate-token.outputs.app-slug }}[bot]@users.noreply.github.com
        run: npx semantic-release

Which leads to commits not properly associated with the GitHub App. So we would need to use the user-id instead of the installation-id in the email

Release workflow is failing

Build: https://github.com/actions/create-github-app-token/actions/runs/6841698226/job/18603233519

✘  An error occurred while running semantic-release: Error: Command failed with exit code 1: git push --tags https://x-access-token:[secure]@github.com/actions/create-github-app-token HEAD:main
remote: error: GH013: Repository rule violations found for refs/heads/main.        
remote: Review all repository rules at http://github.com/actions/create-github-app-token/rules?ref=refs%2Fheads%2Fmain        
remote: 
remote: - Changes must be made through a pull request.        
remote: 
remote: - 2 of 2 required status checks are expected.        
remote: 

However, the app that we authenticate with for the semantic-release setup is configured to bypass the rule:


So I'm not sure what's up, I'm pretty sure this worked before 🤷

Handle `repositories` input with spaces between repositories

This action could handle a little more flexibility in the repositories input. A common mistake is to provide repositories: foo, bar instead of repositories: foo,bar if a token is needed for > 1 repository.

For example:

    - name: Generate Github Actions App token
      id: generate-token
      uses: actions/create-github-app-token@v1
      with:
        app-id: ${{ env.GH_APP_APP_ID }}
        private-key: ${{ env.GH_APP_PRIVATE_KEY }}
        repositories: foo, bar

Fails to get a token because the body in the HTTP request to GH will look like this:

body: '{"repositories":["foo"," bar"]}',

I think trimming the repos, something like repos = repos.map(r => r.trim()), would catch this and make for a more intuitive API

Token to create orgA/repo from orgB template

I have been trying to enable a Github Workflow that should be able to create a new repo at orgA, using a template repo from orgB, I don't believe there is a chance to support this since the GitHub Apps tokens are scoped to an individual account or a specific org afaik, but it could be pretty useful to have a way to support this using GitHub Apps.

These are the steps, I'm trying to use:

      - name: Generate a token
        id: generate-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.ZCLOUD_BOT_APP_ID }}
          private-key: ${{ secrets.ZCLOUD_BOT_APP_PRIVATE_KEY }}
          owner: ${{ github.event.inputs.repo-org }}

      - name: Create the new repo
        id: create-repo
        env:
          GITHUB_TOKEN: ${{ steps.generate-token-template.outputs.token }}
        run: |
          gh repo create ${{ github.event.inputs.repo-org }}/${{ github.event.inputs.repo-name }} \
            --internal \
            --template ${{ github.repository }}

This is similar to Issue 45, but I can't use the matrix approach since permission to both orgs is required between the same command exec.

Support organization-scope installation token

Thank you for making a great Action! We've been relying on third-party actions or raw github-script for a long time, so it's great to see the official solution finally!

One request I'd like to make is to support retrieving organization-scoped installation token. One of the example use-cases is to automate the GitHub Project (V2), as illustrated in the GitHub's official documentation (which currently uses tibdex/github-app-token):

https://docs.github.com/en/issues/planning-and-tracking-with-projects/automating-your-project/automating-projects-using-actions

GitHub Project (V2) is a resource tied to organizations, so repository-scope access should be essentially unnecessary for the App.

`A JSON web token could not be decoded` error when running action

Hi, I get this error when running the action:

Run actions/create-github-app-token@v1
  with:
    app-id: ***
    private-key: ***
    github-api-url: https://api.github.com/
owner and repositories not set, creating token for the current repository ("fusion-imu")
Failed to create token for "fusion-imu" (attempt 1): A JSON web token could not be decoded - https://docs.github.com/rest
Failed to create token for "fusion-imu" (attempt 2): A JSON web token could not be decoded - https://docs.github.com/rest
Failed to create token for "fusion-imu" (attempt 3): A JSON web token could not be decoded - https://docs.github.com/rest
Failed to create token for "fusion-imu" (attempt 4): A JSON web token could not be decoded - https://docs.github.com/rest
RequestError [HttpError]: A JSON web token could not be decoded - https://docs.github.com/rest
    at /home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:37050:21
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async hook4 (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39454:18)
    at async getTokenFromRepository (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39768:20)
    at async RetryOperation._fn (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:39645:24) {
  status: 401,
  request: {
    method: 'GET',
    url: 'https://api.github.com/repos/avsaase/fusion-imu/installation',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'actions/create-github-app-token',
      authorization: 'bearer [REDACTED]'
    },
    request: { hook: [Function: bound hook4] AsyncFunction }
Error: A JSON web token could not be decoded - https://docs.github.com/rest
  },
  response: {
    url: 'https://api.github.com/repos/avsaase/fusion-imu/installation',
    status: 401,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-length': '117',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Wed, 03 Jul 2024 22:33:58 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'github.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': 'E906:311D5D:2A7971:4ADA68:6685D1D2',
      'x-xss-protection': '0'
    },
    data: {
      message: 'A JSON web token could not be decoded',
      documentation_url: 'https://docs.github.com/rest',
      status: '401'
    }
  },
  attemptNumber: 4,
  retriesLeft: 0
}

In my workflow file I have

- name: Generate GitHub token
  uses: actions/create-github-app-token@v1
  id: generate-token
  with:
    app-id: ${{ secrets.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}

(full workflow file)

The corresponding app id and private key are set as secrets in my repository. The private key is copy-pasted directly from the .pem file that downloads when creating a private key.

The app is installed

Did I do something wrong or is this a bug? Thanks.

Add integration tests as end-to-end tests fail for pull requests coming from forks

We considered using pull_request_target in order to give access to repository secrets, but decided against it. See #17 (comment) for more context.

We want to continue running the end-to-end tests as we have them anyway, but we want to add integration tests with mocked requests which won't require credentials and can also be run locally with npm test.

We use Node's built-in fetch. Here are some relevant guides for testing/mocking

Defer revocation to separate job.

It would be great to have an explicit possibility to revoke GH_TOKEN in a separate step/job.

Example workflow:

---
on:
  push:
    branches:
      - main

jobs:
  get_token:
    name: GitHub Token
    runs-on: ubuntu-latest
    outputs:
      github_token: ${{ steps.get_workflow_token.outputs.token }}
      # NEW as an example:
      github_token_id: ${{ steps.get_workflow_token.outputs.token_id }}
    steps:
      - name: Get Token
        id: get_workflow_token
        uses: actions/[email protected]
        with:
          application_id: ${{ vars.TEST_APP_ID }}
          application_private_key: ${{ secrets.TEST_APP_PRIV_KEY }}
          revoke_token: false

  terraform:
    name: Terraform
    needs: get_token
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ needs.get_token.outputs.github_token }}

    steps:
      - name: Checkout the repository to the runner
        uses: actions/checkout@v4

      (...)

      - name: Terraform plan
        id: plan
        run: terraform plan -no-color -input=false


  # NEW as an example:
  revoke_token:
    name: Revoke GitHub Token
    needs: 
      - get_token
      - terraform
    runs-on: ubuntu-latest
    steps:
      - name: Revoke Token
        id: revoke_workflow_token
        uses: actions/[email protected]
        with:
          github_token_to_revoke: ${{ needs.get_token.outputs.github_token_id }}
          revoke_token: true

Token seems to expire after 1h

I'm running a workflow (target-workflow.yml) in another repository (target-repo) of my organization using https://github.com/aurelien-baudet/workflow-dispatch (v2).
To that end I'm generating an app token with actions/create-github-app-token@v1.
I can generate the token with no issues, and aurelien-baudet/workflow-dispatch@v2 manages to trigger target-workflow.yml all right as well.
However, after some time, fetching the status of target-workflow starts to fail with Warning: Failed to get workflow status: Bad credentials. This causes my parent job to fail.
That seems to start happening after exactly 1h.

Am I correct that the token expires after 1h? Is it documented somewhere?
Also, is there a way to extend the lifetime of this token? Otherwise, do you suggest a workaround?

My workflow:

name: Run target-workflow.yml in other target-repo

permissions:
  id-token: write
  contents: read

jobs:
  run-target-workflow:
    name: Run target-workflow
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ...  # My app id
          private-key: ...  # My private key
          repositories: "target-repo"

      - name: Run workflow in target-repo
        uses: aurelien-baudet/workflow-dispatch@v2
        with:
          ref: main
          repo: target-repo
          workflow: target-workflow.yml
          wait-for-completion: true
          wait-for-completion-timeout: 2h
          token: ${{ steps.app-token.outputs.token }}
          inputs: ...  # The relevant inputs to target-workflow

The output of aurelien-baudet/workflow-dispatch@v2 step:

Run aurelien-baudet/workflow-dispatch@v2
Workflow triggered 🚀
You can follow the running workflow here: https://github.com/...
Warning: The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
Waiting for workflow completion
Warning: Failed to get workflow status: Bad credentials
Warning: Failed to get workflow status: Bad credentials
Warning: Failed to get workflow status: Bad credentials
... 

Support custom permissions

follow up to: 2d5eced

Our idea is to add separate permission_* parameters for each permission supported by GitHub Apps:
https://docs.github.com/en/rest/overview/permissions-required-for-github-apps

The permission_* keys can be generated based off https://github.com/octokit/app-permissions. Each time a new version of @octokit/app-permissions is released, the action.yml could be updated, in order to keep permissions always up-to-date. The README.md should be updated as well to make sure the documentation is up-to-date as well. Most permissions can be set to read or write, some can also be set to admin.

Having separate permissions has the benefit of code intelligence and errors shown directly on GitHub when an unknown permission is set due to a typo.

404 when attempting to get a token for an organisation scoped app installation

I have an app installation set up on an organisation, having followed the docs on this repo. It appears the lookup is being done against the /users/... endpoint which doesn't seem correct for an organisation?

Run actions/create-github-app-token@v1
  with:
    app-id: ***
    private-key: ***
    owner: pre-quantum-research
repositories not set, creating token for all repositories for given owner "pre-quantum-research"
RequestError [HttpError]: Not Found
    at /home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:2890:25
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async main (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:10071:22) {
  status: 404,
  response: {
    url: 'https://api.github.com/users/pre-quantum-research/installation',
    status: 404,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Mon, 06 Nov 2023 16:52:05 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'GitHub.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': '4820:56A0:49A3574:96BB6B3:654919B5',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Not Found',
      documentation_url: 'https://docs.github.com/rest/apps/apps#get-a-user-installation-for-the-authenticated-app'
    }
  },
  request: {
    method: 'GET',
    url: 'https://api.github.com/users/pre-quantum-research/installation',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'actions/create-github-app-token',
      authorization: 'bearer [REDACTED]'
    }
  }
}

Proposal: Use dashes (instead of underscores) in input names

From @gr2m in #54 (comment):

I think we should use dashes for our arguments, it seems to be the convention for actions/* actions, e.g. see https://github.com/actions/checkout/

Notably, changing the input names affects the translated environment variable names [1]:

  • An input named my_var is translated to INPUTS_MY_VAR.
  • An input named my-var is translated to INPUTS_MY-VAR.

So, we may want a plan for backwards-compatibility, or we may want to ship this in a major version bump.

Footnotes

  1. cf. “Metadata syntax for GitHub Actions > Example: Specifying inputs”

Unclear error: secretOrPrivateKey must be an asymmetric key when using RS256

I have tried to use this action with a newly created internal github-app and get this error.

I guess it means my secret is wrong?
Could I have formatted it incorrectly?
Is it likely to be similar to this stackoverflow question? (PEM format, extra whitespace etc)
https://stackoverflow.com/questions/75635389/secretorprivatekey-must-be-an-asymmetric-key-when-using-rs256

  • I've tried using the app's Client Secret key that I generated (42 char hex string)
  • I've tried an app private key: SHA256:<base64 string XYZ0123/=>
  • Tried private key without SHA256: prefix

at module2.exports [as sign] (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:10369:26)
Error: secretOrPrivateKey must be an asymmetric key when using RS256
at getToken (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:10500:27)
at githubAppJwt (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:10516:27)
at getAppAuthentication (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:11822:90)
at hook (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:12115:41)
at newApi (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:30550:36)
at getTokenFromOwner (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:29956:26)
at /home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:29937:71
at RetryOperation._fn (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:29856:30)
at Timeout. (/home/runner/work/_actions/actions/create-github-app-token/v1/dist/main.cjs:12311:14)

Improve retry logic

Follow up to #71.

We introduced a simple request retry logic via #79. There are a few ways we could improve the implementation

Create token for multiple organization/user accounts

This is a follow up to #4 (comment)

@kmaehashi had posted the following request here

Under the GitHub Enterprise Cloud setup, we are often required to access repositories under multiple organizations. It would be great if you consider covering the checkout use case like these:

# Checkout orgA/repoA and orgB/repoB

- uses: actions/create-github-app-token@v1
  id: app-token
  with:
    app_id: ${{ vars.APP_ID }}
    private_key: ${{ secrets.PRIVATE_KEY }}
    repositories: orgA/repoA, orgB/repoB

- uses: actions/checkout@v4
  with:
    repository: 'orgA/repoA'
    token: ${{ steps.app-token.outputs.token }}

- uses: actions/checkout@v4
  with:
    repository: 'orgB/repoB'
    token: ${{ steps.app-token.outputs.token }}
# Checkout the current repository which has orgA/repoA and orgB/repoB as submodule

- uses: actions/create-github-app-token@v1
  id: app-token
  with:
    app_id: ${{ vars.APP_ID }}
    private_key: ${{ secrets.PRIVATE_KEY }}
    repositories: ${{ github.repository }}, orgA/repoA, orgB/repoB

- uses: actions/checkout@v4
  with:
    submodules: true
    token: ${{ steps.app-token.outputs.token }}

Unfortunately, an installation access token can by design only access a single account (GitHub user or organization account). There cannot be a single token that has access across multiple organizations.

But I've run into this requirement before and I see a possible workaround that would require an additional action and the use of matrix.

  1. Say there was an action like actions/get-app-installation-ids, it would take app_id and private_key as arguments, and optionally a list of logins to filter down the installations. The action would have installation_ids and installation_logins outputs.
  2. That output could be used to dynamically set strategy.matrix in a second job, so all steps would be run for each of the installation IDs
  3. In the second job, actions/create-github-app-token could be used to create an installation access token for that particular installation

I'm however not sure how we could filter down to specific repositories across multiple organizations. I'd need to experiment myself to see what's possible. Maybe the actions/get-app-installation-ids could take an argument like you suggest (say repositories: orgA/repoA, orgA/repoB, orgB/repoC) and then have a nested output like this: [["orgA", "repoA, repoB"],["orgB", "repoC"]] which we could iterate through using the matrix and then split out the items like ["orgA", "repoA, repoB"] into owner: orgA, repositories: repoA, repoB
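
The grouping step of that workaround, as an added example (not code from this action, and actions/get-app-installation-ids is only a hypothetical action in the thread above): an owner/repo list like the one suggested is split into one matrix entry per account, because an installation token can only ever cover one owner, and each entry carries exactly the owner and repositories inputs that create-github-app-token needs in the second job. Bare repository names without an owner are assumed to belong to defaultOwner (the current repository owner); that fallback and the `{ include: [...] }` matrix shape are this example's choices.

```javascript
// Parse the comma-separated list ("orgA/repoA, orgA/repoB, orgB/repoC") into
// one entry per owner: { owner, repositories }, with repositories already in
// the comma-separated form the action's input accepts.
function groupRepositoriesByOwner(input, defaultOwner) {
  const byOwner = new Map(); // Map keeps first-seen order, so matrix order is predictable
  for (const raw of input.split(",")) {
    const entry = raw.trim();
    if (entry === "") continue; // tolerate trailing commas and blank items
    const slash = entry.indexOf("/");
    let owner, repo;
    if (slash === -1) {
      owner = defaultOwner; // assumption: bare names mean the current owner
      repo = entry;
    } else {
      owner = entry.slice(0, slash);
      repo = entry.slice(slash + 1);
    }
    if (!owner || !repo || repo.includes("/")) {
      throw new Error(`malformed repository entry "${entry}"`);
    }
    if (!byOwner.has(owner)) byOwner.set(owner, []);
    const repos = byOwner.get(owner);
    if (!repos.includes(repo)) repos.push(repo); // drop duplicates
  }
  if (byOwner.size === 0) throw new Error("no repositories given");
  return [...byOwner].map(([owner, repos]) => ({ owner, repositories: repos.join(",") }));
}

// JSON a first job can emit as an output; the second job consumes it with
// strategy.matrix: ${{ fromJSON(needs.<job>.outputs.matrix) }} and passes
// matrix.owner / matrix.repositories to create-github-app-token.
function toMatrix(entries) {
  return JSON.stringify({ include: entries });
}
```

The token created in the second job is then scoped to one owner and the repositories listed for it, which is the narrowest grant that still covers every repository in the list.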

Clarify expiration of created token

Sorry if this is already covered.

How long is a token created by create-github-app-token expected to last? It appears that it only lasts 1 hour so our longer Conan builds start failing to fetch repositories after 1 hour.

Is this customizable?

post-action warning on revoke failure in case token already expired

I'm seeing the following warning in the post job cleanup step:

Post job cleanup.
Warning: Token revocation failed: Bad credentials - https://docs.github.com/rest

Probably because the token was already invalidated, because the job took more than 1h to run (see #121).

No issue here other than there shouldn't be any warning in this case.

Why a new action and not a fork / move of an existing one?

Hi folks, I wanted to reach out to you on this action, seems like this is duplicating the effort of @peter-murray's excellent Action for just the same thing. I'd either expect a move of Peter's repo or a fork, instead of a rewrite. Peter's action has been the go-to for several years now, and already has features like:

  • only request a token for specific scopes
  • request a token for a different organization
  • token in another instance (GHES to GHEC for example, and any combination of the two)

Last time I checked Peter still works at GitHub, so communication should flow for this :-D.

cannot set proxy for a workflow

Hi, it seems that this action does not respect the env proxy settings and you cannot set https_proxy for this workflow.
It prevents running on self-hosted runners.
Warning: Unexpected input(s) 'https_proxy', valid inputs are ['app-id', 'app_id', 'private-key', 'private_key', 'owner', 'repositories', 'skip-token-revoke', 'skip_token_revoke', 'github-api-url']

Description for owner input is confusing

I'm looking to migrate to this action from peter-murray/workflow-application-token-action (currently waiting on #111 for feature parity) and I found the documentation for the owner input confusing:

owner:
  description: "GitHub App owner (defaults to current repository owner)"
  required: false

To me, the documentation implies that this should be the owner of the GitHub app itself, whereas if you trace through the code it's actually the owner for which the GitHub app is installed (i.e. the place you want to give the app access to).

// https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-an-organization-installation-for-the-authenticated-app
const response = await request("GET /orgs/{org}/installation", {
  org: parsedOwner,
  request: {
    hook: auth.hook,
  },
}).catch((error) => {
  /* c8 ignore next */
  if (error.status !== 404) throw error;
  // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app
  return request("GET /users/{username}/installation", {
    username: parsedOwner,
    request: {
      hook: auth.hook,
    },
  });
});

Log rate limit status

I'm not sure if it would be worth making a dedicated request to https://api.github.com/rate_limit in this action to fetch this info, but I am assuming the API calls for token issuance/revocation return the usual rate limit headers? If so it would be nice to log these so that users can see the value of x-ratelimit-remaining for the authenticated app.

Feature suggestion: Log the x-github-request-id

Would be nice if there was some way of logging the x-github-request-id header.

It would be helpful to have this in cases where the attempt to get a token from app/installations/<installation_id>/access_tokens fails with a "Network Error" where it fails to reach api.github.com for some reason versus any case when GitHub.com is responding with an error.

AWS Systems Manager (Parameter Store)

Hello team,
I'm using the create-github-app-token action to generate a token and I'm able to generate the token successfully. But I want to store the token generated by the create-github-app-token action in AWS Systems Manager (Parameter Store) and access the GitHub REST API from Parameter Store.

When I perform the step that I mentioned above I can see this output

{
    "message": "Bad credentials",
    "documentation_url": "https://docs.github.com/rest"
}

It seems the stored token in AWS SSM is not correct.
When I use the GitHub REST API in GitHub Actions and use the generated token from the create-github-app-token action, it works.
Can you help me with why I'm not able to use the stored token with the GitHub REST API in different clients like Postman?

Do not attempt to revoke token if it already expired

When the steps after creating the app token take more than one hour, revoking the token in the post step of the job fails with 401 Bad credentials.

logs
2023-11-03T08:17:49.8021984Z ##[group]Run actions/create-github-app-token@v1
2023-11-03T08:17:49.8022321Z with:
2023-11-03T08:17:49.8022568Z   app-id: ***
2023-11-03T08:17:49.8029074Z   private-key: ***
**2023-11-03T08:17:49**.8029317Z   owner: 

**Other jobs running for around 3 hrs**
Error in post job cleanup 

**2023-11-03T11:28:30**.0046013Z Post job cleanup.
2023-11-03T11:28:30.0195545Z Post job cleanup.
2023-11-03T11:28:30.3211228Z RequestError [HttpError]: Bad credentials
2023-11-03T11:28:30.3233502Z ##[error]Bad credentials
2023-11-03T11:28:30.3234665Z     at C:\actions-runner\_work\_actions\actions\create-github-app-token\v1\dist\post.cjs:2890:25
2023-11-03T11:28:30.3235686Z     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2023-11-03T11:28:30.3237018Z     at async post (C:\actions-runner\_work\_actions\actions\create-github-app-token\v1\dist\post.cjs:2996:3) {
2023-11-03T11:28:30.3237833Z   status: 401,
2023-11-03T11:28:30.3238145Z   response: {
2023-11-03T11:28:30.3238651Z     url: 'https://api.github.com/installation/token',
2023-11-03T11:28:30.3239157Z     status: 401,
2023-11-03T11:28:30.3239481Z     headers: {
2023-11-03T11:28:30.3239914Z       'access-control-allow-origin': '*',
2023-11-03T11:28:30.3242327Z       'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
2023-11-03T11:28:30.3244679Z       'content-length': '80',
2023-11-03T11:28:30.3245298Z       'content-security-policy': "default-src 'none'",
2023-11-03T11:28:30.3245984Z       'content-type': 'application/json; charset=utf-8',
2023-11-03T11:28:30.3246616Z       date: 'Fri, 03 Nov 2023 11:28:30 GMT',
2023-11-03T11:28:30.3247427Z       'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
2023-11-03T11:28:30.3248174Z       server: 'GitHub.com',
2023-11-03T11:28:30.3248880Z       'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
2023-11-03T11:28:30.3249999Z       vary: 'Accept-Encoding, Accept, X-Requested-With',
2023-11-03T11:28:30.3250499Z       'x-content-type-options': 'nosniff',
2023-11-03T11:28:30.3250879Z       'x-frame-options': 'deny',
2023-11-03T11:28:30.3251281Z       'x-github-media-type': 'github.v3; format=json',
2023-11-03T11:28:30.3251806Z       'x-github-request-id': 'XXXXXXXXXXXXXXXXXXXXXXX
2023-11-03T11:28:30.3252248Z       'x-ratelimit-limit': '60',
2023-11-03T11:28:30.3252595Z       'x-ratelimit-remaining': '60',
2023-11-03T11:28:30.3253035Z       'x-ratelimit-reset': '1699014510',
2023-11-03T11:28:30.3253398Z       'x-ratelimit-resource': 'core',
2023-11-03T11:28:30.3253751Z       'x-ratelimit-used': '0',
2023-11-03T11:28:30.3254131Z       'x-xss-protection': '0'
2023-11-03T11:28:30.3254397Z     },
2023-11-03T11:28:30.3254601Z     data: {
2023-11-03T11:28:30.3259781Z       message: 'Bad credentials',
2023-11-03T11:28:30.3260135Z       documentation_url: 'https://docs.github.com/rest'
2023-11-03T11:28:30.3260442Z     }
2023-11-03T11:28:30.3260614Z   },
2023-11-03T11:28:30.3260784Z   request: {
2023-11-03T11:28:30.3261004Z     method: 'DELETE',
2023-11-03T11:28:30.3261311Z     url: 'https://api.github.com/installation/token',
2023-11-03T11:28:30.3261614Z     headers: {
2023-11-03T11:28:30.3261884Z       accept: 'application/vnd.github.v3+json',
2023-11-03T11:28:30.3262256Z       'user-agent': 'actions/create-github-app-token',
2023-11-03T11:28:30.3262703Z       authorization: 'token [REDACTED]'
2023-11-03T11:28:30.3262956Z     }
2023-11-03T11:28:30.3263119Z   }
2023-11-03T11:28:30.3263277Z }
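
The three reports above (the token expiring after exactly one hour, and the post-job cleanup failing with 401 Bad credentials once it has) share one fact: the access-token response carries an expires_at timestamp, so whether revocation can still succeed is known before the DELETE is sent. The following is an added example (not the action's post step) of a cleanup that consults expires_at and skips the revocation call for an expired token instead of reporting a failure. The sample token response is constructed from the timestamps in the log above, the token value is a placeholder, and deleteRequest is an injected stand-in for the HTTP client so the logic runs offline; the real call is DELETE https://api.github.com/installation/token authenticated with the installation token itself.

```javascript
// Constructed sample of the POST /app/installations/{id}/access_tokens body
// as the action received it at 08:17:49Z in the log above. Placeholder token.
const sampleTokenResponse = {
  token: "ghs_PLACEHOLDER000000000000000000000000",
  expires_at: "2023-11-03T09:17:49Z",
};

// Seconds until the installation token expires; negative once it already has.
function secondsUntilExpiry(expiresAt, now) {
  const exp = Date.parse(expiresAt);
  if (Number.isNaN(exp)) throw new Error("expires_at is not an ISO 8601 timestamp");
  return Math.floor((exp - now.getTime()) / 1000);
}

// Post-job cleanup. deleteRequest(url, headers) -> { status } is the injected
// HTTP client (an assumption of this example). A token past expires_at cannot
// be revoked, GitHub answers 401, so the request is skipped and the reason
// returned for the log rather than surfaced as a warning.
function revokeIfStillValid(tokenResponse, deleteRequest, now = new Date()) {
  const left = secondsUntilExpiry(tokenResponse.expires_at, now);
  if (left <= 0) {
    return { revoked: false, skipped: true, reason: `token expired ${-left} s ago, nothing to revoke` };
  }
  const res = deleteRequest("https://api.github.com/installation/token", {
    accept: "application/vnd.github.v3+json",
    authorization: "token " + tokenResponse.token,
  });
  if (res.status === 204) return { revoked: true, skipped: false };
  // 401 here means GitHub no longer recognises the token (revoked elsewhere,
  // or expired between the check and the call); anything else is a real failure.
  return { revoked: false, skipped: false, reason: `revocation failed with HTTP ${res.status}` };
}

// Offline stand-in for the API: records every call and answers 204 while the
// token is within its lifetime, 401 Bad credentials afterwards.
function fakeGithubApi(expiresAt, clock) {
  const calls = [];
  const deleteRequest = (url, headers) => {
    calls.push({ url, authorization: headers.authorization });
    const valid = Date.parse(expiresAt) > clock().getTime();
    return { status: valid ? 204 : 401 };
  };
  return { deleteRequest, calls };
}
```

The same secondsUntilExpiry value is worth logging right after the token is created: a job that is expected to run longer than that number of seconds will lose its credential part-way through, which is the failure mode the workflow-dispatch report above hit after exactly one hour.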

Improve documentation in README.md about app creation step

My company is going to be installing this action once per organization in order to get submodules to work. I would really like to be able to point them to https://github.com/actions/create-github-app-token for the documentation, but step 1 is not very clear and I am worried that people will get confused about what permissions to request.

I am wondering, can you expand upon step 1 which says:

Register new GitHub App

Option 1 would be to list which settings we are supposed to check and uncheck, as well as which permissions we should be requesting.
Option 2 would be to follow the example of GitHub ARC in https://github.com/actions/actions-runner-controller/blob/master/docs/authenticating-to-the-github-api.md which actually provides two useful links that prepopulate various settings:

Using GitHub ARC, it was really cool to be able to click one link and have it prepopulate the settings that it thinks I'll need.

Support tokens with access to custom repositories and user/organization accounts

The use cases we want to cover are

  1. By default, create a token scoped to the current repository
  2. Allow scoping to a set of repositories by name for the current owner
  3. Allow scoping to a different owner (all installation repositories)
  4. Allow scoping to a set of repositories by name for a different owner

Our API idea is

      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app_id: ${{ vars.APP_ID }}
          private_key: ${{ secrets.PRIVATE_KEY }}
          owner: some-owner
          repositories: some-repo1,some-repo2

Both owner and repositories would be optional, and one can be set to the other. owner defaults to the current repository owner, and repositories defaults to the current repository name.

Bug: Cannot get repo

Hi All,

I am setting up a github bot for use with github actions, but it cannot access the repos API endpoint.

Here are the permissions that the bot is set to (way too permissive, I know, but I am just testing).

[Screenshot: GitHub Apps - GedBot - github.com]

Here is my test action workflow

name: "test_gh_api"

on:
  workflow_dispatch:
  push:

permissions:
  id-token: write
  contents: write
  pull-requests: write
  packages: write
  actions: write
  checks: write


jobs:

  call_api:
    name: "Call GH API"
    runs-on: ubuntu-latest

    steps:
      - name: Generate GedBot token
        id: generate_token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.GEDBOT_APP_ID }}
          private-key: ${{ secrets.GEDBOT_PRIVATE_KEY }}

      - name: Checkout the code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ steps.generate_token.outputs.token }}

      - name: Test GH API
        env:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
          echo "Running curl"
          curl --request GET \
            --header "Accept: application/vnd.github+json" \
            --header "Authorization: Bearer GITHUB_TOKEN" \
            --header "X-GitHub-Api-Version: 2022-11-28" \
            --url "https://api.github.com/repos/geddesfamily/estate-config"
          echo "Running GH CLI"
          gh api repos/geddesfamily/estate-config
          gh api repos/geddesfamily/estate-config/branches

I can confirm that geddesfamily/estate-config does exist.

This returns


Run echo "Running curl"
Running curl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
{
100    90  100    90    0     0   1437      0 --:--:-- --:--:-- --:--:--  1451
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest"
}
Running GH CLI
gh: Not Found (HTTP 404)
{"message":"Not Found","documentation_url":"https://docs.github.com/rest/repos/repos#get-a-repository"}
Error: Process completed with exit code 1.

I feel like this covers all bases to mitigate the risk of the problem being caused by my idiocy, however it is always a possibility!

Is this a bug in the token gen step?
