feat: Add a 'revoke' input for configuring token revocation

Author: smockle

README.md

@@ -145,6 +145,10 @@ jobs:
 > [!NOTE]
 > If `owner` is set and `repositories` is empty, access will be scoped to all repositories in the provided repository owner's installation. If `owner` and `repositories` are empty, access will be scoped to only the current repository.
 
+### `revoke`
+
+**Optional:** Whether to revoke the token when the current job is complete. Default: `"true"`.
+
 ## Outputs
 
 ### `token`
@@ -158,7 +162,7 @@ The action creates an installation access token using [the `POST /app/installati
 1. The token is scoped to the current repository or `repositories` if set.
 2. The token inherits all the installation's permissions.
 3. The token is set as output `token` which can be used in subsequent steps.
-4. The token is revoked in the `post` step of the action, which means it cannot be passed to another job.
+4. Unless `revoke: "false"` is set, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
 5. The token is masked, it cannot be logged accidentally.
 
 > [!NOTE]

action.yml

@@ -17,6 +17,10 @@ inputs:
   repositories:
     description: "Repositories to install the GitHub App on (defaults to current repository if owner is unset)"
     required: false
+  revoke:
+    description: "Whether to revoke the token when the current job is complete"
+    required: false
+    default: "true"
 outputs:
   token:
     description: "GitHub installation access token"

lib/main.js

@@ -8,6 +8,7 @@
  * @param {import("@actions/core")} core
  * @param {import("@octokit/auth-app").createAppAuth} createAppAuth
  * @param {import("@octokit/request").request} request
+ * @param {boolean} revoke
  */
 export async function main(
   appId,
@@ -16,7 +17,8 @@ export async function main(
   repositories,
   core,
   createAppAuth,
-  request
+  request,
+  revoke
 ) {
   let parsedOwner = "";
   let parsedRepositoryNames = "";
@@ -122,5 +124,7 @@ export async function main(
   core.setOutput("token", authentication.token);
 
   // Make token accessible to post function (so we can invalidate it)
-  core.saveState("token", authentication.token);
+  if (revoke) {
+    core.saveState("token", authentication.token);
+  }
 }

lib/post.js

@@ -5,6 +5,13 @@
  * @param {import("@octokit/request").request} request
  */
 export async function post(core, request) {
+  const revoke = core.getInput("revoke") === "true";
+
+  if (!revoke) {
+    core.info("Token revocation was skipped");
+    return;
+  }
+
   const token = core.getState("token");
 
   if (!token) {

main.js

@@ -19,6 +19,8 @@ const privateKey = core.getInput("private_key");
 const owner = core.getInput("owner");
 const repositories = core.getInput("repositories");
 
+const revoke = core.getInput("revoke") === "true";
+
 main(
   appId,
   privateKey,
@@ -28,7 +30,8 @@ main(
   createAppAuth,
   request.defaults({
     baseUrl: process.env["GITHUB_API_URL"],
-  })
+  }),
+  revoke
 ).catch((error) => {
   console.error(error);
   core.setFailed(error.message);

tests/README.md

@@ -6,7 +6,7 @@ Add one test file per scenario. You can run them in isolation with:
 node tests/post-token-set.test.js
 ```
 
-All tests are run together in [tests/index.js](index.js), which can be execauted with ava
+All tests are run together in [tests/index.js](index.js), which can be executed with ava
 
 ```
 npx ava tests/index.js

tests/post-token-set.test.js

@@ -4,6 +4,10 @@ import { MockAgent, setGlobalDispatcher } from "undici";
 // https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
 process.env.STATE_token = "secret123";
 
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env.INPUT_REVOKE = "true";
+
 const mockAgent = new MockAgent();
 
 setGlobalDispatcher(mockAgent);

tests/post-token-skipped.test.js

@@ -0,0 +1,29 @@
+import { MockAgent, setGlobalDispatcher } from "undici";
+
+// state variables are set as environment variables with the prefix STATE_
+// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
+process.env.STATE_token = "secret123";
+
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env.INPUT_REVOKE = "false";
+
+const mockAgent = new MockAgent();
+
+setGlobalDispatcher(mockAgent);
+
+// Provide the base url to the request
+const mockPool = mockAgent.get("https://api.github.com");
+
+// intercept the request
+mockPool
+  .intercept({
+    path: "/installation/token",
+    method: "DELETE",
+    headers: {
+      authorization: "token secret123",
+    },
+  })
+  .reply(204);
+
+await import("../post.js");

tests/post-token-unset.test.js

@@ -2,4 +2,8 @@
 // https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
 delete process.env.STATE_token;
 
+// inputs are set as environment variables with the prefix INPUT_
+// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
+process.env.INPUT_REVOKE = "true";
+
 await import("../post.js");

tests/snapshots/index.js.md

@@ -14,6 +14,16 @@ Generated by [AVA](https://avajs.dev).
 
     'Token revoked'
 
+## post-token-skipped.test.js
+
+> stderr
+
+    ''
+
+> stdout
+
+    'Token revocation was skipped'
+
 ## post-token-unset.test.js
 
 > stderr