Add support for using GitHub app with automatic token refresh

uroshercog · uroshercog · commit 6be56a45c401 · 2025-01-23T09:56:39.000+01:00
diff --git a/action.yaml b/action.yaml
@@ -6,8 +6,14 @@ inputs:
     description: 'Name or ID of workflow to run'
     required: true
   token:
-    description: 'GitHub token with repo write access, can NOT use secrets.GITHUB_TOKEN, see readme'
-    required: true
+    description: 'GitHub token with repo write access, can NOT use secrets.GITHUB_TOKEN, see README.md. If not provided, app_id and app_private_key must be provided. If token is set it takes precedence over app_id and app_private_key.'
+    required: false
+  app_id:
+    description: 'GitHub App ID with access to Actions API.'
+    required: false
+  app_private_key:
+    description: 'GitHub App Private Key of the app with access to Actions API.'
+    required: false
   inputs:
     description: 'Inputs to pass to the workflow, must be a JSON string. All values must be strings (even if used as boolean or number)'
     required: false
diff --git a/dist/index.js b/dist/index.js
diff --git a/package.json b/package.json
@@ -24,5 +24,9 @@
     "@vercel/ncc": "0.38.1",
     "eslint": "8.57.0",
     "typescript": "5.4.5"
+  },
+  "dependencies": {
+    "@octokit/auth-app": "^7.1.4",
+    "@octokit/rest": "^21.1.0"
   }
 }
diff --git a/src/main.ts b/src/main.ts
@@ -6,12 +6,13 @@
 // ----------------------------------------------------------------------------
 
 import * as core from '@actions/core'
+import {createAppAuth} from '@octokit/auth-app'
+import {Octokit} from '@octokit/rest'
 import { formatDuration, getArgs, isTimedOut, sleep } from './utils'
 import { WorkflowHandler, WorkflowRunConclusion, WorkflowRunResult, WorkflowRunStatus } from './workflow-handler'
 import { handleWorkflowLogsPerJob } from './workflow-logs-handler'
 
 
-
 async function getFollowUrl(workflowHandler: WorkflowHandler, interval: number, timeout: number) {
   const start = Date.now()
   let url
@@ -60,22 +61,63 @@ function computeConclusion(start: number, waitForCompletionTimeout: number, resu
   if (conclusion === WorkflowRunConclusion.TIMED_OUT) throw new Error('Workflow run has failed due to timeout')
 }
 
-async function handleLogs(args: any, workflowHandler: WorkflowHandler) {
+async function handleLogs(octokit: Octokit, args: any, workflowHandler: WorkflowHandler) {
   try {
     const workflowRunId = await workflowHandler.getWorkflowRunId()
-    await handleWorkflowLogsPerJob(args, workflowRunId)
+    await handleWorkflowLogsPerJob(octokit, args, workflowRunId)
   } catch(e: any) {
     core.error(`Failed to handle logs of triggered workflow. Cause: ${e}`)
   }
 }
 
+async function setupOctokit(token: string, appId: string, appPrivateKey: string):Promise<Octokit> {
+  if(token) {
+    return new Octokit({
+      auth: token
+    })
+  }
+
+  return setupGitHubAppOctokit(appId, appPrivateKey)
+}
+
+async function setupGitHubAppOctokitClient(appId: string, privateKey: string, installationId?: any):Promise<Octokit> {
+  const auth : any = {
+    appId,
+    privateKey,
+  }
+
+  if(installationId) {
+    auth.installationId = installationId
+  }
+
+  return new Octokit({
+    authStrategy: createAppAuth,
+    auth,
+  })
+}
+
+async function setupGitHubAppOctokit(appId: string, privateKey: string):Promise<Octokit> {
+  const octokit = await setupGitHubAppOctokitClient(appId, privateKey)
+
+  const installations = await octokit.apps.listInstallations()
+  const installationId = installations.data[0].id
+
+  core.info(`Using installationId=${installationId}`)
+
+  // Recreate octokit with installationId which results in
+  // auto refresh of the token.
+  return setupGitHubAppOctokitClient(appId, privateKey, installationId)
+}
+
 //
 // Main task function (async wrapper)
 //
 async function run(): Promise<void> {
   try {
     const args = getArgs()
-    const workflowHandler = new WorkflowHandler(args.token, args.workflowRef, args.owner, args.repo, args.ref, args.runName)
+
+    const octokit = await setupOctokit(args.token, args.appId, args.appPrivateKey)
+    const workflowHandler = new WorkflowHandler(octokit, args.workflowRef, args.owner, args.repo, args.ref, args.runName)
 
     // Trigger workflow run
     await workflowHandler.triggerWorkflow(args.inputs)
@@ -94,7 +136,7 @@ async function run(): Promise<void> {
     core.info('Waiting for workflow completion')
     const { result, start } = await waitForCompletionOrTimeout(workflowHandler, args.checkStatusInterval, args.waitForCompletionTimeout)
 
-    await handleLogs(args, workflowHandler)
+    await handleLogs(octokit, args, workflowHandler)
 
     core.setOutput('workflow-id', result?.id)
     core.setOutput('workflow-url', result?.url)
diff --git a/src/utils.ts b/src/utils.ts
@@ -30,6 +30,13 @@ function parse(inputsJson: string) {
 export function getArgs() {
   // Required inputs
   const token = core.getInput('token')
+  const appId = core.getInput('app_id')
+  const appPrivateKey = core.getInput('app_private_key')
+
+  if (!token && (!appId || !appPrivateKey)) {
+    throw new Error('Either token or app_id and app_private_key must be provided')
+  }
+
   const workflowRef = core.getInput('workflow')
   // Optional inputs, with defaults
   const ref = core.getInput('ref')   || github.context.ref
@@ -54,6 +61,8 @@ export function getArgs() {
 
   return {
     token,
+    appId,
+    appPrivateKey,
     workflowRef,
     ref,
     owner,
diff --git a/src/workflow-handler.ts b/src/workflow-handler.ts
@@ -1,6 +1,5 @@
 
 import * as core from '@actions/core'
-import * as github from '@actions/github'
 import { debug } from './debug'
 
 export enum WorkflowRunStatus {
@@ -44,19 +43,17 @@ export interface WorkflowRunResult {
 
 
 export class WorkflowHandler {
-  private octokit: any
   private workflowId?: number | string
   private workflowRunId?: number
   private triggerDate = 0
 
-  constructor(token: string,
+  constructor(
+    private octokit: any,
     private workflowRef: string,
     private owner: string,
     private repo: string,
     private ref: string,
     private runName: string) {
-    // Get octokit client for making API calls
-    this.octokit = github.getOctokit(token)
   }
 
   async triggerWorkflow(inputs: any) {
@@ -216,5 +213,4 @@ export class WorkflowHandler {
     })))
   }
 
-}
-
+}
diff --git a/src/workflow-logs-handler.ts b/src/workflow-logs-handler.ts
@@ -1,5 +1,5 @@
 import * as core from '@actions/core'
-import * as github from '@actions/github'
+import {Octokit} from '@octokit/rest'
 import { debug } from './debug'
 
 interface JobInfo {
@@ -8,9 +8,8 @@ interface JobInfo {
 }
 
 
-export async function handleWorkflowLogsPerJob(args: any, workflowRunId: number): Promise<void> {
+export async function handleWorkflowLogsPerJob(octokit: Octokit, args: any, workflowRunId: number): Promise<void> {
   const mode = args.workflowLogMode
-  const token = args.token
   const owner = args.owner
   const repo = args.repo
 
@@ -19,7 +18,6 @@ export async function handleWorkflowLogsPerJob(args: any, workflowRunId: number)
     return
   }
 
-  const octokit = github.getOctokit(token)
   const runId = workflowRunId
   const response = await octokit.rest.actions.listJobsForWorkflowRun({
     owner: owner,
diff --git a/yarn.lock b/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -24,5 +24,9 @@`
`24`	`24`	`"@vercel/ncc": "0.38.1",`
`25`	`25`	`"eslint": "8.57.0",`
`26`	`26`	`"typescript": "5.4.5"`
	`27`	`+ },`
	`28`	`+ "dependencies": {`
	`29`	`+ "@octokit/auth-app": "^7.1.4",`
	`30`	`+ "@octokit/rest": "^21.1.0"`
`27`	`31`	`}`
`28`	`32`	`}`