Defer revocation to separate job.

It would be great to have an explicit possibility to revoke GH_TOKEN in a separate step/job.

Example workflow:

---
on:
  push:
    branches:
      - main

jobs:
  get_token:
    name: GitHub Token
    runs-on: ubuntu-latest
    outputs:
      github_token: ${{ steps.get_workflow_token.outputs.token }}
      # NEW as an example:
      github_token_id: ${{ steps.get_workflow_token.outputs.token_id }}
    steps:
      - name: Get Token
        id: get_workflow_token
        uses: actions/create-github-app-token@v1.9.0
        with:
          application_id: ${{ vars.TEST_APP_ID }}
          application_private_key: ${{ secrets.TEST_APP_PRIV_KEY }}
          revoke_token: false

  terraform:
    name: Terraform
    needs: get_token
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ needs.get_token.outputs.github_token }}

    steps:
      - name: Checkout the repository to the runner
        uses: actions/checkout@v4

      (...)

      - name: Terraform plan
        id: plan
        run: terraform plan -no-color -input=false

  # NEW as an example:
  revoke_token:
    name: Revoke GitHub Token
    needs: 
      - get_token
      - terraform
    runs-on: ubuntu-latest
    steps:
      - name: Revoke Token
        id: revoke_workflow_token
        uses: actions/create-github-app-token@v1.9.0
        with:
          github_token_to_revoke: ${{ needs.get_token.outputs.github_token_id }}
          revoke_token: true

actions / create-github-app-token

Defer revocation to separate job. #117