actions / create-github-app-token

GitHub Action for creating a GitHub App Installation Access Token
https://github.com/marketplace/actions/create-github-app-token
MIT License

Support opting-out of token revocation #55

Closed smockle closed 11 months ago

smockle commented 11 months ago

Relates to https://github.com/actions/create-github-app-token/pull/54

Current behavior

From https://github.com/actions/create-github-app-token/pull/54:

Currently, actions/create-github-app-token always/unconditionally revokes the installation access token in a post step, at the completion of the current job. This prevents tokens from being used in other jobs.

Use case

My team runs workflows that retrieve tokens for multiple hosts and multiple orgs.

As detailed in https://github.com/github/accessibility/discussions/4438 (only accessible to Hubbers), we use environment secrets to keep secrets (e.g. app id, installation id, and private key) organized.

Since individual steps cannot access an arbitrary environment’s secrets (i.e. there is no jobs.<job_id>.steps[*].environment), we use multiple jobs, one job per environment.

After we obtain a token using a given environment’s secrets, it’s encrypted and then made available to a subsequent job. However, if the token is revoked at the completion of the job that retrieves it, then the next job can’t use it.

Proposed behavior

actions/create-github-app-token should support opting-out of revocation. This could be accomplished by introducing a new input, e.g. revoke: ("true"|"false"), as in https://github.com/actions/create-github-app-token/pull/54.

gr2m commented 11 months ago

Thanks for sharing the use case, makes total sense!
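The multi-job handoff described in the issue, sketched as an added example that is not part of the original thread or the project's own code. It uses the `revoke` input name proposed in the issue (check the action's README for the input it actually ships); the environment name, the secret names and the repository-level `HANDOFF_KEY` secret are assumptions, and the last step revokes the token explicitly because the action no longer does.

```yaml
# Added illustration; names marked "assumed" are not from the issue.
name: token-handoff
on: workflow_dispatch
jobs:
  get-token:
    runs-on: ubuntu-latest
    environment: org-a                             # assumed environment name
    outputs:
      encrypted_token: ${{ steps.encrypt.outputs.encrypted_token }}
    steps:
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}            # environment secret (assumed name)
          private-key: ${{ secrets.PRIVATE_KEY }}  # environment secret (assumed name)
          revoke: "false"                          # input name as proposed in this issue
      - id: encrypt
        env:
          TOKEN: ${{ steps.app-token.outputs.token }}
          HANDOFF_KEY: ${{ secrets.HANDOFF_KEY }}  # assumed repository-level secret
        run: |
          # Job outputs that contain a masked secret are dropped, so pass ciphertext.
          enc=$(printf '%s' "$TOKEN" | openssl enc -aes-256-cbc -pbkdf2 -a -A -pass env:HANDOFF_KEY)
          echo "encrypted_token=$enc" >> "$GITHUB_OUTPUT"

  use-token:
    needs: get-token
    runs-on: ubuntu-latest
    steps:
      - name: Decrypt and mask the token
        env:
          ENC: ${{ needs.get-token.outputs.encrypted_token }}
          HANDOFF_KEY: ${{ secrets.HANDOFF_KEY }}
        run: |
          token=$(echo "$ENC" | openssl enc -d -aes-256-cbc -pbkdf2 -a -A -pass env:HANDOFF_KEY)
          echo "::add-mask::$token"                # this runner has not seen the value before
          echo "GH_TOKEN=$token" >> "$GITHUB_ENV"
      - name: Use the token
        run: gh api /installation/repositories --jq '.total_count'
      - name: Revoke explicitly, since the action did not
        if: always()
        run: gh api --method DELETE /installation/token
```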