actions / create-github-app-token

GitHub Action for creating a GitHub App Installation Access Token
https://github.com/marketplace/actions/create-github-app-token
MIT License

Do not attempt to revoke token if it already expired #72

Closed mithunpandey closed 7 months ago

mithunpandey commented 10 months ago

When the steps after creating the app token take more than one hour, revoking the token in the post step of the job fails with 401 Bad credentials.

logs

```
2023-11-03T08:17:49.8021984Z ##[group]Run actions/create-github-app-token@v1
2023-11-03T08:17:49.8022321Z with:
2023-11-03T08:17:49.8022568Z app-id: ***
2023-11-03T08:17:49.8029074Z private-key: ***
**2023-11-03T08:17:49**.8029317Z owner:
**Other jobs running for around 3 hrs**
Error in post job cleanup
**2023-11-03T11:28:30**.0046013Z Post job cleanup.
2023-11-03T11:28:30.0195545Z Post job cleanup.
2023-11-03T11:28:30.3211228Z RequestError [HttpError]: Bad credentials
2023-11-03T11:28:30.3233502Z ##[error]Bad credentials
2023-11-03T11:28:30.3234665Z at C:\actions-runner\_work\_actions\actions\create-github-app-token\v1\dist\post.cjs:2890:25
2023-11-03T11:28:30.3235686Z at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2023-11-03T11:28:30.3237018Z at async post (C:\actions-runner\_work\_actions\actions\create-github-app-token\v1\dist\post.cjs:2996:3) {
2023-11-03T11:28:30.3237833Z status: 401,
2023-11-03T11:28:30.3238145Z response: {
2023-11-03T11:28:30.3238651Z url: 'https://api.github.com/installation/token',
2023-11-03T11:28:30.3239157Z status: 401,
2023-11-03T11:28:30.3239481Z headers: {
2023-11-03T11:28:30.3239914Z 'access-control-allow-origin': '*',
2023-11-03T11:28:30.3242327Z 'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
2023-11-03T11:28:30.3244679Z 'content-length': '80',
2023-11-03T11:28:30.3245298Z 'content-security-policy': "default-src 'none'",
2023-11-03T11:28:30.3245984Z 'content-type': 'application/json; charset=utf-8',
2023-11-03T11:28:30.3246616Z date: 'Fri, 03 Nov 2023 11:28:30 GMT',
2023-11-03T11:28:30.3247427Z 'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
2023-11-03T11:28:30.3248174Z server: 'GitHub.com',
2023-11-03T11:28:30.3248880Z 'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
2023-11-03T11:28:30.3249999Z vary: 'Accept-Encoding, Accept, X-Requested-With',
2023-11-03T11:28:30.3250499Z 'x-content-type-options': 'nosniff',
2023-11-03T11:28:30.3250879Z 'x-frame-options': 'deny',
2023-11-03T11:28:30.3251281Z 'x-github-media-type': 'github.v3; format=json',
2023-11-03T11:28:30.3251806Z 'x-github-request-id': 'XXXXXXXXXXXXXXXXXXXXXXX
2023-11-03T11:28:30.3252248Z 'x-ratelimit-limit': '60',
2023-11-03T11:28:30.3252595Z 'x-ratelimit-remaining': '60',
2023-11-03T11:28:30.3253035Z 'x-ratelimit-reset': '1699014510',
2023-11-03T11:28:30.3253398Z 'x-ratelimit-resource': 'core',
2023-11-03T11:28:30.3253751Z 'x-ratelimit-used': '0',
2023-11-03T11:28:30.3254131Z 'x-xss-protection': '0'
2023-11-03T11:28:30.3254397Z },
2023-11-03T11:28:30.3254601Z data: {
2023-11-03T11:28:30.3259781Z message: 'Bad credentials',
2023-11-03T11:28:30.3260135Z documentation_url: 'https://docs.github.com/rest'
2023-11-03T11:28:30.3260442Z }
2023-11-03T11:28:30.3260614Z },
2023-11-03T11:28:30.3260784Z request: {
2023-11-03T11:28:30.3261004Z method: 'DELETE',
2023-11-03T11:28:30.3261311Z url: 'https://api.github.com/installation/token',
2023-11-03T11:28:30.3261614Z headers: {
2023-11-03T11:28:30.3261884Z accept: 'application/vnd.github.v3+json',
2023-11-03T11:28:30.3262256Z 'user-agent': 'actions/create-github-app-token',
2023-11-03T11:28:30.3262703Z authorization: 'token [REDACTED]'
2023-11-03T11:28:30.3262956Z }
2023-11-03T11:28:30.3263119Z }
2023-11-03T11:28:30.3263277Z }
```

gr2m commented 10 months ago

> Other jobs running for around 3 hrs

An installation access token is only valid for 1 hour; there is no way to extend that. Cleaning up the token failed because it expired.

I think what we can do is to pass the time of the creation as state to the post job, that way we can check the time that passed since the creation.

Would you be interested in working on a pull request to implement this change?

anton-danielsson commented 10 months ago

We have the same issue using this action on some jobs that run long.

mblaschke-daimlertruck commented 9 months ago

Or just ignore revocation and don't mark the post action as failed in that case.
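
The two suggestions above (carry the creation time into the post step, and do not fail the job when revocation fails) can be combined as in the following added example, which is not code from this thread or from the action itself. The function names, the `Map` used as step state, and `fakeRevoke` (a constructed stand-in for the `DELETE /installation/token` call seen in the log) are assumptions.

```javascript
// Added illustration; names are hypothetical, not the action's real source.
const TOKEN_LIFETIME_MS = 60 * 60 * 1000; // installation tokens last 1 hour

// Main step: record the creation time next to the token (step state is string-valued).
function saveTokenState(state, token, now = Date.now()) {
  state.set("token", token);
  state.set("createdAt", String(now));
}

// Decide whether a revocation call can still succeed.
function revocationDecision(state, now = Date.now()) {
  if (!state.get("token")) return "skip:no-token";
  const createdAt = Number(state.get("createdAt"));
  // Unknown creation time: still try, the caller tolerates a failure.
  if (!Number.isFinite(createdAt)) return "revoke";
  return now - createdAt >= TOKEN_LIFETIME_MS ? "skip:expired" : "revoke";
}

// Post step: never throws, so token cleanup cannot fail the job.
async function postCleanup(state, revoke, now = Date.now(), warn = console.warn) {
  const decision = revocationDecision(state, now);
  if (decision !== "revoke") return decision;
  try {
    await revoke(state.get("token"));
    return "revoked";
  } catch (err) {
    warn(`Token revocation failed: ${err.message}`);
    return `warned:${err.status ?? "unknown"}`;
  }
}

// Constructed stand-in for DELETE /installation/token: answers 401 once the
// token is older than its lifetime, like the response in the log above.
function fakeRevoke(createdAt, now) {
  return async () => {
    if (now - createdAt >= TOKEN_LIFETIME_MS) {
      throw Object.assign(new Error("Bad credentials"), { status: 401 });
    }
  };
}

// Timestamps taken from the issue's log: token created, post step about 3 h later.
const created = Date.parse("2023-11-03T08:17:49Z");
const postRun = Date.parse("2023-11-03T11:28:30Z");
const state = new Map();
saveTokenState(state, "constructed-token", created);
postCleanup(state, fakeRevoke(created, postRun), postRun).then(console.log); // skip:expired
```

Skipping the call loses nothing for an expired token, since it can no longer authenticate; a token that is still valid is revoked as before.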

peter-toft-greve commented 9 months ago

Would it be viable to extend the functionality and allow the user to allow a longer expiration time?

gr2m commented 9 months ago

> allow the user to allow a longer expiration time

The expiration time for an installation access token is 1 hour. It's not extendable.

grossag commented 7 months ago

I am also running into this issue for long builds. The biggest problem is that it is failing builds when the revocation fails because the token is expired. I don't mind if it still tries to revoke the token and just fails silently, but failing in this case is really disruptive for our builds. Here is an example failure log: failure-info.txt

joshmgross commented 7 months ago

:wave: I have a fix for this issue in #95. I'm still working on figuring out the testing library and snapshots; I'll work on that tomorrow.

create-app-token-action-releaser[bot] commented 7 months ago

:tada: This issue has been resolved in version 1.6.4 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: