sammcj
diff --git a/‎.github/workflows/test-release.yml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/test-release.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 20 additions & 8 deletions b/‎README.md‎
Lines changed: 20 additions & 8 deletions
diff --git a/‎action.yml‎
Lines changed: 19 additions & 3 deletions b/‎action.yml‎
Lines changed: 19 additions & 3 deletions
diff --git a/‎dist/index.js‎
Lines changed: 3 additions & 3 deletions b/‎dist/index.js‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎index.js‎
Lines changed: 121 additions & 32 deletions b/‎index.js‎
Lines changed: 121 additions & 32 deletions
@@ -219,6 +219,8 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           release_branches: main
           pre_release_branches: dev
+          fetch_all_tags: true
+          default_bump: minor
       - name: Create a GitHub release
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1
         if: github.ref == 'refs/heads/main'
 
@@ -76,7 +76,7 @@ jobs:
           permissions: "actions:write,issues:read"
 
       - name: Use Application Token to checkout a repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         env:
           GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
         with:
@@ -99,7 +99,7 @@ jobs:
           organization: CattleDip
 
       - name: Use Application Token to checkout a repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         env:
           GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
         with:
@@ -116,14 +116,26 @@ inputs:
   application_id:
     description: GitHub Application ID value.
     required: true
+  application_installation_id:
+    description: GitHub Install Application ID value.
+    required: false
   permissions:
     description: "The permissions to request e.g. issues:read,secrets:write,packages:read. Defaults to all available permissions"
     required: false
-  organization:
-    description: The GitHub Organization to get the application installation for, if not specified will use the current repository instead
+  org:
+    description: The GitHub Organisation to get the application installation for, if not specified will use the current repository instead. This is not normally needed as the workflow will be running in the context of a repository / org.
+    required: false
+  owner:
+    description: The GitHub Owner to get the application installation for, if not specified will use the current repository instead. This is not normally needed as the workflow will be running in the context of a repository / org.
+    required: false
+  repo:
+    description: The GitHub Repository to get the application installation for, if not specified will use the current repository instead (owner must also be specified). This is not normally needed as the workflow will be running in the context of a repository / org.
     required: false
   github_api_base_url:
-    description: The GitHub API base URL to use, no needed it working within the same GitHub instance as the workflow as it will get picked up from the environment
+    description: The GitHub API base URL to use, no needed it working within the same GitHub instance as the workflow as it will get picked up from the environment. This not usually needed and is mainly for testing purposes.
+    required: false
+  token_lifetime:
+    description: The lifetime of the token in seconds, defaults to 600 seconds (10 minutes).
     required: false
 ```
 
@@ -133,12 +145,12 @@ inputs:
 outputs:
   token:
     description: A valid token representing the Application that can be used to access what the Application has been scoped to access.
+  expires_at:
+    description: The date and time when the token will expire (UTC).
   permissions_requested:
-    description: The permissions that were requested for the token, if not specified will be your default permissions.
+    description: The permissions that were requested for the token.
   permissions_granted:
     description: The permissions that were granted for the token.
-  expires_at:
-    description: The date and time that the token will expire in UTC.
 ```
 
 ## Requirements
 
@@ -20,12 +20,28 @@ inputs:
     description: "The permissions to request e.g. issues:read,secrets:write,packages:read. Defaults to all available permissions"
     required: false
 
-  organization:
-    description: The GitHub Organization to get the application installation for, if not specified will use the current repository instead
+  org:
+    description: The GitHub Organisation to get the application installation for, if not specified will use the current repository instead. This is not normally needed as the workflow will be running in the context of a repository / org.
+    required: false
+
+  owner:
+    description: The GitHub Owner to get the application installation for, if not specified will use the current repository instead. This is not normally needed as the workflow will be running in the context of a repository / org.
+    required: false
+
+  repo:
+    description: The GitHub Repository to get the application installation for, if not specified will use the current repository instead (owner must also be specified). This is not normally needed as the workflow will be running in the context of a repository / org.
     required: false
 
   github_api_base_url:
-    description: The GitHub API base URL to use, no needed it working within the same GitHub instance as the workflow as it will get picked up from the environment
+    description: The GitHub API base URL to use, no needed it working within the same GitHub instance as the workflow as it will get picked up from the environment. This not usually needed and is mainly for testing purposes.
+    required: false
+
+  token_lifetime:
+    description: The lifetime of the token in seconds, defaults to 600 (10 minutes).
+    required: false
+
+  debug:
+    description: Enable debug logging.
     required: false
 
 outputs:
 
@@ -1,63 +1,133 @@
 import process from 'process';
+import { Buffer } from 'buffer';
 import { getOctokit } from '@actions/github';
 import jwt from 'jsonwebtoken';
 import * as core from '@actions/core';
 import { getInstallationId } from './lib/github-application.js';
 
+/**
+ * Test if the data is a valid RSA private key, decode it if it's base64 encoded and return the key
+ * @param {string} data RSA private key in PEM format or base64 encoded
+ * @returns {string} RSA private key (decoded if data is base64 encoded)
+ * @throws {Error} If the data is not a valid RSA private key
+ * @example const privateKey = decodePrivateKey('LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ==');
+ */
+export function decodePrivateKey(data) {
+  /**
+   * @param {string} data
+   **/
+  if (!data) {
+    const message = 'Invalid RSA private key';
+    core.error(message);
+    throw new Error(message);
+  }
+
+  const privateKey = data.replace(/\\n/g, '\n').trim();
+  const decoded = Buffer.from(privateKey, 'base64').toString('ascii');
+  try {
+    jwt.decode(decoded, { complete: true });
+    return decoded;
+  } catch (error) {
+    return privateKey;
+  }
+}
+
+/**
+ * Convert the raw permissions string to an object
+ * @param {string} permissionsRaw The raw permissions string
+ * @returns {object} The permissions object
+ * @example const permissions = permissionsRawToObj('contents:read,actions:read');
+ */
+function permissionsRawToObj(permissionsRaw) {
+  return permissionsRaw.split(',').reduce((acc, permission) => {
+    const [key, value] = permission.split(':');
+    acc[key] = value;
+    return acc;
+  }, {});
+}
+
+/**
+ * Get the input from the workflow file
+ * @returns {object} The input from the workflow file or the environment variables as a fallback
+ * @throws {Error} If the required inputs are missing
+ */
 export function getInput() {
   if (process.env.GITHUB_ACTIONS) {
     const privateKey = core.getInput('application_private_key', { required: true });
     const appId = core.getInput('application_id', { required: true });
     const permissionsRaw = core.getInput('permissions');
+    const org = core.getInput('org', { required: false });
+    const owner = core.getInput('owner', { required: false });
+    const repo = core.getInput('repo', { required: false });
+    const baseApiUrl = core.getInput('base_api_url', { required: false });
+    const debug = core.getInput('debug', { required: false });
     // convert the string (e.g. "contents:read,actions:read" to an object, e.g. { contents: 'read', actions: 'read' })
-    const permissionsInput = permissionsRaw
-      ? permissionsRaw.split(',').reduce((acc, permission) => {
-          const [key, value] = permission.split(':');
-          acc[key] = value;
-          return acc;
-        }, {})
-      : {};
+    const permissionsInput = permissionsRaw ? permissionsRawToObj(permissionsRaw) : undefined;
+    const tokenLifetime = core.getInput('token_lifetime', { required: false }) ?? 600;
 
-    return { privateKey, appId, permissionsInput };
+    return {
+      privateKey,
+      appId,
+      permissionsInput,
+      org,
+      owner,
+      repo,
+      baseApiUrl,
+      debug,
+      tokenLifetime,
+    };
   } else {
     if (!process.env.GITHUB_APPLICATION_PRIVATE_KEY || !process.env.GITHUB_APPLICATION_ID) {
+      core.error('Required inputs are missing: privateKey or appId is undefined');
       throw new Error('Required inputs are missing');
     }
     const privateKey = process.env.GITHUB_APPLICATION_PRIVATE_KEY.replace(/\\n/g, '\n');
     const appId = process.env.GITHUB_APPLICATION_ID;
-    const permissionsRaw = process.env.GITHUB_PERMISSIONS ?? '{}';
-    const permissionsInput = permissionsRaw
-      ? permissionsRaw.split(',').reduce((acc, permission) => {
-          const [key, value] = permission.split(':');
-          acc[key] = value;
-          return acc;
-        }, {})
-      : {};
-    return { privateKey, appId, permissionsInput };
+    const org = process.env.GITHUB_APPLICATION_ORG ?? undefined;
+    const owner = process.env.GITHUB_APPLICATION_OWNER ?? undefined;
+    const repo = process.env.GITHUB_APPLICATION_REPO ?? undefined;
+    const baseApiUrl = process.env.GITHUB_APPLICATION_BASE_API_URL ?? undefined;
+    const debug = process.env.DEBUG ?? false;
+    const permissionsRaw = process.env.GITHUB_APPLICATION_PERMISSIONS ?? undefined;
+    const permissionsInput = permissionsRaw ? permissionsRawToObj(permissionsRaw) : undefined;
+    const tokenLifetime = process.env.GITHUB_APPLICATION_TOKEN_LIFETIME ?? 600;
+
+    return {
+      privateKey,
+      appId,
+      permissionsInput,
+      org,
+      owner,
+      repo,
+      baseApiUrl,
+      debug,
+      tokenLifetime,
+    };
   }
 }
 
+/**
+ * Main function
+ */
 export async function run() {
+  if (process.env.DEBUG) {
+    core.setCommandEcho(true);
+  }
+
   try {
-    // get the variables from the if/else block
     const { privateKey, appId, permissionsInput } = getInput();
-
-    if (!privateKey || !appId) {
-      throw new Error('Required inputs are missing: privateKey or appId is undefined');
-    }
-
     const permissions = permissionsInput;
-
-    // Ensure getInstallationId is correctly awaited and check its result before proceeding
     const installationId = await getInstallationId(privateKey, appId);
-    if (!installationId) {
-      throw new Error('Failed to retrieve installation ID');
-    }
-    // console.debug('Retrieved Installation ID:', installationId);
-
     const jwtToken = generateJwtToken(privateKey, appId);
     const octokit = getOctokit(jwtToken);
 
+    if (!privateKey || !appId) {
+      const message = 'Required inputs are missing: privateKey or appId is undefined';
+      core.error(message);
+      throw new Error(message);
+    }
+
+    // create an installation access token
     const {
       data: { token },
     } = await octokit.rest.apps.createInstallationAccessToken({
@@ -72,22 +142,41 @@ export async function run() {
 
     const permissionsGranted = installation.data.permissions;
 
+    // set the Github Actions outputs
+    core.startGroup('GitHub App Installation');
     core.setSecret(token);
+    core.setSecret(jwtToken);
+    core.setSecret(`${installationId}`);
     core.setOutput('token', token);
     core.setOutput('expires_at', new Date().toISOString());
     core.setOutput('permissions_requested', JSON.stringify(permissions));
     core.setOutput('permissions_granted', JSON.stringify(permissionsGranted));
+    core.endGroup();
   } catch (error) {
-    console.error('Error:', error.message);
+    const message = 'Error getting installation access token';
+    core.error(message, error.message);
+    console.error(message, error.message);
     core.setFailed(error.message);
   }
 }
 
+/**
+ * @param {jwt.Secret} privateKey
+ * @param {any} appId
+ */
 export function generateJwtToken(privateKey, appId) {
   const iat = Math.floor(Date.now() / 1000);
   const exp = iat + 10 * 60; // JWT expiration time set to 10 minutes
   const payload = { iat, exp, iss: appId };
-  return jwt.sign(payload, privateKey, { algorithm: 'RS256' });
+  try {
+    return jwt.sign(payload, privateKey, { algorithm: 'RS256' });
+  } catch (error) {
+    const message = 'Error generating JWT token';
+    core.error(message, error.message);
+    console.error(message, error.message);
+    throw new Error(message);
+  }
 }
 
+// The run function is the entry point for the GitHub Action
 run();