Commit c3c17c7

fix: use core.getBooleanInput() to retrieve boolean input values (#223)
This PR switches from evaluating values passed to `skip-token-revoke` as true if they are truthy in JavaScript, to using `getBooleanInput`. This change ensures that only proper YAML boolean values are recognized, preventing unintended evaluations to true.

- The definition of `core#getBooleanInput` is here: https://github.com/actions/toolkit/blob/930c89072712a3aac52d74b23338f00bb0cfcb24/packages/core/src/core.ts#L188-L208

The documentation states, `"If truthy, the token will not be revoked when the current job is complete"`, so this change could be considered a breaking change. This means that if there are users who rely on `truthy` and expect values like whitespace or `"false"` to be evaluated as true (though this is likely rare), it would be a breaking change.

- `Boolean(" ")` and `Boolean("false")` are both evaluated as true.

Alternatively, it can simply be considered a fix. How to handle this is up to the maintainer.

Resolves #216
1 parent 9ba274d commit c3c17c7
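
The behaviour change described in the commit message, as an added example (not code from this commit or from `@actions/core`): it compares the removed `Boolean(...)` check with a strict boolean parser over a set of constructed input values. `strictBoolean`, `legacyTruthy`, `classify` and `report` are hypothetical names, and the accepted spellings are assumed to be the YAML 1.2 "Core Schema" booleans.

```javascript
// Added illustration; not code from this commit or from @actions/core.
// strictBoolean() is a hypothetical stand-in that accepts only the YAML 1.2
// "Core Schema" boolean spellings (assumption) and rejects everything else.
const TRUE_VALUES = ["true", "True", "TRUE"];
const FALSE_VALUES = ["false", "False", "FALSE"];

function strictBoolean(value) {
  if (TRUE_VALUES.includes(value)) return true;
  if (FALSE_VALUES.includes(value)) return false;
  throw new TypeError(`not a YAML boolean: ${JSON.stringify(value)}`);
}

// Old behaviour from the removed lines: any non-empty string skips revocation.
function legacyTruthy(value) {
  return Boolean(value);
}

// Classify how one configured value behaves before and after the change.
function classify(value) {
  const before = legacyTruthy(value);
  let after;
  try {
    after = strictBoolean(value);
  } catch {
    return { value, before, after: "error", change: "now-rejected" };
  }
  // "now-revoked": the token used to be left alive and is now revoked.
  const change =
    before === after ? "unchanged" : before ? "now-revoked" : "now-skipped";
  return { value, before, after, change };
}

// Constructed sample values a workflow might pass as skip-token-revoke.
const SAMPLES = ["true", "TRUE", "false", "False", "yes", "1", "0", ""];

function report(values = SAMPLES) {
  return values.map(classify);
}

for (const row of report()) {
  console.log(JSON.stringify(row));
}
```

The empty string is rejected by the strict parser in this sketch, which is the case the `default: "false"` added to `action.yml` covers.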

9 files changed: +17 -5 lines changed

‎README.md

2 additions & 2 deletions
@@ -343,7 +343,7 @@ The reason we define one `permision-<permission name>` input per permission is t
343343

344344
### `skip-token-revoke`
345345

346-
**Optional:** If truthy, the token will not be revoked when the current job is complete.
346+
**Optional:** If true, the token will not be revoked when the current job is complete.
347347

348348
### `github-api-url`
349349
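
Review bot: The new wording on line 346, "If true", does not say which spellings count as true or what happens to any other value. The commit message says only proper YAML boolean values are recognized, so the README should list the accepted values, state that the default is `"false"`, and say that other non-empty strings, which the old truthy check accepted, are no longer treated as true.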

@@ -370,7 +370,7 @@ The action creates an installation access token using [the `POST /app/installati
370370
1. The token is scoped to the current repository or `repositories` if set.
371371
2. The token inherits all the installation's permissions.
372372
3. The token is set as output `token` which can be used in subsequent steps.
373-
4. Unless the `skip-token-revoke` input is set to a truthy value, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
373+
4. Unless the `skip-token-revoke` input is set to true, the token is revoked in the `post` step of the action, which means it cannot be passed to another job.
374374
5. The token is masked, it cannot be logged accidentally.
375375

376376
> [!NOTE]

‎action.yml

2 additions & 1 deletion
@@ -18,8 +18,9 @@ inputs:
1818
description: "Comma or newline-separated list of repositories to install the GitHub App on (defaults to current repository if owner is unset)"
1919
required: false
2020
skip-token-revoke:
21-
description: "If truthy, the token will not be revoked when the current job is complete"
21+
description: "If true, the token will not be revoked when the current job is complete"
2222
required: false
23+
default: "false"
2324
# Make GitHub API configurable to support non-GitHub Cloud use cases
2425
# see https://github.com/actions/create-github-app-token/issues/77
2526
github-api-url:
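
Review bot: The added `default: "false"` on line 23 looks load-bearing rather than cosmetic: every test file in this commit had to set `INPUT_SKIP-TOKEN-REVOKE` to `"false"`, which suggests the new parser does not tolerate an empty value. Add a YAML comment saying so, so the default is not removed later, and consider listing the accepted values in the `description`.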

‎lib/post.js

1 addition & 1 deletion
@@ -5,7 +5,7 @@
55
* @param {import("@octokit/request").request} request
66
*/
77
export async function post(core, request) {
8-
const skipTokenRevoke = Boolean(core.getInput("skip-token-revoke"));
8+
const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
99

1010
if (skipTokenRevoke) {
1111
core.info("Token revocation was skipped");
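
Review bot: On line 8 the input is now parsed as the first statement of `post()`, before the `if (skipTokenRevoke)` branch, so a value the parser does not accept would stop the post step before revocation is attempted. tests/post-token-unset.test.js in this commit has to set the input even though there is no token, which points the same way. Consider treating a parse failure here as "do not skip" (log a warning and continue to revocation) so that a misconfigured input cannot leave a token unrevoked.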

‎main.js

1 addition & 1 deletion
@@ -24,7 +24,7 @@ const repositories = core
2424
.map((s) => s.trim())
2525
.filter((x) => x !== "");
2626

27-
const skipTokenRevoke = Boolean(core.getInput("skip-token-revoke"));
27+
const skipTokenRevoke = core.getBooleanInput("skip-token-revoke");
2828

2929
const permissions = getPermissionsFromInputs(process.env);
3030
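
Review bot: Line 27 changes behaviour for existing workflows, and the commit message itself says this could be considered a breaking change, yet the commit is typed `fix:`. Values that the old `Boolean(core.getInput("skip-token-revoke"))` accepted as true and that are not YAML booleans will behave differently after this line; call that out in the release notes or mark the change as breaking.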

‎tests/main.js

1 addition & 0 deletions
@@ -8,6 +8,7 @@ export const DEFAULT_ENV = {
88
// inputs are set as environment variables with the prefix INPUT_
99
// https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
1010
"INPUT_GITHUB-API-URL": "https://api.github.com",
11+
"INPUT_SKIP-TOKEN-REVOKE": "false",
1112
"INPUT_APP-ID": "123456",
1213
// This key is invalidated. It’s from https://github.com/octokit/auth-app.js/issues/465#issuecomment-1564998327.
1314
"INPUT_PRIVATE-KEY": `-----BEGIN RSA PRIVATE KEY-----
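
Review bot: The only test change here is adding `"INPUT_SKIP-TOKEN-REVOKE": "false"` to `DEFAULT_ENV`, which keeps the existing tests passing but does not exercise the new parsing. Add cases for the behaviour the commit message describes: `"true"` skips revocation, `"false"` no longer does, and a non-boolean string is rejected.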

‎tests/post-revoke-token-fail-response.test.js

1 addition & 0 deletions
@@ -7,6 +7,7 @@ process.env.STATE_token = "secret123";
77
// inputs are set as environment variables with the prefix INPUT_
88
// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
99
process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
10+
process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
1011

1112
// 1 hour in the future, not expired
1213
process.env.STATE_expiresAt = new Date(

‎tests/post-token-expired.test.js

4 additions & 0 deletions
@@ -7,6 +7,10 @@ process.env.STATE_token = "secret123";
77
// 1 hour in the past, expired
88
process.env.STATE_expiresAt = new Date(Date.now() - 1000 * 60 * 60).toISOString();
99

10+
// inputs are set as environment variables with the prefix INPUT_
11+
// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
12+
process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
13+
1014
const mockAgent = new MockAgent();
1115

1216
setGlobalDispatcher(mockAgent);
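
Review bot: The same three added lines (two comment lines plus `process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";`) are repeated in this file and in tests/post-token-unset.test.js, and the assignment alone appears in two more post tests. Move the shared inputs into one setup module imported by the post tests, in the way tests/main.js uses `DEFAULT_ENV`, so the next required input is added in one place.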

‎tests/post-token-set.test.js

1 addition & 0 deletions
@@ -7,6 +7,7 @@ process.env.STATE_token = "secret123";
77
// inputs are set as environment variables with the prefix INPUT_
88
// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
99
process.env["INPUT_GITHUB-API-URL"] = "https://api.github.com";
10+
process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
1011

1112
// 1 hour in the future, not expired
1213
process.env.STATE_expiresAt = new Date(Date.now() + 1000 * 60 * 60).toISOString();

‎tests/post-token-unset.test.js

4 additions & 0 deletions
@@ -2,4 +2,8 @@
22
// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions
33
delete process.env.STATE_token;
44

5+
// inputs are set as environment variables with the prefix INPUT_
6+
// https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-specifying-inputs
7+
process.env["INPUT_SKIP-TOKEN-REVOKE"] = "false";
8+
59
await import("../post.js");
