Defer revocation to separate job. #117

Closed
aamkye opened this issue Mar 22, 2024 · 1 comment
Comments

aamkye commented Mar 22, 2024

It would be great to have an explicit possibility to revoke GH_TOKEN in a separate step/job.

Example workflow:

---
on:
  push:
    branches:
      - main

jobs:
  get_token:
    name: GitHub Token
    runs-on: ubuntu-latest
    outputs:
      github_token: ${{ steps.get_workflow_token.outputs.token }}
      # NEW as an example:
      github_token_id: ${{ steps.get_workflow_token.outputs.token_id }}
    steps:
      - name: Get Token
        id: get_workflow_token
        uses: actions/create-github-app-token@v1.9.0
        with:
          application_id: ${{ vars.TEST_APP_ID }}
          application_private_key: ${{ secrets.TEST_APP_PRIV_KEY }}
          revoke_token: false

  terraform:
    name: Terraform
    needs: get_token
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ needs.get_token.outputs.github_token }}

    steps:
      - name: Checkout the repository to the runner
        uses: actions/checkout@v4

      (...)

      - name: Terraform plan
        id: plan
        run: terraform plan -no-color -input=false


  # NEW as an example:
  revoke_token:
    name: Revoke GitHub Token
    needs:
      - get_token
      - terraform
    runs-on: ubuntu-latest
    steps:
      - name: Revoke Token
        id: revoke_workflow_token
        uses: actions/create-github-app-token@v1.9.0
        with:
          github_token_to_revoke: ${{ needs.get_token.outputs.github_token_id }}
          revoke_token: true

gr2m (Contributor) commented Mar 22, 2024

In order to revoke a token, you need to authenticate the request with the same token, see

// `request` is the Octokit request function; `token` is the installation token being revoked.
await request("DELETE /installation/token", {
  headers: {
    authorization: `token ${token}`,
  },
});

There is also no token ID; the token is revoked with the route DELETE /installation/token.

You can skip token revocation if you want to use manual logic instead:
https://github.com/actions/create-github-app-token?tab=readme-ov-file#skip-token-revoke

I'll close this issue as there is nothing actionable for us, but feel free to comment if you have more questions.

@gr2m gr2m closed this as completed Mar 22, 2024
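The revocation flow gr2m describes (the token authenticates its own DELETE /installation/token call, and there is no separate token ID), as an added example that is not code from the issue or from the create-github-app-token action. The helper names `revokeInstallationToken`, `verifyTokenRejected` and `revokeAndVerify` are hypothetical, the token value is constructed, and `fetchImpl` is injectable so the logic can be exercised without network access.

```javascript
// Added example: revoke a GitHub App installation token with the token itself,
// then confirm the token is dead. Names and the sample token are constructed.
const API_BASE = "https://api.github.com";

function authHeaders(token) {
  return {
    authorization: `token ${token}`,
    accept: "application/vnd.github+json",
    "x-github-api-version": "2022-11-28",
  };
}

// Resolves to "revoked" on HTTP 204, "already-invalid" on 401 (expired or
// revoked earlier), and throws otherwise so a workflow step fails loudly.
async function revokeInstallationToken(token, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${API_BASE}/installation/token`, {
    method: "DELETE",
    headers: authHeaders(token),
  });
  if (res.status === 204) return "revoked";
  if (res.status === 401) return "already-invalid";
  throw new Error(`unexpected status ${res.status} revoking installation token`);
}

// Post-revocation check: a revoked token must be rejected (401) on any call.
// GET /installation/repositories is callable by every installation token.
async function verifyTokenRejected(token, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${API_BASE}/installation/repositories`, {
    method: "GET",
    headers: authHeaders(token),
  });
  return res.status === 401;
}

// Revoke, then verify; `rejected` is true only when the token no longer works.
async function revokeAndVerify(token, fetchImpl = globalThis.fetch) {
  const outcome = await revokeInstallationToken(token, fetchImpl);
  const rejected = await verifyTokenRejected(token, fetchImpl);
  return { outcome, rejected };
}
```

In the workflow above, a final step of the terraform job (or a dedicated job that receives the token via `needs.get_token.outputs.github_token`) would call `revokeAndVerify` with that token, since only the token itself can revoke it.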