
Support opting-out of token revocation #55

Closed
@smockle


Relates to #54

Current behavior

From #54:

Currently, actions/create-github-app-token always/unconditionally revokes the installation access token in a post step, at the completion of the current job. This prevents tokens from being used in other jobs.

Use case

My team runs workflows that retrieve tokens for multiple hosts and multiple orgs.

As detailed in https://github.com/github/accessibility/discussions/4438 (only accessible to Hubbers), we use environment secrets to keep secrets (e.g. app id, installation id, and private key) organized.

Since individual steps cannot access an arbitrary environment’s secrets (i.e. there is no jobs.<job_id>.steps[*].environment), we use multiple jobs, one job per environment.

After we obtain a token using a given environment’s secrets, it’s encrypted and then made available to a subsequent job. However, if the token is revoked at the completion of the job that retrieves it, then the next job can’t use it.

Proposed behavior

actions/create-github-app-token should support opting-out of revocation. This could be accomplished by introducing a new input, e.g. revoke: ("true"|"false"), as in #54.
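The cross-job pattern described above, sketched as a workflow. This is an added example, not part of the original issue or the project's own code. It uses the action's `skip-token-revoke` input (the issue proposes the name `revoke`). The environment name `org-a`, the `WRAP_KEY` secret, the secret names, the choice of `openssl` for encryption, and the `api.github.com` host are assumptions.

```yaml
# Added example. Names marked "assumed" are not from the issue.
name: cross-job-app-token
on: workflow_dispatch

jobs:
  mint:
    runs-on: ubuntu-latest
    environment: org-a                      # assumed environment holding the app's secrets
    outputs:
      token_enc: ${{ steps.wrap.outputs.token_enc }}
    steps:
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}           # assumed secret name
          private-key: ${{ secrets.PRIVATE_KEY }} # assumed secret name
          skip-token-revoke: true                 # do not revoke in the post step
      - id: wrap
        env:
          TOKEN: ${{ steps.app-token.outputs.token }}
          WRAP_KEY: ${{ secrets.WRAP_KEY }}       # assumed repository-level secret
        run: |
          # Job outputs that contain a masked secret are dropped by the runner,
          # so only ciphertext is passed to the next job.
          enc=$(printf '%s' "$TOKEN" | openssl enc -aes-256-cbc -pbkdf2 -a -A -pass env:WRAP_KEY)
          echo "token_enc=$enc" >> "$GITHUB_OUTPUT"

  use:
    needs: mint
    runs-on: ubuntu-latest
    steps:
      - env:
          TOKEN_ENC: ${{ needs.mint.outputs.token_enc }}
          WRAP_KEY: ${{ secrets.WRAP_KEY }}
        run: |
          token=$(printf '%s' "$TOKEN_ENC" | openssl enc -d -aes-256-cbc -pbkdf2 -a -A -pass env:WRAP_KEY)
          echo "::add-mask::$token"               # keep the plaintext out of the logs
          # ... use "$token" here ...
          # With automatic revocation skipped, the token stays valid until it
          # expires, so revoke it explicitly once the last consumer is done.
          curl -sf -X DELETE \
            -H "Authorization: Bearer $token" \
            -H "Accept: application/vnd.github+json" \
            https://api.github.com/installation/token
```

If the `use` job fails before the final `curl`, the token remains usable until its normal expiry, so the revocation call is better placed in a step guarded by `if: always()` when the job has more than one step.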
