Defer revocation to separate job.
aamkye opened this issue
It would be great to have an explicit possibility to revoke GH_TOKEN in a separate step/job.
Example workflow:

```yaml
---
on:
  push:
    branches:
      - main
jobs:
  get_token:
    name: GitHub Token
    runs-on: ubuntu-latest
    outputs:
      github_token: ${{ steps.get_workflow_token.outputs.token }}
      # NEW as an example:
      github_token_id: ${{ steps.get_workflow_token.outputs.token_id }}
    steps:
      - name: Get Token
        id: get_workflow_token
        uses: actions/create-github-app-token@v1.9.0
        with:
          application_id: ${{ vars.TEST_APP_ID }}
          application_private_key: ${{ secrets.TEST_APP_PRIV_KEY }}
          revoke_token: false
  terraform:
    name: Terraform
    needs: get_token
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ needs.get_token.outputs.github_token }}
    steps:
      - name: Checkout the repository to the runner
        uses: actions/checkout@v4
      # (...)
      - name: Terraform plan
        id: plan
        run: terraform plan -no-color -input=false
  # NEW as an example:
  revoke_token:
    name: Revoke GitHub Token
    needs:
      - get_token
      - terraform
    runs-on: ubuntu-latest
    steps:
      - name: Revoke Token
        id: revoke_workflow_token
        uses: actions/create-github-app-token@v1.9.0
        with:
          github_token_to_revoke: ${{ needs.get_token.outputs.github_token_id }}
          revoke_token: true
```
In order to revoke a token, you need to authenticate the request with the same token, see `create-github-app-token/lib/post.js`, lines 31 to 35 in f2acddf.

There is also no token ID; the token is revoked with the route `DELETE /installation/token`.

You can skip token revocation if you want to use manual logic instead:
https://github.com/actions/create-github-app-token?tab=readme-ov-file#skip-token-revoke

I'll close this issue as there is nothing actionable for us, but feel free to comment if you have more questions.
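The revocation mechanism the reply describes, as an added example that is not the action's own `post.js`: the request is `DELETE /installation/token`, authenticated with the token being revoked, so there is no separate token ID to pass between jobs. `fetchImpl` is injected (assumption, for offline use; pass the global `fetch` on Node 18+), and `makeFakeGitHub` is a constructed stand-in for the API so the idempotent "already expired or revoked" path can be exercised.

```javascript
// Revoke a GitHub App installation access token the way the action's post
// step does: DELETE /installation/token, authenticated with the token itself.
// Added example, not the action's code. fetchImpl is an injected dependency
// (assumption) so the function runs offline; use globalThis.fetch for real.
const GITHUB_API = "https://api.github.com";

async function revokeInstallationToken(token, fetchImpl = globalThis.fetch, apiUrl = GITHUB_API) {
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("no token to revoke");
  }
  const res = await fetchImpl(`${apiUrl}/installation/token`, {
    method: "DELETE",
    headers: {
      Authorization: `token ${token}`,
      Accept: "application/vnd.github+json",
      "X-GitHub-Api-Version": "2022-11-28",
    },
  });
  if (res.status === 204) return { revoked: true, status: 204 };
  // A token that has already expired or been revoked cannot authenticate the
  // request, so GitHub answers 401. For cleanup logic that is "already
  // invalid", which is the outcome we wanted, not a failure.
  if (res.status === 401) return { revoked: false, status: 401, alreadyInvalid: true };
  throw new Error(`unexpected status ${res.status} revoking installation token`);
}

// Constructed offline stand-in for api.github.com: records each request and
// answers 204 once for the live token, then 401 for anything else.
function makeFakeGitHub(validToken) {
  const calls = [];
  let live = true;
  const fetchImpl = async (url, init) => {
    calls.push({ url, method: init.method, auth: init.headers.Authorization });
    if (init.method === "DELETE" && url.endsWith("/installation/token")) {
      const ok = live && init.headers.Authorization === `token ${validToken}`;
      if (ok) { live = false; return { status: 204 }; }
      return { status: 401 };
    }
    return { status: 404 };
  };
  return { fetchImpl, calls };
}
```

In a workflow that sets `skip-token-revoke: true`, this is the call a final `if: always()` step would make so the token is invalidated even when an earlier step fails.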