fix(github-actions): rework token revoke mechanism to not rely on `po…

…st` run Currently Github actions acquire tokens from the secrets for an app installation. The actions can operate on repositories using this token. Later, as a Github action (separate step) we attempt to revoke the token. This does not work at all, and never did, because the previously used installation Github token is not known in the post step, so the post step always failed. We rework this to always revoke the token as part of the Node process where we acquired the installation token.
angular · Jun 28, 2022 · 2025d98 · 2025d98
1 parent c713d4a
commit 2025d98
Show file tree

Hide file tree

Showing 34 changed files with 207 additions and 77,951 deletions.
diff --git a/github-actions/commit-message-based-labels/BUILD.bazel b/github-actions/commit-message-based-labels/BUILD.bazel
@@ -1,14 +1,5 @@
 load("//tools:defaults.bzl", "esbuild_checked_in")
 
-esbuild_checked_in(
-    name = "post",
-    entry_point = "//github-actions/commit-message-based-labels/lib:post.ts",
-    target = "node16",
-    deps = [
-        "//github-actions/commit-message-based-labels/lib",
-    ],
-)
-
 esbuild_checked_in(
     name = "main",
     entry_point = "//github-actions/commit-message-based-labels/lib:main.ts",

diff --git a/github-actions/commit-message-based-labels/action.yml b/github-actions/commit-message-based-labels/action.yml
@@ -8,4 +8,3 @@ inputs:
 runs:
   using: 'node16'
   main: 'main.js'
-  post: 'post.js'
diff --git a/github-actions/commit-message-based-labels/lib/BUILD.bazel b/github-actions/commit-message-based-labels/lib/BUILD.bazel
@@ -4,7 +4,6 @@ package(default_visibility = ["//github-actions/commit-message-based-labels:__su
 
 exports_files([
     "main.ts",
-    "post.ts",
 ])
 
 ts_library(

diff --git a/github-actions/commit-message-based-labels/lib/main.ts b/github-actions/commit-message-based-labels/lib/main.ts
@@ -3,17 +3,30 @@ import {context} from '@actions/github';
 import {Octokit} from '@octokit/rest';
 import {parseCommitMessage} from '../../../ng-dev/commit-message/parse.js';
 import {breakingChangeLabel, deprecationLabel} from '../../../ng-dev/pr/config/index.js';
-import {ANGULAR_ROBOT, getAuthTokenFor} from '../../utils.js';
+import {ANGULAR_ROBOT, getAuthTokenFor, revokeActiveInstallationToken} from '../../utils.js';
 
 /** List of supported label and commit message attribute combinations. */
 const supportedLabels = [
   [breakingChangeLabel, 'breakingChanges'],
   [deprecationLabel, 'deprecations'],
 ] as const;
 
-async function run(): Promise<void> {
-  const token = await getAuthTokenFor(ANGULAR_ROBOT);
-  const client = new Octokit({auth: token});
+async function main() {
+  let installationClient: Octokit | null = null;
+
+  try {
+    const token = await getAuthTokenFor(ANGULAR_ROBOT);
+    installationClient = new Octokit({auth: token});
+
+    await runCommitMessageBasedLabelsAction(installationClient);
+  } finally {
+    if (installationClient !== null) {
+      await revokeActiveInstallationToken(installationClient);
+    }
+  }
+}
+
+async function runCommitMessageBasedLabelsAction(client: Octokit): Promise<void> {
   const {number, owner, repo} = context.issue;
   /** Labels currently applied to the PR. */
   const labels = await (
@@ -57,7 +70,10 @@ async function run(): Promise<void> {
 // Only run if the action is executed in a repository within the Angular org. This is in place
 // to prevent the action from actually running in a fork of a repository with this action set up.
 if (context.repo.owner === 'angular') {
-  run();
+  main().catch((e: Error) => {
+    core.error(e);
+    core.setFailed(e.message);
+  });
 } else {
   core.warning(
     'Automatic labeling was skipped as this action is only meant to run ' +

diff --git a/github-actions/commit-message-based-labels/lib/post.ts b/github-actions/commit-message-based-labels/lib/post.ts