-
Notifications
You must be signed in to change notification settings - Fork 61
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(revocation): avoid revoking expired tokens and fail gracefully (#95)
Fixes #72 If an Actions job is long enough, more than an hour can pass between creating and revoking the App token in the post-job clean up step. Since the token itself is used to authenticate with the revoke API, an expired token will fail to be revoked. This PR saves the token expiration in the actions state and uses that in the post step to determine if the token can be revoked. I've also added error handling to the revoke token API call, as it's unlikely that users would want their job to fail if the token can't be revoked.
- Loading branch information
1 parent
f04aa94
commit 0c01407
Showing
10 changed files
with
155 additions
and
21 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
import { MockAgent, setGlobalDispatcher } from "undici"; | ||
|
||
// state variables are set as environment variables with the prefix STATE_ | ||
// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions | ||
process.env.STATE_token = "secret123"; | ||
|
||
// 1 hour in the future, not expired | ||
process.env.STATE_expiresAt = new Date(Date.now() + 1000 * 60 * 60).toISOString(); | ||
|
||
const mockAgent = new MockAgent(); | ||
|
||
setGlobalDispatcher(mockAgent); | ||
|
||
// Provide the base url to the request | ||
const mockPool = mockAgent.get("https://api.github.com"); | ||
|
||
// intercept the request | ||
mockPool | ||
.intercept({ | ||
path: "/installation/token", | ||
method: "DELETE", | ||
headers: { | ||
authorization: "token secret123", | ||
}, | ||
}) | ||
.reply(401); | ||
|
||
await import("../post.js"); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
import { MockAgent, setGlobalDispatcher } from "undici"; | ||
|
||
// state variables are set as environment variables with the prefix STATE_ | ||
// https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#sending-values-to-the-pre-and-post-actions | ||
process.env.STATE_token = "secret123"; | ||
|
||
// 1 hour in the past, expired | ||
process.env.STATE_expiresAt = new Date(Date.now() - 1000 * 60 * 60).toISOString(); | ||
|
||
const mockAgent = new MockAgent(); | ||
|
||
setGlobalDispatcher(mockAgent); | ||
|
||
// Provide the base url to the request | ||
const mockPool = mockAgent.get("https://api.github.com"); | ||
|
||
// intercept the request | ||
mockPool | ||
.intercept({ | ||
path: "/installation/token", | ||
method: "DELETE", | ||
headers: { | ||
authorization: "token secret123", | ||
}, | ||
}) | ||
.reply(204); | ||
|
||
await import("../post.js"); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file not shown.
:perfecto: Was just coming to see if this was in there and of course it was.