feat: support tokens scoped to multiple repositories within organization

README.md

@@ -10,7 +10,7 @@ In order to use this action, you need to:
 2. [Store the App's ID in your repository environment variables](https://docs.github.com/actions/learn-github-actions/variables#defining-configuration-variables-for-multiple-workflows) (example: `APP_ID`)
 3. [Store the App's private key in your repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets?tool=webui#creating-encrypted-secrets-for-a-repository) (example: `PRIVATE_KEY`)
 
-### Minimal usage
+### Create token for current repository
 
 ```yaml
 on: [issues]
@@ -57,6 +57,73 @@ jobs:
           github_token: ${{ steps.app-token.outputs.token }}
 ```
 
+### Create token for all repositories in current owner's installation
+
+```yaml
+on: [workflow_dispatch]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+      - uses: peter-evans/create-or-update-comment@v3
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          issue-number: ${{ github.event.issue.number }}
+          body: "Hello, World!"
+```
+
+### Create a token for selected repositories in current owner's installation
+
+```yaml
+on: [issues]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "repo1,repo2"
+      - uses: peter-evans/create-or-update-comment@v3
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          issue-number: ${{ github.event.issue.number }}
+          body: "Hello, World!"
+```
+
+### Create token for all repositories in another owner's installation
+
+```yaml
+on: [issues]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.PRIVATE_KEY }}
+          owner: another-owner
+      - uses: peter-evans/create-or-update-comment@v3
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          issue-number: ${{ github.event.issue.number }}
+          body: "Hello, World!"
+```
+
 ## Inputs
 
 ### `app_id`
@@ -67,6 +134,14 @@ jobs:
 
 **Required:** GitHub App private key.
 
+### `owner`
+
+**Optional:** GitHub App installation owner. If empty, defaults to the current repository owner.
+
+### `repositories`
+
+**Optional:** Comma-separated list of repositories to grant access to. If 'owner' is set and 'repositories' is empty then the access will be scoped to all repositories in the provided repository owner's installation. If 'owner' and 'repositories' are empty then the access will be scoped to only the current repository.
+
 ## Outputs
 
 ### `token`
@@ -77,7 +152,7 @@ GitHub App installation access token.
 
 The action creates an installation access token using [the `POST /app/installations/{installation_id}/access_tokens` endpoint](https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#create-an-installation-access-token-for-an-app). By default,
 
-1. The token is scoped to the current repository.
+1. The token is scoped to the current repository or the repositories given.
 2. The token inherits all the installation's permissions.
 3. The token is set as output `token` which can be used in subsequent steps.
 4. The token is revoked in the `post` step of the action, which means it cannot be passed to another job.

action.yml

@@ -11,6 +11,12 @@ inputs:
   private_key:
     description: "GitHub App private key"
     required: true
+  owner:
+    description: "GitHub App owner (defaults to current repository owner)"
+    required: false
+  repositories:
+    description: "Repositories to install the GitHub App on (defaults to current repository)"
+    required: false
 outputs:
   token:
     description: "GitHub installation access token"

dist/main.cjs

@@ -1602,7 +1602,7 @@ var require_oidc_utils = __commonJS({
 
         Error Code : ${error.statusCode}
 
-        Error Message: ${error.message}`);
+        Error Message: ${error.result.message}`);
           });
           const id_token = (_a = res.result) === null || _a === void 0 ? void 0 : _a.value;
           if (!id_token) {
@@ -2793,7 +2793,7 @@ var require_dist_node5 = __commonJS({
     module2.exports = __toCommonJS2(dist_src_exports);
     var import_endpoint = require_dist_node2();
     var import_universal_user_agent = require_dist_node();
-    var VERSION = "8.1.2";
+    var VERSION = "8.1.1";
     var import_is_plain_object = require_is_plain_object();
     var import_request_error = require_dist_node4();
     function getBufferResponse(response) {
@@ -14795,7 +14795,7 @@ var require_dist_node12 = __commonJS({
         data: {
           token,
           expires_at: expiresAt,
-          repositories,
+          repositories: repositories2,
           permissions: permissionsOptional,
           repository_selection: repositorySelectionOptional,
           single_file: singleFileName
@@ -14814,8 +14814,8 @@ var require_dist_node12 = __commonJS({
       });
       const permissions = permissionsOptional || {};
       const repositorySelection = repositorySelectionOptional || "all";
-      const repositoryIds = repositories ? repositories.map((r) => r.id) : void 0;
-      const repositoryNames = repositories ? repositories.map((repo) => repo.name) : void 0;
+      const repositoryIds = repositories2 ? repositories2.map((r) => r.id) : void 0;
+      const repositoryNames = repositories2 ? repositories2.map((repo) => repo.name) : void 0;
       const createdAt = (/* @__PURE__ */ new Date()).toISOString();
       await set(state.cache, optionsWithInstallationTokenFromState, {
         token,
@@ -14984,7 +14984,7 @@ var require_dist_node12 = __commonJS({
         return sendRequestWithRetries(state, request2, options, createdAt, retries);
       }
     }
-    var VERSION = "6.0.1";
+    var VERSION = "6.0.0";
     var import_auth_oauth_user2 = require_dist_node9();
     function createAppAuth2(options) {
       if (!options.appId) {
@@ -15043,8 +15043,37 @@ var import_core = __toESM(require_core(), 1);
 var import_auth_app = __toESM(require_dist_node12(), 1);
 
 // lib/main.js
-async function main(appId2, privateKey2, repository2, core2, createAppAuth2, request2) {
-  const [owner, repo] = repository2.split("/");
+async function main(appId2, privateKey2, owner2, repositories2, core2, createAppAuth2, request2) {
+  let parsedOwner = "";
+  let parsedRepositoryNames = "";
+  if (!owner2 && !repositories2) {
+    [parsedOwner, parsedRepositoryNames] = String(
+      process.env.GITHUB_REPOSITORY
+    ).split("/");
+    core2.info(
+      `owner and repositories not set, creating token for the current repository ("${parsedRepositoryNames}")`
+    );
+  }
+  if (owner2 && !repositories2) {
+    parsedOwner = owner2;
+    core2.info(
+      `repositories not set, creating token for all repositories for given owner "${owner2}"`
+    );
+  }
+  if (!owner2 && repositories2) {
+    parsedOwner = String(process.env.GITHUB_REPOSITORY_OWNER);
+    parsedRepositoryNames = repositories2;
+    core2.info(
+      `owner not set, creating owner for given repositories "${repositories2}" in current owner ("${parsedOwner}")`
+    );
+  }
+  if (owner2 && repositories2) {
+    parsedOwner = owner2;
+    parsedRepositoryNames = repositories2;
+    core2.info(
+      `owner and repositories set, creating token for repositories "${repositories2}" owned by "${owner2}"`
+    );
+  }
   const auth = createAppAuth2({
     appId: appId2,
     privateKey: privateKey2,
@@ -15053,23 +15082,43 @@ async function main(appId2, privateKey2, repository2, core2, createAppAuth2, req
   const appAuthentication = await auth({
     type: "app"
   });
-  const { data: installation } = await request2(
-    "GET /repos/{owner}/{repo}/installation",
-    {
-      owner,
-      repo,
+  let authentication;
+  if (parsedRepositoryNames) {
+    const response = await request2("GET /repos/{owner}/{repo}/installation", {
+      owner: parsedOwner,
+      repo: parsedRepositoryNames.split(",")[0],
       headers: {
         authorization: `bearer ${appAuthentication.token}`
       }
-    }
-  );
-  const authentication = await auth({
-    type: "installation",
-    installationId: installation.id,
-    repositoryNames: [repo]
-  });
-  core2.setSecret(authentication.token);
+    });
+    authentication = await auth({
+      type: "installation",
+      installationId: response.data.id,
+      repositoryNames: parsedRepositoryNames.split(",")
+    });
+  } else {
+    const response = await request2("GET /orgs/{org}/installation", {
+      org: parsedOwner,
+      headers: {
+        authorization: `bearer ${appAuthentication.token}`
+      }
+    }).catch((error) => {
+      if (error.status !== 404)
+        throw error;
+      return request2("GET /users/{username}/installation", {
+        username: parsedOwner,
+        headers: {
+          authorization: `bearer ${appAuthentication.token}`
+        }
+      });
+    });
+    authentication = await auth({
+      type: "installation",
+      installationId: response.data.id
+    });
+  }
   core2.setOutput("token", authentication.token);
+  core2.setSecret(authentication.token);
   core2.saveState("token", authentication.token);
 }
 
@@ -15086,13 +15135,18 @@ var request_default = import_request.request.defaults({
 if (!process.env.GITHUB_REPOSITORY) {
   throw new Error("GITHUB_REPOSITORY missing, must be set to '<owner>/<repo>'");
 }
+if (!process.env.GITHUB_REPOSITORY_OWNER) {
+  throw new Error("GITHUB_REPOSITORY_OWNER missing, must be set to '<owner>'");
+}
 var appId = import_core.default.getInput("app_id");
 var privateKey = import_core.default.getInput("private_key");
-var repository = process.env.GITHUB_REPOSITORY;
+var owner = import_core.default.getInput("owner");
+var repositories = import_core.default.getInput("repositories");
 main(
   appId,
   privateKey,
-  repository,
+  owner,
+  repositories,
   import_core.default,
   import_auth_app.createAppAuth,
   request_default.defaults({

dist/post.cjs

@@ -1602,7 +1602,7 @@ var require_oidc_utils = __commonJS({
 
         Error Code : ${error.statusCode}
 
-        Error Message: ${error.message}`);
+        Error Message: ${error.result.message}`);
           });
           const id_token = (_a = res.result) === null || _a === void 0 ? void 0 : _a.value;
           if (!id_token) {
@@ -2793,7 +2793,7 @@ var require_dist_node5 = __commonJS({
     module2.exports = __toCommonJS2(dist_src_exports);
     var import_endpoint = require_dist_node2();
     var import_universal_user_agent = require_dist_node();
-    var VERSION = "8.1.2";
+    var VERSION = "8.1.1";
     var import_is_plain_object = require_is_plain_object();
     var import_request_error = require_dist_node4();
     function getBufferResponse(response) {