Add support for enterprise level GitHub Apps

.gitignore

@@ -1,3 +1,4 @@
 .env
 coverage
 node_modules/
+.DS_Store

README.md

@@ -195,6 +195,28 @@ jobs:
           body: "Hello, World!"
 ```
 
+### Create a token for an enterprise installation
+
+```yaml
+on: [workflow_dispatch]
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+          enterprise: my-enterprise-slug
+      - name: Call enterprise management REST API with gh
+        run: |
+          gh api /enterprises/my-enterprise-slug/apps/installable_organizations
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+```
+
 ### Create a token with specific permissions
 
 > [!NOTE]
@@ -353,6 +375,13 @@ steps:
 > [!NOTE]
 > If `owner` is set and `repositories` is empty, access will be scoped to all repositories in the provided repository owner's installation. If `owner` and `repositories` are empty, access will be scoped to only the current repository.
 
+### `enterprise`
+
+**Optional:** The slug version of the enterprise name to generate a token for enterprise-level app installations.
+
+> [!NOTE]
+> The `enterprise` input is mutually exclusive with `owner` and `repositories`. GitHub Apps can be installed on enterprise accounts with permissions that let them call enterprise management APIs. Enterprise installations do not grant access to organization or repository resources.
+
 ### `permission-<permission name>`
 
 **Optional:** The permissions to grant to the token. By default, the token inherits all of the installation's permissions. We recommend to explicitly list the permissions that are required for a use case. This follows GitHub's own recommendation to [control permissions of `GITHUB_TOKEN` in workflows](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token). The documentation also lists all available permissions, just prefix the permission key with `permission-` (e.g., `pull-requests` → `permission-pull-requests`).

action.yml

@@ -17,6 +17,9 @@ inputs:
   repositories:
     description: "Comma or newline-separated list of repositories to install the GitHub App on (defaults to current repository if owner is unset)"
     required: false
+  enterprise:
+    description: "The slug version of the enterprise name for enterprise-level app installations (cannot be used with 'owner' or 'repositories')"
+    required: false
   skip-token-revoke:
     description: "If true, the token will not be revoked when the current job is complete"
     required: false

dist/main.cjs

@@ -23153,60 +23153,44 @@ async function pRetry(input, options = {}) {
 }
 
 // lib/main.js
-async function main(appId, privateKey, owner, repositories, permissions, core, createAppAuth2, request2, skipTokenRevoke) {
-  let parsedOwner = "";
-  let parsedRepositoryNames = [];
-  if (!owner && repositories.length === 0) {
-    const [owner2, repo] = String(process.env.GITHUB_REPOSITORY).split("/");
-    parsedOwner = owner2;
-    parsedRepositoryNames = [repo];
-    core.info(
-      `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (${owner2}/${repo}).`
-    );
-  }
-  if (owner && repositories.length === 0) {
-    parsedOwner = owner;
-    core.info(
-      `Input 'repositories' is not set. Creating token for all repositories owned by ${owner}.`
-    );
-  }
-  if (!owner && repositories.length > 0) {
-    parsedOwner = String(process.env.GITHUB_REPOSITORY_OWNER);
-    parsedRepositoryNames = repositories;
-    core.info(
-      `No 'owner' input provided. Using default owner '${parsedOwner}' to create token for the following repositories:${repositories.map((repo) => `
-- ${parsedOwner}/${repo}`).join("")}`
-    );
-  }
-  if (owner && repositories.length > 0) {
-    parsedOwner = owner;
-    parsedRepositoryNames = repositories;
-    core.info(
-      `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
-      ${repositories.map((repo) => `
-- ${parsedOwner}/${repo}`).join("")}`
-    );
+async function main(appId, privateKey, enterprise, owner, repositories, permissions, core, createAppAuth2, request2, skipTokenRevoke) {
+  if (enterprise && (owner || repositories.length > 0)) {
+    throw new Error("Cannot use 'enterprise' input with 'owner' or 'repositories' inputs");
   }
+  const target = resolveInstallationTarget(enterprise, owner, repositories, core);
   const auth5 = createAppAuth2({
     appId,
     privateKey,
     request: request2
   });
   let authentication, installationId, appSlug;
-  if (parsedRepositoryNames.length > 0) {
+  if (target.type === "enterprise") {
+    ({ authentication, installationId, appSlug } = await pRetry(
+      () => getTokenFromEnterprise(request2, auth5, target.enterprise, permissions),
+      {
+        shouldRetry: ({ error: error2 }) => error2.status >= 500,
+        onFailedAttempt: (context) => {
+          core.info(
+            `Failed to create token for enterprise "${target.enterprise}" (attempt ${context.attemptNumber}): ${context.error.message}`
+          );
+        },
+        retries: 3
+      }
+    ));
+  } else if (target.type === "repository") {
     ({ authentication, installationId, appSlug } = await pRetry(
       () => getTokenFromRepository(
         request2,
         auth5,
-        parsedOwner,
-        parsedRepositoryNames,
+        target.owner,
+        target.repositories,
         permissions
       ),
       {
         shouldRetry: ({ error: error2 }) => error2.status >= 500,
         onFailedAttempt: (context) => {
           core.info(
-            `Failed to create token for "${parsedRepositoryNames.join(
+            `Failed to create token for "${target.repositories.join(
               ","
             )}" (attempt ${context.attemptNumber}): ${context.error.message}`
           );
@@ -23216,11 +23200,11 @@ async function main(appId, privateKey, owner, repositories, permissions, core, c
     ));
   } else {
     ({ authentication, installationId, appSlug } = await pRetry(
-      () => getTokenFromOwner(request2, auth5, parsedOwner, permissions),
+      () => getTokenFromOwner(request2, auth5, target.owner, permissions),
       {
         onFailedAttempt: (context) => {
           core.info(
-            `Failed to create token for "${parsedOwner}" (attempt ${context.attemptNumber}): ${context.error.message}`
+            `Failed to create token for "${target.owner}" (attempt ${context.attemptNumber}): ${context.error.message}`
           );
         },
         retries: 3
@@ -23236,21 +23220,68 @@ async function main(appId, privateKey, owner, repositories, permissions, core, c
     core.saveState("expiresAt", authentication.expiresAt);
   }
 }
+function resolveInstallationTarget(enterprise, owner, repositories, core) {
+  if (enterprise) {
+    core.info(`Creating enterprise installation token for enterprise "${enterprise}".`);
+    return { type: "enterprise", enterprise };
+  }
+  if (!owner && repositories.length === 0) {
+    const [defaultOwner, repo] = String(process.env.GITHUB_REPOSITORY).split("/");
+    core.info(
+      `Inputs 'owner' and 'repositories' are not set. Creating token for this repository (${defaultOwner}/${repo}).`
+    );
+    return {
+      type: "repository",
+      owner: defaultOwner,
+      repositories: [repo]
+    };
+  }
+  if (owner && repositories.length === 0) {
+    core.info(
+      `Input 'repositories' is not set. Creating token for all repositories owned by ${owner}.`
+    );
+    return { type: "owner", owner };
+  }
+  const parsedOwner = owner || String(process.env.GITHUB_REPOSITORY_OWNER);
+  if (!owner) {
+    core.info(
+      `No 'owner' input provided. Using default owner '${parsedOwner}' to create token for the following repositories:${repositories.map((repo) => `
+- ${parsedOwner}/${repo}`).join("")}`
+    );
+  } else {
+    core.info(
+      `Inputs 'owner' and 'repositories' are set. Creating token for the following repositories:
+      ${repositories.map((repo) => `
+- ${parsedOwner}/${repo}`).join("")}`
+    );
+  }
+  return {
+    type: "repository",
+    owner: parsedOwner,
+    repositories
+  };
+}
+async function createInstallationAuthResult(auth5, installation, permissions, options = {}) {
+  const authentication = await auth5({
+    type: "installation",
+    installationId: installation.id,
+    permissions,
+    ...options
+  });
+  return {
+    authentication,
+    installationId: installation.id,
+    appSlug: installation["app_slug"]
+  };
+}
 async function getTokenFromOwner(request2, auth5, parsedOwner, permissions) {
   const response = await request2("GET /users/{username}/installation", {
     username: parsedOwner,
     request: {
       hook: auth5.hook
     }
   });
-  const authentication = await auth5({
-    type: "installation",
-    installationId: response.data.id,
-    permissions
-  });
-  const installationId = response.data.id;
-  const appSlug = response.data["app_slug"];
-  return { authentication, installationId, appSlug };
+  return createInstallationAuthResult(auth5, response.data, permissions);
 }
 async function getTokenFromRepository(request2, auth5, parsedOwner, parsedRepositoryNames, permissions) {
   const response = await request2("GET /repos/{owner}/{repo}/installation", {
@@ -23260,15 +23291,28 @@ async function getTokenFromRepository(request2, auth5, parsedOwner, parsedReposi
       hook: auth5.hook
     }
   });
-  const authentication = await auth5({
-    type: "installation",
-    installationId: response.data.id,
-    repositoryNames: parsedRepositoryNames,
-    permissions
+  return createInstallationAuthResult(auth5, response.data, permissions, {
+    repositoryNames: parsedRepositoryNames
   });
-  const installationId = response.data.id;
-  const appSlug = response.data["app_slug"];
-  return { authentication, installationId, appSlug };
+}
+async function getTokenFromEnterprise(request2, auth5, enterprise, permissions) {
+  let response;
+  try {
+    response = await request2("GET /enterprises/{enterprise}/installation", {
+      enterprise,
+      request: {
+        hook: auth5.hook
+      }
+    });
+  } catch (error2) {
+    if (error2.status === 404) {
+      throw new Error(
+        `No enterprise installation found matching the name ${enterprise}.`
+      );
+    }
+    throw error2;
+  }
+  return createInstallationAuthResult(auth5, response.data, permissions);
 }
 
 // lib/request.js
@@ -23309,13 +23353,15 @@ async function run() {
   ensureNativeProxySupport();
   const appId = getInput("app-id");
   const privateKey = getInput("private-key");
+  const enterprise = getInput("enterprise");
   const owner = getInput("owner");
   const repositories = getInput("repositories").split(/[\n,]+/).map((s) => s.trim()).filter((x) => x !== "");
   const skipTokenRevoke = getBooleanInput("skip-token-revoke");
   const permissions = getPermissionsFromInputs(process.env);
   return main(
     appId,
     privateKey,
+    enterprise,
     owner,
     repositories,
     permissions,