fix: handle clock skew (#87)

GitHub's macOS runners for the past while have had some bad clock drift
which sometimes prevents this action from working with the error:

```console
'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued
```

`@octokit/auth-app` already has logic to handle this so we can defer to
that code.

Author: Bo98

dist/main.cjs

@@ -10390,12 +10390,9 @@ async function main(appId2, privateKey2, owner2, repositories2, core2, createApp
     privateKey: privateKey2,
     request: request2
   });
-  const appAuthentication = await auth({
-    type: "app"
-  });
   let authentication;
   if (parsedRepositoryNames) {
-    authentication = await pRetry(() => getTokenFromRepository(request2, auth, parsedOwner, appAuthentication, parsedRepositoryNames), {
+    authentication = await pRetry(() => getTokenFromRepository(request2, auth, parsedOwner, parsedRepositoryNames), {
       onFailedAttempt: (error) => {
         core2.info(
           `Failed to create token for "${parsedRepositoryNames}" (attempt ${error.attemptNumber}): ${error.message}`
@@ -10404,7 +10401,7 @@ async function main(appId2, privateKey2, owner2, repositories2, core2, createApp
       retries: 3
     });
   } else {
-    authentication = await pRetry(() => getTokenFromOwner(request2, auth, appAuthentication, parsedOwner), {
+    authentication = await pRetry(() => getTokenFromOwner(request2, auth, parsedOwner), {
       onFailedAttempt: (error) => {
         core2.info(
           `Failed to create token for "${parsedOwner}" (attempt ${error.attemptNumber}): ${error.message}`
@@ -10419,19 +10416,19 @@ async function main(appId2, privateKey2, owner2, repositories2, core2, createApp
     core2.saveState("token", authentication.token);
   }
 }
-async function getTokenFromOwner(request2, auth, appAuthentication, parsedOwner) {
+async function getTokenFromOwner(request2, auth, parsedOwner) {
   const response = await request2("GET /orgs/{org}/installation", {
     org: parsedOwner,
-    headers: {
-      authorization: `bearer ${appAuthentication.token}`
+    request: {
+      hook: auth.hook
     }
   }).catch((error) => {
     if (error.status !== 404)
       throw error;
     return request2("GET /users/{username}/installation", {
       username: parsedOwner,
-      headers: {
-        authorization: `bearer ${appAuthentication.token}`
+      request: {
+        hook: auth.hook
       }
     });
   });
@@ -10441,12 +10438,12 @@ async function getTokenFromOwner(request2, auth, appAuthentication, parsedOwner)
   });
   return authentication;
 }
-async function getTokenFromRepository(request2, auth, parsedOwner, appAuthentication, parsedRepositoryNames) {
+async function getTokenFromRepository(request2, auth, parsedOwner, parsedRepositoryNames) {
   const response = await request2("GET /repos/{owner}/{repo}/installation", {
     owner: parsedOwner,
     repo: parsedRepositoryNames.split(",")[0],
-    headers: {
-      authorization: `bearer ${appAuthentication.token}`
+    request: {
+      hook: auth.hook
     }
   });
   const authentication = await auth({

lib/main.js

@@ -70,15 +70,11 @@ export async function main(
     request,
   });
 
-  const appAuthentication = await auth({
-    type: "app",
-  });
-
   let authentication;
   // If at least one repository is set, get installation ID from that repository
 
   if (parsedRepositoryNames) {
-    authentication = await pRetry(() => getTokenFromRepository(request, auth, parsedOwner,appAuthentication, parsedRepositoryNames), {
+    authentication = await pRetry(() => getTokenFromRepository(request, auth, parsedOwner, parsedRepositoryNames), {
       onFailedAttempt: (error) => {
         core.info(
           `Failed to create token for "${parsedRepositoryNames}" (attempt ${error.attemptNumber}): ${error.message}`
@@ -89,7 +85,7 @@ export async function main(
 
   } else {
     // Otherwise get the installation for the owner, which can either be an organization or a user account
-    authentication = await pRetry(() => getTokenFromOwner(request, auth, appAuthentication, parsedOwner), {
+    authentication = await pRetry(() => getTokenFromOwner(request, auth, parsedOwner), {
       onFailedAttempt: (error) => {
         core.info(
           `Failed to create token for "${parsedOwner}" (attempt ${error.attemptNumber}): ${error.message}`
@@ -110,12 +106,12 @@ export async function main(
   }
 }
 
-async function getTokenFromOwner(request, auth, appAuthentication, parsedOwner) {
+async function getTokenFromOwner(request, auth, parsedOwner) {
   // https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-an-organization-installation-for-the-authenticated-app
   const response = await request("GET /orgs/{org}/installation", {
     org: parsedOwner,
-    headers: {
-      authorization: `bearer ${appAuthentication.token}`,
+    request: {
+      hook: auth.hook,
     },
   }).catch((error) => {
     /* c8 ignore next */
@@ -124,8 +120,8 @@ async function getTokenFromOwner(request, auth, appAuthentication, parsedOwner)
     // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-user-installation-for-the-authenticated-app
     return request("GET /users/{username}/installation", {
       username: parsedOwner,
-      headers: {
-        authorization: `bearer ${appAuthentication.token}`,
+      request: {
+        hook: auth.hook,
       },
     });
   });
@@ -138,13 +134,13 @@ async function getTokenFromOwner(request, auth, appAuthentication, parsedOwner)
   return authentication;
 }
 
-async function getTokenFromRepository(request, auth, parsedOwner,appAuthentication, parsedRepositoryNames) {
+async function getTokenFromRepository(request, auth, parsedOwner, parsedRepositoryNames) {
   // https://docs.github.com/rest/apps/apps?apiVersion=2022-11-28#get-a-repository-installation-for-the-authenticated-app
   const response = await request("GET /repos/{owner}/{repo}/installation", {
     owner: parsedOwner,
     repo: parsedRepositoryNames.split(",")[0],
-    headers: {
-      authorization: `bearer ${appAuthentication.token}`,
+    request: {
+      hook: auth.hook,
     },
   });
 

package-lock.json

@@ -18,6 +18,7 @@
     "p-retry": "^6.1.0"
   },
   "devDependencies": {
+    "@sinonjs/fake-timers": "^11.2.2",
     "ava": "^5.3.1",
     "c8": "^8.0.1",
     "dotenv": "^16.3.1",

package.json

@@ -0,0 +1,56 @@
+import { test } from "./main.js";
+
+import { install } from "@sinonjs/fake-timers";
+
+// Verify `main` retry when the clock has drifted.
+await test((mockPool) => {
+  process.env.INPUT_OWNER = 'actions'
+  process.env.INPUT_REPOSITORIES = 'failed-repo';
+  const owner = process.env.INPUT_OWNER
+  const repo = process.env.INPUT_REPOSITORIES
+  const mockInstallationId = "123456";
+
+  install({ now: 0, toFake: ["Date"] });
+
+  mockPool
+    .intercept({
+      path: `/repos/${owner}/${repo}/installation`,
+      method: "GET",
+      headers: {
+        accept: "application/vnd.github.v3+json",
+        "user-agent": "actions/create-github-app-token",
+        // Intentionally omitting the `authorization` header, since JWT creation is not idempotent.
+      },
+    })
+    .reply(({ headers }) => {
+      const [_, jwt] = (headers.authorization || "").split(" ");
+      const payload = JSON.parse(Buffer.from(jwt.split(".")[1], "base64").toString());
+
+      if (payload.iat < 0) {
+        return {
+          statusCode: 401,
+          data: {
+            message: "'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued."
+          },
+          responseOptions: {
+            headers: {
+              "content-type": "application/json",
+              "date": new Date(Date.now() + 30000).toUTCString()
+            }
+          }
+        };
+      }
+
+      return {
+        statusCode: 200,
+        data: {
+          id: mockInstallationId
+        },
+        responseOptions: {
+          headers: {
+            "content-type": "application/json"
+          }
+        }
+      };
+    }).times(2);
+});