refactor: keep SSH signing cleanup and token revocation as separate action steps

Move SSH signing key cleanup and app token revocation back to separate composite action steps in action.yml with always() conditions, rather than handling them inside run.ts. This keeps these cleanup concerns as independently visible steps in the workflow.
2026-02-03 18:43:46 -08:00 · 2026-02-03 18:43:46 -08:00 · 6e5825aa53
commit 6e5825aa53
parent 3d8ead909f
2 changed files with 18 additions and 52 deletions
--- a/action.yml
+++ b/action.yml
@ -270,3 +270,20 @@ runs:
        OTEL_METRIC_EXPORT_INTERVAL: ${{ env.OTEL_METRIC_EXPORT_INTERVAL }}
        OTEL_LOGS_EXPORT_INTERVAL: ${{ env.OTEL_LOGS_EXPORT_INTERVAL }}
        OTEL_RESOURCE_ATTRIBUTES: ${{ env.OTEL_RESOURCE_ATTRIBUTES }}
+
+    - name: Cleanup SSH signing key
+      if: always() && inputs.ssh_signing_key != ''
+      shell: bash
+      run: |
+        bun run ${GITHUB_ACTION_PATH}/src/entrypoints/cleanup-ssh-signing.ts
+
+    - name: Revoke app token
+      if: always() && inputs.github_token == '' && steps.run.outputs.skipped_due_to_workflow_validation_mismatch != 'true'
+      shell: bash
+      run: |
+        curl -L \
+          -X DELETE \
+          -H "Accept: application/vnd.github+json" \
+          -H "Authorization: Bearer ${{ steps.run.outputs.github_token }}" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          ${GITHUB_API_URL:-https://api.github.com}/installation/token
--- a/src/entrypoints/run.ts
+++ b/src/entrypoints/run.ts
@ -22,9 +22,6 @@ import { collectActionInputsPresence } from "./collect-inputs";
 import { updateCommentLink } from "./update-comment-link";
 import { formatTurnsFromData } from "./format-turns";
 import type { Turn } from "./format-turns";
-import { cleanupSshSigning } from "../github/operations/git-config";
-import { GITHUB_API_URL } from "../github/api/config";
-
 // Base-action imports (used directly instead of subprocess)
 import { validateEnvironmentVariables } from "../../base-action/src/validate-env";
 import { setupClaudeCodeSettings } from "../../base-action/src/setup-claude-code-settings";
@ -126,32 +123,6 @@ async function writeStepSummary(executionFile: string): Promise<void> {
  }
 }

-/**
- * Revoke the GitHub App installation token.
- */
-async function revokeAppToken(githubToken: string): Promise<void> {
-  try {
-    const apiUrl = GITHUB_API_URL;
-    const response = await fetch(`${apiUrl}/installation/token`, {
-      method: "DELETE",
-      headers: {
-        Accept: "application/vnd.github+json",
-        Authorization: `Bearer ${githubToken}`,
-        "X-GitHub-Api-Version": "2022-11-28",
-      },
-    });
-    if (response.ok) {
-      console.log("App token revoked successfully");
-    } else {
-      console.error(
-        `Failed to revoke app token: ${response.status} ${response.statusText}`,
-      );
-    }
-  } catch (error) {
-    console.error("Error revoking app token:", error);
-  }
-}
-
 async function run() {
  let githubToken: string | undefined;
  let commentId: number | undefined;
@ -163,10 +134,6 @@ async function run() {
  let prepareError: string | undefined;
  let context: GitHubContext | undefined;
  let octokit: Octokits | undefined;
-  let useSshSigning = false;
-  let useOverrideToken = false;
-  let skippedDueToWorkflowValidation = false;
-
  try {
    // Phase 1: Prepare
    const actionInputsPresent = collectActionInputsPresence();
@ -177,7 +144,6 @@ async function run() {
      githubToken = await setupGitHubToken();
    } catch (error) {
      if (error instanceof WorkflowValidationSkipError) {
-        skippedDueToWorkflowValidation = true;
        core.setOutput("skipped_due_to_workflow_validation_mismatch", "true");
        console.log("Exiting due to workflow validation skip");
        return;
@ -185,7 +151,6 @@ async function run() {
      throw error;
    }

-    useOverrideToken = !!process.env.OVERRIDE_GITHUB_TOKEN;
    octokit = createOctokit(githubToken);

    // Set GITHUB_TOKEN and GH_TOKEN in process env for downstream usage
@ -198,7 +163,7 @@ async function run() {
        octokit.rest,
        context,
        context.inputs.allowedNonWriteUsers,
-        useOverrideToken,
+        !!process.env.OVERRIDE_GITHUB_TOKEN,
      );
      if (!hasWritePermissions) {
        throw new Error(
@ -230,8 +195,6 @@ async function run() {
    commentId = prepareResult.commentId;
    claudeBranch = prepareResult.branchInfo.claudeBranch;
    baseBranch = prepareResult.branchInfo.baseBranch;
-    useSshSigning = !!context.inputs.sshSigningKey;
-
    // Set system prompt if available
    if (mode.getSystemPrompt) {
      const modeContext = mode.prepareContext(context, {
@ -336,20 +299,6 @@ async function run() {
      await writeStepSummary(executionFile);
    }

-    // Cleanup SSH signing key
-    if (useSshSigning) {
-      try {
-        await cleanupSshSigning();
-      } catch (error) {
-        console.error("Failed to cleanup SSH signing key:", error);
-      }
-    }
-
-    // Revoke app token (only if we're using the app token, not an override)
-    if (githubToken && !useOverrideToken && !skippedDueToWorkflowValidation) {
-      await revokeAppToken(githubToken);
-    }
-
    // Set remaining action-level outputs
    core.setOutput("branch_name", claudeBranch);
    core.setOutput("github_token", githubToken);