Token seems to expire after 1h

[Afoucaul]

I'm running a workflow (target-workflow.yml) in another repository (target-repo) of my organization using https://github.com/aurelien-baudet/workflow-dispatch (v2).
To that end I'm generating an app token with actions/create-github-app-token@v1.
I can generate the token with no issues, and aurelien-baudet/workflow-dispatch@v2 manages to trigger target-workflow.yml all right as well.
However, after some time, fetching the status of target-workflow starts to fail with Warning: Failed to get workflow status: Bad credentials. This causes my parent job to fail.
That seems to start happening after exactly 1h.

Am I correct that the token expires after 1h? Is it documented somewhere?
Also, is there a way to extend the lifetime of this token? Otherwise, do you suggest a workaround?

My workflow:

name: Run target-workflow.yml in other target-repo

permissions:
  id-token: write
  contents: read

jobs:
  run-target-workflow:
    name: Run target-workflow
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ...  # My app id
          private-key: ...  # My private key
          repositories: "target-repo"

      - name: Run workflow in target-repo
        uses: aurelien-baudet/workflow-dispatch@v2
        with:
          ref: main
          repo: target-repo
          workflow: target-workflow.yml
          wait-for-completion: true
          wait-for-completion-timeout: 2h
          token: ${{ steps.app-token.outputs.token }}
          inputs: ...  # The relevant inputs to target-workflow

The output of aurelien-baudet/workflow-dispatch@v2 step:

Run aurelien-baudet/workflow-dispatch@v2
Workflow triggered 🚀
You can follow the running workflow here: https://github.com/...
Warning: The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
Waiting for workflow completion
Warning: Failed to get workflow status: Bad credentials
Warning: Failed to get workflow status: Bad credentials
Warning: Failed to get workflow status: Bad credentials
... 

[gr2m]

That seems to start happening after exactly 1h.

That is by design. Installation access tokens expire after 1h, there is no way to extend it, I'm afraid. We should probably document that in the README for folks who don't know. We could even log out a message for folks to see when they investigate problems. We could also export the expiration time as an additional output 🤔

[Afoucaul]

Thanks for the insight! Now I know it's expected, I'll look for a workaround 🙂

[gr2m]

For long-running processes, I usually write my actions to accept the app ID and private key. If you build your action in JS/TS, you can use the App constructor which provides lots of helpful APIs: https://github.com/octokit/octokit.js?tab=readme-ov-file#app-client. If you use the app.getInstallationOctokit(installationId) API, the returned octokit instance will auto-renew the installation access token.

If you want something lower-level, you can use @octokit/auth-app: https://github.com/octokit/auth-app.js?tab=readme-ov-file#authenticate-as-installation. When you use the authentication strategy with an Octokit constructor, it will auto-renew the installation access token as well.

[danra]

That is by design. Installation access tokens expire after 1h, there is no way to extend it, I'm afraid. We should probably document that in the README for folks who don't know.

Please do! I wasn't aware of this limitation and started relying on the app in my workflows. I would have re-evaluated if this limitation was documented. I suggest also mentioning the auto-renewal options you listed.

[gr2m]

Please do!

can you have a look and tell if it is clear?
#141

[danra]

Perfect