cc46af0d47
* share GitHub rate limit tracking between the action and the worker The action now counts all GitHub API requests and captures the latest `x-ratelimit-remaining`/`x-ratelimit-reset` headers via a global request hook on every Octokit instance. On exit, the usage summary is written atomically to a path specified by `PULLFROG_USAGE_SUMMARY_PATH`. The worker sets this env var before sandbox execution, reads the file afterward, and feeds the data into the Durable Object's rate limit state. This closes the visibility gap where the worker had no insight into API calls made by the sandboxed action process. * address review: refactor rate limit state, randomize usage summary path * track actual rate limit cost using x-ratelimit-remaining delta * refactor usage summary writing to use onExitSignal API Replace the monolithic registerUsageSummaryHandler with direct use of onExitSignal in main.ts and a writeGitHubUsageSummaryToFile utility in github.ts. This keeps exitHandler.ts as a pure signal handler registry (from #299) and also writes the summary on normal exit. * tweak * unify * deduplicate stuff * improve error handling --------- Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com> Co-authored-by: Mateusz Burzyński <mateuszburzynski@gmail.com>
pullfrog/get-installation-token
Get a GitHub App installation token in a workflow job. This convenience action makes it easier to integrate Pullfrog into existing CI workflows.
This action:
- Provides a GitHub App installation token for later workflow steps.
- Works for the current repository out of the box.
- Can optionally include additional repositories.
- Masks the token in logs.
- Revokes the token automatically in the post step.
Requirements
- Workflow or job permissions must include
id-token: write. - The Pullfrog GitHub App must be installed on the target repositories.
- If you pass
repos, each repository must be installed for the same app installation.
Inputs
| Name | Required | Description |
|---|---|---|
repos |
no | Comma-separated additional repo names to include, for example: repo1,repo2. The current repo is always included. |
Outputs
| Name | Description |
|---|---|
token |
GitHub App installation token |
Usage
Basic (current repo only)
permissions:
id-token: write
contents: read
jobs:
example:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Get installation token
id: token
uses: ./action/get-installation-token
- name: Call GitHub API with token
run: gh api repos/${{ github.repository }}
env:
GH_TOKEN: ${{ steps.token.outputs.token }}
Include extra repositories
permissions:
id-token: write
contents: read
jobs:
example:
runs-on: ubuntu-latest
steps:
- name: Get token for current repo plus extra repos
id: token
uses: ./action/get-installation-token
with:
repos: pullfrog,app
- name: Checkout another repo with installation token
uses: actions/checkout@v4
with:
repository: pullfrog/pullfrog
token: ${{ steps.token.outputs.token }}
path: action-repo
Notes
reposexpects repository names, notowner/repo.- Token lifetime is managed by GitHub, but this action also revokes the token during post-run cleanup.
- Prefer step output usage (
${{ steps.<id>.outputs.token }}) rather than writing tokens to files.
Troubleshooting
Error: id-token permission is required: Addid-token: writein workflow or job permissions.- Token works for current repo but not an extra repo:
Ensure that repository is listed in
reposand the app installation has access to it.