Files
shockbot/get-installation-token
Colin McDonnell 4b3c5ca905 rename agent key to opencode and add skill invocation coverage (#541)
* rename agent key to opencode and add skill invocation coverage.

add skill-invoke tests for claude and opencode with local play-based validation signals, update CI matrices, and include the current tracked refactors in this branch for review.

Made-with: Cursor

* exclude agent-specific skill-invoke tests from wrong agent in CI matrix

* address review follow-up and preserve workflow run UI tweak.

switch changed-agents ci coverage to exercise the opentoad implementation path while keeping the opencode expectation, and include the local workflow run client interaction updates requested on this branch.

Made-with: Cursor

* remove opentoad agent filename from runtime.

rename the opencode harness implementation file from opentoad.ts to opencode.ts and update ci coverage input accordingly so action code no longer carries the old filename.

Made-with: Cursor

* ensure security prompt bypass is set on every test fixture.

this keeps adversarial and permissions harnesses from being blocked by the default prompt-injection refusal path during CI security tests.

Made-with: Cursor

---------

Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
2026-04-15 19:38:36 +00:00
..

pullfrog/get-installation-token

Get a GitHub App installation token in a workflow job. This convenience action makes it easier to integrate Pullfrog into existing CI workflows.

This action:

  • Provides a GitHub App installation token for later workflow steps.
  • Works for the current repository out of the box.
  • Can optionally include additional repositories.
  • Masks the token in logs.
  • Revokes the token automatically in the post step.

Requirements

  • Workflow or job permissions must include id-token: write.
  • The Pullfrog GitHub App must be installed on the target repositories.
  • If you pass repos, each repository must be installed for the same app installation.

Inputs

Name Required Description
repos no Comma-separated additional repo names to include, for example: repo1,repo2. The current repo is always included.

Outputs

Name Description
token GitHub App installation token

Usage

Basic (current repo only)

permissions:
  id-token: write
  contents: read

jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Get installation token
        id: token
        uses: ./action/get-installation-token

      - name: Call GitHub API with token
        run: gh api repos/${{ github.repository }}
        env:
          GH_TOKEN: ${{ steps.token.outputs.token }}

Include extra repositories

permissions:
  id-token: write
  contents: read

jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - name: Get token for current repo plus extra repos
        id: token
        uses: ./action/get-installation-token
        with:
          repos: pullfrog,app

      - name: Checkout another repo with installation token
        uses: actions/checkout@v4
        with:
          repository: pullfrog/pullfrog
          token: ${{ steps.token.outputs.token }}
          path: action-repo

Notes

  • repos expects repository names, not owner/repo.
  • Token lifetime is managed by GitHub, but this action also revokes the token during post-run cleanup.
  • Prefer step output usage (${{ steps.<id>.outputs.token }}) rather than writing tokens to files.

Troubleshooting

  • Error: id-token permission is required: Add id-token: write in workflow or job permissions.
  • Token works for current repo but not an extra repo: Ensure that repository is listed in repos and the app installation has access to it.